1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2015 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
29 # include <openssl/ocsp.h>
31 #ifdef EXPERIMENTAL_DANE
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
46 * X509_check_host provides sane certificate hostname checking, but was added
47 * to OpenSSL late, after other projects forked off the code-base. So in
48 * addition to guarding against the base version number, beware that LibreSSL
49 * does not (at this time) support this function.
51 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
52 * opt to disentangle and ask a LibreSSL user to provide glue for a third
53 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
54 * into even twistier knots. If LibreSSL gains the same API, we can just
55 * change this guard and punt the issue for a while longer.
57 #ifndef LIBRESSL_VERSION_NUMBER
58 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
59 # define EXIM_HAVE_OPENSSL_CHECKHOST
61 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
62 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
63 # define EXIM_HAVE_OPENSSL_CHECKHOST
66 # if !defined(OPENSSL_NO_ECDH)
67 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
68 # define EXIM_HAVE_ECDH
70 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
71 # define EXIM_HAVE_OPENSSL_ECDH_AUTO
72 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
77 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
78 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
82 /* Structure for collecting random data for seeding. */
84 typedef struct randstuff {
89 /* Local static variables */
91 static BOOL client_verify_callback_called = FALSE;
92 static BOOL server_verify_callback_called = FALSE;
93 static const uschar *sid_ctx = US"exim";
95 /* We have three different contexts to care about.
97 Simple case: client, `client_ctx`
98 As a client, we can be doing a callout or cut-through delivery while receiving
99 a message. So we have a client context, which should have options initialised
100 from the SMTP Transport.
103 There are two cases: with and without ServerNameIndication from the client.
104 Given TLS SNI, we can be using different keys, certs and various other
105 configuration settings, because they're re-expanded with $tls_sni set. This
106 allows vhosting with TLS. This SNI is sent in the handshake.
107 A client might not send SNI, so we need a fallback, and an initial setup too.
108 So as a server, we start out using `server_ctx`.
109 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
110 `server_sni` from `server_ctx` and then initialise settings by re-expanding
114 static SSL_CTX *client_ctx = NULL;
115 static SSL_CTX *server_ctx = NULL;
116 static SSL *client_ssl = NULL;
117 static SSL *server_ssl = NULL;
119 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
120 static SSL_CTX *server_sni = NULL;
123 static char ssl_errstring[256];
125 static int ssl_session_timeout = 200;
126 static BOOL client_verify_optional = FALSE;
127 static BOOL server_verify_optional = FALSE;
129 static BOOL reexpand_tls_files_for_sni = FALSE;
132 typedef struct tls_ext_ctx_cb {
140 uschar *file_expanded;
141 OCSP_RESPONSE *response;
144 X509_STORE *verify_store; /* non-null if status requested */
145 BOOL verify_required;
150 /* these are cached from first expand */
151 uschar *server_cipher_list;
152 /* only passed down to tls_error: */
154 const uschar * verify_cert_hostnames;
155 #ifndef DISABLE_EVENT
156 uschar * event_action;
160 /* should figure out a cleanup of API to handle state preserved per
161 implementation, for various reasons, which can be void * in the APIs.
162 For now, we hack around it. */
163 tls_ext_ctx_cb *client_static_cbinfo = NULL;
164 tls_ext_ctx_cb *server_static_cbinfo = NULL;
167 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
168 int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
171 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
172 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
175 static int tls_server_stapling_cb(SSL *s, void *arg);
179 /*************************************************
181 *************************************************/
183 /* Called from lots of places when errors occur before actually starting to do
184 the TLS handshake, that is, while the session is still in clear. Always returns
185 DEFER for a server and FAIL for a client so that most calls can use "return
186 tls_error(...)" to do this processing and then give an appropriate return. A
187 single function is used for both server and client, because it is called from
188 some shared functions.
191 prefix text to include in the logged error
192 host NULL if setting up a server;
193 the connected host if setting up a client
194 msg error message or NULL if we should ask OpenSSL
196 Returns: OK/DEFER/FAIL
200 tls_error(uschar * prefix, const host_item * host, uschar * msg)
204 ERR_error_string(ERR_get_error(), ssl_errstring);
205 msg = (uschar *)ssl_errstring;
210 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s): %s",
211 host->name, host->address, prefix, msg);
216 uschar *conn_info = smtp_get_connection_info();
217 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
219 /* I'd like to get separated H= here, but too hard for now */
220 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
221 conn_info, prefix, msg);
228 /*************************************************
229 * Callback to generate RSA key *
230 *************************************************/
238 Returns: pointer to generated key
242 rsa_callback(SSL *s, int export, int keylength)
245 export = export; /* Shut picky compilers up */
246 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
247 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
250 ERR_error_string(ERR_get_error(), ssl_errstring);
251 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
263 x509_store_dump_cert_s_names(X509_STORE * store)
265 STACK_OF(X509_OBJECT) * roots= store->objs;
267 static uschar name[256];
269 for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
271 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
272 if(tmp_obj->type == X509_LU_X509)
274 X509 * current_cert= tmp_obj->data.x509;
275 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
276 name[sizeof(name)-1] = '\0';
277 debug_printf(" %s\n", name);
285 #ifndef DISABLE_EVENT
287 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
288 BOOL *calledp, const BOOL *optionalp, const uschar * what)
294 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
297 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
298 old_cert = tlsp->peercert;
299 tlsp->peercert = X509_dup(cert);
300 /* NB we do not bother setting peerdn */
301 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
303 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
304 "depth=%d cert=%s: %s",
305 tlsp == &tls_out ? deliver_host_address : sender_host_address,
306 what, depth, dn, yield);
310 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
311 return 1; /* reject (leaving peercert set) */
313 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
314 "(host in tls_try_verify_hosts)\n");
316 X509_free(tlsp->peercert);
317 tlsp->peercert = old_cert;
323 /*************************************************
324 * Callback for verification *
325 *************************************************/
327 /* The SSL library does certificate verification if set up to do so. This
328 callback has the current yes/no state is in "state". If verification succeeded,
329 we set the certificate-verified flag. If verification failed, what happens
330 depends on whether the client is required to present a verifiable certificate
333 If verification is optional, we change the state to yes, but still log the
334 verification error. For some reason (it really would help to have proper
335 documentation of OpenSSL), this callback function then gets called again, this
336 time with state = 1. We must take care not to set the private verified flag on
337 the second time through.
339 Note: this function is not called if the client fails to present a certificate
340 when asked. We get here only if a certificate has been received. Handling of
341 optional verification for this case is done when requesting SSL to verify, by
342 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
344 May be called multiple times for different issues with a certificate, even
345 for a given "depth" in the certificate chain.
348 preverify_ok current yes/no state as 1/0
349 x509ctx certificate information.
350 tlsp per-direction (client vs. server) support data
351 calledp has-been-called flag
352 optionalp verification-is-optional flag
354 Returns: 0 if verification should fail, otherwise 1
358 verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
359 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
361 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
362 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
365 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
366 dn[sizeof(dn)-1] = '\0';
368 if (preverify_ok == 0)
370 log_write(0, LOG_MAIN, "[%s] SSL verify error: depth=%d error=%s cert=%s",
371 tlsp == &tls_out ? deliver_host_address : sender_host_address,
373 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
379 tlsp->peercert = X509_dup(cert); /* record failing cert */
380 return 0; /* reject */
382 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
383 "tls_try_verify_hosts)\n");
388 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
390 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
391 { /* client, wanting stapling */
392 /* Add the server cert's signing chain as the one
393 for the verification of the OCSP stapled information. */
395 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
400 #ifndef DISABLE_EVENT
401 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
402 return 0; /* reject, with peercert set */
407 const uschar * verify_cert_hostnames;
409 if ( tlsp == &tls_out
410 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
411 /* client, wanting hostname check */
414 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
415 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
416 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
418 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
419 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
422 const uschar * list = verify_cert_hostnames;
425 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
426 if ((rc = X509_check_host(cert, name, 0,
427 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
428 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
433 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
434 tlsp == &tls_out ? deliver_host_address : sender_host_address);
441 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
444 log_write(0, LOG_MAIN,
445 "[%s] SSL verify error: certificate name mismatch: \"%s\"",
446 tlsp == &tls_out ? deliver_host_address : sender_host_address,
452 tlsp->peercert = X509_dup(cert); /* record failing cert */
453 return 0; /* reject */
455 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
456 "tls_try_verify_hosts)\n");
460 #ifndef DISABLE_EVENT
461 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
462 return 0; /* reject, with peercert set */
465 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
466 *calledp ? "" : " authenticated", dn);
467 if (!*calledp) tlsp->certificate_verified = TRUE;
471 return 1; /* accept, at least for this level */
475 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
477 return verify_callback(preverify_ok, x509ctx, &tls_out,
478 &client_verify_callback_called, &client_verify_optional);
482 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
484 return verify_callback(preverify_ok, x509ctx, &tls_in,
485 &server_verify_callback_called, &server_verify_optional);
489 #ifdef EXPERIMENTAL_DANE
491 /* This gets called *by* the dane library verify callback, which interposes
495 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
497 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
499 #ifndef DISABLE_EVENT
500 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
501 BOOL dummy_called, optional = FALSE;
504 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
505 dn[sizeof(dn)-1] = '\0';
507 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
508 preverify_ok ? "ok":"BAD", depth, dn);
510 #ifndef DISABLE_EVENT
511 if (verify_event(&tls_out, cert, depth, dn,
512 &dummy_called, &optional, US"DANE"))
513 return 0; /* reject, with peercert set */
516 if (preverify_ok == 1)
517 tls_out.dane_verified =
518 tls_out.certificate_verified = TRUE;
521 int err = X509_STORE_CTX_get_error(x509ctx);
523 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
524 if (err = X509_V_ERR_APPLICATION_VERIFICATION)
530 #endif /*EXPERIMENTAL_DANE*/
533 /*************************************************
534 * Information callback *
535 *************************************************/
537 /* The SSL library functions call this from time to time to indicate what they
538 are doing. We copy the string to the debugging output when TLS debugging has
550 info_callback(SSL *s, int where, int ret)
554 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
559 /*************************************************
560 * Initialize for DH *
561 *************************************************/
563 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
566 sctx The current SSL CTX (inbound or outbound)
567 dhparam DH parameter file or fixed parameter identity string
568 host connected host, if client; NULL if server
570 Returns: TRUE if OK (nothing to set up, or setup worked)
574 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host)
581 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
584 if (!dhexpanded || !*dhexpanded)
585 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
586 else if (dhexpanded[0] == '/')
588 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
590 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
591 host, US strerror(errno));
597 if (Ustrcmp(dhexpanded, "none") == 0)
599 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
603 if (!(pem = std_dh_prime_named(dhexpanded)))
605 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
606 host, US strerror(errno));
609 bio = BIO_new_mem_buf(CS pem, -1);
612 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
615 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
620 /* Even if it is larger, we silently return success rather than cause things
621 * to fail out, so that a too-large DH will not knock out all TLS; it's a
622 * debatable choice. */
623 if ((8*DH_size(dh)) > tls_dh_max_bits)
626 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
627 8*DH_size(dh), tls_dh_max_bits);
631 SSL_CTX_set_tmp_dh(sctx, dh);
633 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
634 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
646 /*************************************************
647 * Initialize for ECDH *
648 *************************************************/
650 /* Load parameters for ECDH encryption.
652 For now, we stick to NIST P-256 because: it's simple and easy to configure;
653 it avoids any patent issues that might bite redistributors; despite events in
654 the news and concerns over curve choices, we're not cryptographers, we're not
655 pretending to be, and this is "good enough" to be better than no support,
656 protecting against most adversaries. Given another year or two, there might
657 be sufficient clarity about a "right" way forward to let us make an informed
658 decision, instead of a knee-jerk reaction.
660 Longer-term, we should look at supporting both various named curves and
661 external files generated with "openssl ecparam", much as we do for init_dh().
662 We should also support "none" as a value, to explicitly avoid initialisation.
667 sctx The current SSL CTX (inbound or outbound)
668 host connected host, if client; NULL if server
670 Returns: TRUE if OK (nothing to set up, or setup worked)
674 init_ecdh(SSL_CTX * sctx, host_item * host)
676 #ifdef OPENSSL_NO_ECDH
685 if (host) /* No ECDH setup for clients, only for servers */
688 # ifndef EXIM_HAVE_ECDH
690 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
694 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve))
696 if (!exp_curve || !*exp_curve)
699 # ifdef EXIM_HAVE_OPENSSL_ECDH_AUTO
700 /* check if new enough library to support auto ECDH temp key parameter selection */
701 if (Ustrcmp(exp_curve, "auto") == 0)
703 DEBUG(D_tls) debug_printf(
704 "ECDH temp key parameter settings: OpenSSL 1.2+ autoselection\n");
705 SSL_CTX_set_ecdh_auto(sctx, 1);
710 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
711 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
712 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
713 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
717 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'",
723 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
725 tls_error(US"Unable to create ec curve", host, NULL);
729 /* The "tmp" in the name here refers to setting a temporary key
730 not to the stability of the interface. */
732 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
733 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL);
735 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
740 # endif /*EXIM_HAVE_ECDH*/
741 #endif /*OPENSSL_NO_ECDH*/
748 /*************************************************
749 * Load OCSP information into state *
750 *************************************************/
752 /* Called to load the server OCSP response from the given file into memory, once
753 caller has determined this is needed. Checks validity. Debugs a message
756 ASSUMES: single response, for single cert.
759 sctx the SSL_CTX* to update
760 cbinfo various parts of session state
761 expanded the filename putatively holding an OCSP response
766 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
770 OCSP_BASICRESP *basic_response;
771 OCSP_SINGLERESP *single_response;
772 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
774 unsigned long verify_flags;
775 int status, reason, i;
777 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
778 if (cbinfo->u_ocsp.server.response)
780 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
781 cbinfo->u_ocsp.server.response = NULL;
784 bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
787 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
788 cbinfo->u_ocsp.server.file_expanded);
792 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
796 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
800 status = OCSP_response_status(resp);
801 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
803 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
804 OCSP_response_status_str(status), status);
808 basic_response = OCSP_response_get1_basic(resp);
812 debug_printf("OCSP response parse error: unable to extract basic response.\n");
816 store = SSL_CTX_get_cert_store(sctx);
817 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
819 /* May need to expose ability to adjust those flags?
820 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
821 OCSP_TRUSTOTHER OCSP_NOINTERN */
823 i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
827 ERR_error_string(ERR_get_error(), ssl_errstring);
828 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
833 /* Here's the simplifying assumption: there's only one response, for the
834 one certificate we use, and nothing for anything else in a chain. If this
835 proves false, we need to extract a cert id from our issued cert
836 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
837 right cert in the stack and then calls OCSP_single_get0_status()).
839 I'm hoping to avoid reworking a bunch more of how we handle state here. */
840 single_response = OCSP_resp_get0(basic_response, 0);
841 if (!single_response)
844 debug_printf("Unable to get first response from OCSP basic response.\n");
848 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
849 if (status != V_OCSP_CERTSTATUS_GOOD)
851 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
852 OCSP_cert_status_str(status), status,
853 OCSP_crl_reason_str(reason), reason);
857 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
859 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
864 cbinfo->u_ocsp.server.response = resp;
868 if (running_in_test_harness)
870 extern char ** environ;
872 for (p = USS environ; *p != NULL; p++)
873 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
875 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
876 goto supply_response;
881 #endif /*!DISABLE_OCSP*/
886 /*************************************************
887 * Expand key and cert file specs *
888 *************************************************/
890 /* Called once during tls_init and possibly again during TLS setup, for a
891 new context, if Server Name Indication was used and tls_sni was seen in
892 the certificate string.
895 sctx the SSL_CTX* to update
896 cbinfo various parts of session state
898 Returns: OK/DEFER/FAIL
902 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
906 if (cbinfo->certificate == NULL)
909 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
910 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
911 Ustrstr(cbinfo->certificate, US"tls_out_sni")
913 reexpand_tls_files_for_sni = TRUE;
915 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
918 if (expanded != NULL)
920 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
921 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
922 return tls_error(string_sprintf(
923 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
927 if (cbinfo->privatekey != NULL &&
928 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
931 /* If expansion was forced to fail, key_expanded will be NULL. If the result
932 of the expansion is an empty string, ignore it also, and assume the private
933 key is in the same file as the certificate. */
935 if (expanded != NULL && *expanded != 0)
937 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
938 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
939 return tls_error(string_sprintf(
940 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
944 if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL)
946 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
949 if (expanded != NULL && *expanded != 0)
951 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
952 if (cbinfo->u_ocsp.server.file_expanded &&
953 (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
956 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
958 ocsp_load_response(sctx, cbinfo, expanded);
970 /*************************************************
971 * Callback to handle SNI *
972 *************************************************/
974 /* Called when acting as server during the TLS session setup if a Server Name
975 Indication extension was sent by the client.
977 API documentation is OpenSSL s_server.c implementation.
980 s SSL* of the current session
981 ad unknown (part of OpenSSL API) (unused)
982 arg Callback of "our" registered data
984 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
987 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
989 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
991 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
992 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
994 int old_pool = store_pool;
997 return SSL_TLSEXT_ERR_OK;
999 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1000 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1002 /* Make the extension value available for expansion */
1003 store_pool = POOL_PERM;
1004 tls_in.sni = string_copy(US servername);
1005 store_pool = old_pool;
1007 if (!reexpand_tls_files_for_sni)
1008 return SSL_TLSEXT_ERR_OK;
1010 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1011 not confident that memcpy wouldn't break some internal reference counting.
1012 Especially since there's a references struct member, which would be off. */
1014 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1016 ERR_error_string(ERR_get_error(), ssl_errstring);
1017 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1018 return SSL_TLSEXT_ERR_NOACK;
1021 /* Not sure how many of these are actually needed, since SSL object
1022 already exists. Might even need this selfsame callback, for reneg? */
1024 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1025 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1026 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1027 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1028 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1029 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1031 if ( !init_dh(server_sni, cbinfo->dhparam, NULL)
1032 || !init_ecdh(server_sni, NULL)
1034 return SSL_TLSEXT_ERR_NOACK;
1036 if (cbinfo->server_cipher_list)
1037 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
1038 #ifndef DISABLE_OCSP
1039 if (cbinfo->u_ocsp.server.file)
1041 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1042 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1046 rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server);
1047 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
1049 /* do this after setup_certs, because this can require the certs for verifying
1050 OCSP information. */
1051 if ((rc = tls_expand_session_files(server_sni, cbinfo)) != OK)
1052 return SSL_TLSEXT_ERR_NOACK;
1054 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1055 SSL_set_SSL_CTX(s, server_sni);
1057 return SSL_TLSEXT_ERR_OK;
1059 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1064 #ifndef DISABLE_OCSP
1066 /*************************************************
1067 * Callback to handle OCSP Stapling *
1068 *************************************************/
1070 /* Called when acting as server during the TLS session setup if the client
1071 requests OCSP information with a Certificate Status Request.
1073 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1079 tls_server_stapling_cb(SSL *s, void *arg)
1081 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1082 uschar *response_der;
1083 int response_der_len;
1086 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1087 cbinfo->u_ocsp.server.response ? "have" : "lack");
1089 tls_in.ocsp = OCSP_NOT_RESP;
1090 if (!cbinfo->u_ocsp.server.response)
1091 return SSL_TLSEXT_ERR_NOACK;
1093 response_der = NULL;
1094 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
1096 if (response_der_len <= 0)
1097 return SSL_TLSEXT_ERR_NOACK;
1099 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1100 tls_in.ocsp = OCSP_VFIED;
1101 return SSL_TLSEXT_ERR_OK;
1106 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1108 BIO_printf(bp, "\t%s: ", str);
1109 ASN1_GENERALIZEDTIME_print(bp, time);
1114 tls_client_stapling_cb(SSL *s, void *arg)
1116 tls_ext_ctx_cb * cbinfo = arg;
1117 const unsigned char * p;
1119 OCSP_RESPONSE * rsp;
1120 OCSP_BASICRESP * bs;
1123 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1124 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1127 /* Expect this when we requested ocsp but got none */
1128 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1129 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1131 DEBUG(D_tls) debug_printf(" null\n");
1132 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1135 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1137 tls_out.ocsp = OCSP_FAILED;
1138 if (LOGGING(tls_cipher))
1139 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1141 DEBUG(D_tls) debug_printf(" parse error\n");
1145 if(!(bs = OCSP_response_get1_basic(rsp)))
1147 tls_out.ocsp = OCSP_FAILED;
1148 if (LOGGING(tls_cipher))
1149 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1151 DEBUG(D_tls) debug_printf(" error parsing response\n");
1152 OCSP_RESPONSE_free(rsp);
1156 /* We'd check the nonce here if we'd put one in the request. */
1157 /* However that would defeat cacheability on the server so we don't. */
1159 /* This section of code reworked from OpenSSL apps source;
1160 The OpenSSL Project retains copyright:
1161 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1166 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1168 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1170 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1172 /* Use the chain that verified the server cert to verify the stapled info */
1173 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1175 if ((i = OCSP_basic_verify(bs, NULL,
1176 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1178 tls_out.ocsp = OCSP_FAILED;
1179 if (LOGGING(tls_cipher))
1180 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
1181 BIO_printf(bp, "OCSP response verify failure\n");
1182 ERR_print_errors(bp);
1183 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1187 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1190 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1191 OCSP_SINGLERESP * single;
1193 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1195 tls_out.ocsp = OCSP_FAILED;
1196 log_write(0, LOG_MAIN, "OCSP stapling "
1197 "with multiple responses not handled");
1198 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1201 single = OCSP_resp_get0(bs, 0);
1202 status = OCSP_single_get0_status(single, &reason, &rev,
1203 &thisupd, &nextupd);
1206 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1207 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1208 if (!OCSP_check_validity(thisupd, nextupd,
1209 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1211 tls_out.ocsp = OCSP_FAILED;
1212 DEBUG(D_tls) ERR_print_errors(bp);
1213 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1214 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1218 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1219 OCSP_cert_status_str(status));
1222 case V_OCSP_CERTSTATUS_GOOD:
1223 tls_out.ocsp = OCSP_VFIED;
1226 case V_OCSP_CERTSTATUS_REVOKED:
1227 tls_out.ocsp = OCSP_FAILED;
1228 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1229 reason != -1 ? "; reason: " : "",
1230 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1231 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1232 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1235 tls_out.ocsp = OCSP_FAILED;
1236 log_write(0, LOG_MAIN,
1237 "Server certificate status unknown, in OCSP stapling");
1238 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1246 OCSP_RESPONSE_free(rsp);
1249 #endif /*!DISABLE_OCSP*/
1252 /*************************************************
1253 * Initialize for TLS *
1254 *************************************************/
1256 /* Called from both server and client code, to do preliminary initialization
1257 of the library. We allocate and return a context structure.
1260 ctxp returned SSL context
1261 host connected host, if client; NULL if server
1262 dhparam DH parameter file
1263 certificate certificate file
1264 privatekey private key
1265 ocsp_file file of stapling info (server); flag for require ocsp (client)
1266 addr address if client; NULL if server (for some randomness)
1267 cbp place to put allocated callback context
1269 Returns: OK/DEFER/FAIL
1273 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1275 #ifndef DISABLE_OCSP
1278 address_item *addr, tls_ext_ctx_cb ** cbp)
1283 tls_ext_ctx_cb * cbinfo;
1285 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1286 cbinfo->certificate = certificate;
1287 cbinfo->privatekey = privatekey;
1288 #ifndef DISABLE_OCSP
1289 if ((cbinfo->is_server = host==NULL))
1291 cbinfo->u_ocsp.server.file = ocsp_file;
1292 cbinfo->u_ocsp.server.file_expanded = NULL;
1293 cbinfo->u_ocsp.server.response = NULL;
1296 cbinfo->u_ocsp.client.verify_store = NULL;
1298 cbinfo->dhparam = dhparam;
1299 cbinfo->server_cipher_list = NULL;
1300 cbinfo->host = host;
1301 #ifndef DISABLE_EVENT
1302 cbinfo->event_action = NULL;
1305 SSL_load_error_strings(); /* basic set up */
1306 OpenSSL_add_ssl_algorithms();
1308 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1309 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1310 list of available digests. */
1311 EVP_add_digest(EVP_sha256());
1314 /* Create a context.
1315 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1316 negotiation in the different methods; as far as I can tell, the only
1317 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1318 when OpenSSL is built without SSLv2 support.
1319 By disabling with openssl_options, we can let admins re-enable with the
1322 *ctxp = SSL_CTX_new((host == NULL)?
1323 SSLv23_server_method() : SSLv23_client_method());
1325 if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
1327 /* It turns out that we need to seed the random number generator this early in
1328 order to get the full complement of ciphers to work. It took me roughly a day
1329 of work to discover this by experiment.
1331 On systems that have /dev/urandom, SSL may automatically seed itself from
1332 there. Otherwise, we have to make something up as best we can. Double check
1338 gettimeofday(&r.tv, NULL);
1341 RAND_seed((uschar *)(&r), sizeof(r));
1342 RAND_seed((uschar *)big_buffer, big_buffer_size);
1343 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
1346 return tls_error(US"RAND_status", host,
1347 US"unable to seed random number generator");
1350 /* Set up the information callback, which outputs if debugging is at a suitable
1353 DEBUG(D_tls) SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
1355 /* Automatically re-try reads/writes after renegotiation. */
1356 (void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
1358 /* Apply administrator-supplied work-arounds.
1359 Historically we applied just one requested option,
1360 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1361 moved to an administrator-controlled list of options to specify and
1362 grandfathered in the first one as the default value for "openssl_options".
1364 No OpenSSL version number checks: the options we accept depend upon the
1365 availability of the option value macros from OpenSSL. */
1367 okay = tls_openssl_options_parse(openssl_options, &init_options);
1369 return tls_error(US"openssl_options parsing failed", host, NULL);
1373 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1374 if (!(SSL_CTX_set_options(*ctxp, init_options)))
1375 return tls_error(string_sprintf(
1376 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
1379 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1381 /* Initialize with DH parameters if supplied */
1382 /* Initialize ECDH temp key parameter selection */
1384 if ( !init_dh(*ctxp, dhparam, host)
1385 || !init_ecdh(*ctxp, host)
1389 /* Set up certificate and key (and perhaps OCSP info) */
1391 rc = tls_expand_session_files(*ctxp, cbinfo);
1392 if (rc != OK) return rc;
1394 /* If we need to handle SNI, do so */
1395 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1396 if (host == NULL) /* server */
1398 # ifndef DISABLE_OCSP
1399 /* We check u_ocsp.server.file, not server.response, because we care about if
1400 the option exists, not what the current expansion might be, as SNI might
1401 change the certificate and OCSP file in use between now and the time the
1402 callback is invoked. */
1403 if (cbinfo->u_ocsp.server.file)
1405 SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
1406 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
1409 /* We always do this, so that $tls_sni is available even if not used in
1411 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
1412 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
1414 # ifndef DISABLE_OCSP
1416 if(ocsp_file) /* wanting stapling */
1418 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1420 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1423 SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
1424 SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
1429 cbinfo->verify_cert_hostnames = NULL;
1431 /* Set up the RSA callback */
1433 SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
1435 /* Finally, set the timeout, and we are done */
1437 SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
1438 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1448 /*************************************************
1449 * Get name of cipher in use *
1450 *************************************************/
1453 Argument: pointer to an SSL structure for the connection
1454 buffer to use for answer
1456 pointer to number of bits for cipher
1461 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1463 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1464 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1465 the accessor functions use const in the prototype. */
1466 const SSL_CIPHER *c;
1469 ver = (const uschar *)SSL_get_version(ssl);
1471 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1472 SSL_CIPHER_get_bits(c, bits);
1474 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1475 SSL_CIPHER_get_name(c), *bits);
1477 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1482 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1484 /*XXX we might consider a list-of-certs variable for the cert chain.
1485 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1486 in list-handling functions, also consider the difference between the entire
1487 chain and the elements sent by the peer. */
1489 /* Will have already noted peercert on a verify fail; possibly not the leaf */
1490 if (!tlsp->peercert)
1491 tlsp->peercert = SSL_get_peer_certificate(ssl);
1492 /* Beware anonymous ciphers which lead to server_cert being NULL */
1495 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1496 peerdn[bsize-1] = '\0';
1497 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1500 tlsp->peerdn = NULL;
1507 /*************************************************
1508 * Set up for verifying certificates *
1509 *************************************************/
1511 /* Called by both client and server startup
1514 sctx SSL_CTX* to initialise
1515 certs certs file or NULL
1516 crl CRL file or NULL
1517 host NULL in a server; the remote host in a client
1518 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1519 otherwise passed as FALSE
1520 cert_vfy_cb Callback function for certificate verification
1522 Returns: OK/DEFER/FAIL
1526 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1527 int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
1529 uschar *expcerts, *expcrl;
1531 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
1534 if (expcerts != NULL && *expcerts != '\0')
1536 if (Ustrcmp(expcerts, "system") == 0)
1538 /* Tell the library to use its compiled-in location for the system default
1541 if (!SSL_CTX_set_default_verify_paths(sctx))
1542 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
1546 struct stat statbuf;
1548 /* Tell the library to use its compiled-in location for the system default
1549 CA bundle. Those given by the exim config are additional to these */
1551 if (!SSL_CTX_set_default_verify_paths(sctx))
1552 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
1554 if (Ustat(expcerts, &statbuf) < 0)
1556 log_write(0, LOG_MAIN|LOG_PANIC,
1557 "failed to stat %s for certificates", expcerts);
1563 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1564 { file = NULL; dir = expcerts; }
1566 { file = expcerts; dir = NULL; }
1568 /* If a certificate file is empty, the next function fails with an
1569 unhelpful error message. If we skip it, we get the correct behaviour (no
1570 certificates are recognized, but the error message is still misleading (it
1571 says no certificate was supplied.) But this is better. */
1573 if ( (!file || statbuf.st_size > 0)
1574 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1575 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
1577 /* Load the list of CAs for which we will accept certs, for sending
1578 to the client. This is only for the one-file tls_verify_certificates
1580 If a list isn't loaded into the server, but
1581 some verify locations are set, the server end appears to make
1582 a wildcard reqest for client certs.
1583 Meanwhile, the client library as deafult behaviour *ignores* the list
1584 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1585 Because of this, and that the dir variant is likely only used for
1586 the public-CA bundle (not for a private CA), not worth fixing.
1590 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
1592 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
1593 sk_X509_NAME_num(names));
1594 SSL_CTX_set_client_CA_list(sctx, names);
1599 /* Handle a certificate revocation list. */
1601 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1603 /* This bit of code is now the version supplied by Lars Mainka. (I have
1604 * merely reformatted it into the Exim code style.)
1606 * "From here I changed the code to add support for multiple crl's
1607 * in pem format in one file or to support hashed directory entries in
1608 * pem format instead of a file. This method now uses the library function
1609 * X509_STORE_load_locations to add the CRL location to the SSL context.
1610 * OpenSSL will then handle the verify against CA certs and CRLs by
1611 * itself in the verify callback." */
1613 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1614 if (expcrl != NULL && *expcrl != 0)
1616 struct stat statbufcrl;
1617 if (Ustat(expcrl, &statbufcrl) < 0)
1619 log_write(0, LOG_MAIN|LOG_PANIC,
1620 "failed to stat %s for certificates revocation lists", expcrl);
1625 /* is it a file or directory? */
1627 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1628 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1632 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1638 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1640 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1641 return tls_error(US"X509_STORE_load_locations", host, NULL);
1643 /* setting the flags to check against the complete crl chain */
1645 X509_STORE_set_flags(cvstore,
1646 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1650 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1652 /* If verification is optional, don't fail if no certificate */
1654 SSL_CTX_set_verify(sctx,
1655 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1664 /*************************************************
1665 * Start a TLS session in a server *
1666 *************************************************/
1668 /* This is called when Exim is running as a server, after having received
1669 the STARTTLS command. It must respond to that command, and then negotiate
1673 require_ciphers allowed ciphers
1675 Returns: OK on success
1676 DEFER for errors before the start of the negotiation
1677 FAIL for errors during the negotation; the server can't
1682 tls_server_start(const uschar *require_ciphers)
1686 tls_ext_ctx_cb *cbinfo;
1687 static uschar peerdn[256];
1688 static uschar cipherbuf[256];
1690 /* Check for previous activation */
1692 if (tls_in.active >= 0)
1694 tls_error(US"STARTTLS received after TLS started", NULL, US"");
1695 smtp_printf("554 Already in TLS\r\n");
1699 /* Initialize the SSL library. If it fails, it will already have logged
1702 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
1703 #ifndef DISABLE_OCSP
1706 NULL, &server_static_cbinfo);
1707 if (rc != OK) return rc;
1708 cbinfo = server_static_cbinfo;
1710 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1713 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1714 were historically separated by underscores. So that I can use either form in my
1715 tests, and also for general convenience, we turn underscores into hyphens here.
1718 if (expciphers != NULL)
1720 uschar *s = expciphers;
1721 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1722 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1723 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
1724 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
1725 cbinfo->server_cipher_list = expciphers;
1728 /* If this is a host for which certificate verification is mandatory or
1729 optional, set up appropriately. */
1731 tls_in.certificate_verified = FALSE;
1732 #ifdef EXPERIMENTAL_DANE
1733 tls_in.dane_verified = FALSE;
1735 server_verify_callback_called = FALSE;
1737 if (verify_check_host(&tls_verify_hosts) == OK)
1739 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1740 FALSE, verify_callback_server);
1741 if (rc != OK) return rc;
1742 server_verify_optional = FALSE;
1744 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1746 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1747 TRUE, verify_callback_server);
1748 if (rc != OK) return rc;
1749 server_verify_optional = TRUE;
1752 /* Prepare for new connection */
1754 if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
1756 /* Warning: we used to SSL_clear(ssl) here, it was removed.
1758 * With the SSL_clear(), we get strange interoperability bugs with
1759 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1760 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1762 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1763 * session shutdown. In this case, we have a brand new object and there's no
1764 * obvious reason to immediately clear it. I'm guessing that this was
1765 * originally added because of incomplete initialisation which the clear fixed,
1766 * in some historic release.
1769 /* Set context and tell client to go ahead, except in the case of TLS startup
1770 on connection, where outputting anything now upsets the clients and tends to
1771 make them disconnect. We need to have an explicit fflush() here, to force out
1772 the response. Other smtp_printf() calls do not need it, because in non-TLS
1773 mode, the fflush() happens when smtp_getc() is called. */
1775 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1776 if (!tls_in.on_connect)
1778 smtp_printf("220 TLS go ahead\r\n");
1782 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1783 that the OpenSSL library doesn't. */
1785 SSL_set_wfd(server_ssl, fileno(smtp_out));
1786 SSL_set_rfd(server_ssl, fileno(smtp_in));
1787 SSL_set_accept_state(server_ssl);
1789 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1791 sigalrm_seen = FALSE;
1792 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1793 rc = SSL_accept(server_ssl);
1798 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
1799 if (ERR_get_error() == 0)
1800 log_write(0, LOG_MAIN,
1801 "TLS client disconnected cleanly (rejected our certificate?)");
1805 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1807 /* TLS has been set up. Adjust the input functions to read via TLS,
1808 and initialize things. */
1810 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
1812 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1813 tls_in.cipher = cipherbuf;
1818 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
1819 debug_printf("Shared ciphers: %s\n", buf);
1822 /* Record the certificate we presented */
1824 X509 * crt = SSL_get_certificate(server_ssl);
1825 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
1828 /* Only used by the server-side tls (tls_in), including tls_getc.
1829 Client-side (tls_out) reads (seem to?) go via
1830 smtp_read_response()/ip_recv().
1831 Hence no need to duplicate for _in and _out.
1833 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1834 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1835 ssl_xfer_eof = ssl_xfer_error = 0;
1837 receive_getc = tls_getc;
1838 receive_ungetc = tls_ungetc;
1839 receive_feof = tls_feof;
1840 receive_ferror = tls_ferror;
1841 receive_smtp_buffered = tls_smtp_buffered;
1843 tls_in.active = fileno(smtp_out);
1851 tls_client_basic_ctx_init(SSL_CTX * ctx,
1852 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
1856 /* stick to the old behaviour for compatibility if tls_verify_certificates is
1857 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
1858 the specified host patterns if one of them is defined */
1860 if ( ( !ob->tls_verify_hosts
1861 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
1863 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
1865 client_verify_optional = FALSE;
1866 else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
1867 client_verify_optional = TRUE;
1871 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
1872 ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK)
1875 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
1877 cbinfo->verify_cert_hostnames =
1879 string_domain_utf8_to_alabel(host->name, NULL);
1883 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
1884 cbinfo->verify_cert_hostnames);
1890 #ifdef EXPERIMENTAL_DANE
1892 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa)
1896 const char * hostnames[2] = { CS host->name, NULL };
1899 if (DANESSL_init(ssl, NULL, hostnames) != 1)
1900 return tls_error(US"hostnames load", host, NULL);
1902 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1904 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1905 ) if (rr->type == T_TLSA)
1907 uschar * p = rr->data;
1908 uint8_t usage, selector, mtype;
1909 const char * mdname;
1913 /* Only DANE-TA(2) and DANE-EE(3) are supported */
1914 if (usage != 2 && usage != 3) continue;
1921 default: continue; /* Only match-types 0, 1, 2 are supported */
1922 case 0: mdname = NULL; break;
1923 case 1: mdname = "sha256"; break;
1924 case 2: mdname = "sha512"; break;
1928 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
1931 case 0: /* action not taken */
1932 return tls_error(US"tlsa load", host, NULL);
1936 tls_out.tlsa_usage |= 1<<usage;
1942 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
1945 #endif /*EXPERIMENTAL_DANE*/
1949 /*************************************************
1950 * Start a TLS session in a client *
1951 *************************************************/
1953 /* Called from the smtp transport after STARTTLS has been accepted.
1956 fd the fd of the connection
1957 host connected host (for messages)
1958 addr the first address
1959 tb transport (always smtp)
1960 tlsa_dnsa tlsa lookup, if DANE, else null
1962 Returns: OK on success
1963 FAIL otherwise - note that tls_error() will not give DEFER
1964 because this is not a server
1968 tls_client_start(int fd, host_item *host, address_item *addr,
1969 transport_instance *tb
1970 #ifdef EXPERIMENTAL_DANE
1971 , dns_answer * tlsa_dnsa
1975 smtp_transport_options_block * ob =
1976 (smtp_transport_options_block *)tb->options_block;
1977 static uschar peerdn[256];
1978 uschar * expciphers;
1980 static uschar cipherbuf[256];
1982 #ifndef DISABLE_OCSP
1983 BOOL request_ocsp = FALSE;
1984 BOOL require_ocsp = FALSE;
1987 #ifdef EXPERIMENTAL_DANE
1988 tls_out.tlsa_usage = 0;
1991 #ifndef DISABLE_OCSP
1993 # ifdef EXPERIMENTAL_DANE
1995 && ob->hosts_request_ocsp[0] == '*'
1996 && ob->hosts_request_ocsp[1] == '\0'
1999 /* Unchanged from default. Use a safer one under DANE */
2000 request_ocsp = TRUE;
2001 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2002 " {= {4}{$tls_out_tlsa_usage}} } "
2008 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
2009 request_ocsp = TRUE;
2011 # ifdef EXPERIMENTAL_DANE
2015 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2019 rc = tls_init(&client_ctx, host, NULL,
2020 ob->tls_certificate, ob->tls_privatekey,
2021 #ifndef DISABLE_OCSP
2022 (void *)(long)request_ocsp,
2024 addr, &client_static_cbinfo);
2025 if (rc != OK) return rc;
2027 tls_out.certificate_verified = FALSE;
2028 client_verify_callback_called = FALSE;
2030 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2034 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2035 are separated by underscores. So that I can use either form in my tests, and
2036 also for general convenience, we turn underscores into hyphens here. */
2038 if (expciphers != NULL)
2040 uschar *s = expciphers;
2041 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2042 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2043 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
2044 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
2047 #ifdef EXPERIMENTAL_DANE
2050 SSL_CTX_set_verify(client_ctx,
2051 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2052 verify_callback_client_dane);
2054 if (!DANESSL_library_init())
2055 return tls_error(US"library init", host, NULL);
2056 if (DANESSL_CTX_init(client_ctx) <= 0)
2057 return tls_error(US"context init", host, NULL);
2063 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
2067 if ((client_ssl = SSL_new(client_ctx)) == NULL)
2068 return tls_error(US"SSL_new", host, NULL);
2069 SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2070 SSL_set_fd(client_ssl, fd);
2071 SSL_set_connect_state(client_ssl);
2075 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
2077 if (tls_out.sni == NULL)
2079 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2081 else if (!Ustrlen(tls_out.sni))
2085 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2086 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2087 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
2090 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
2096 #ifdef EXPERIMENTAL_DANE
2098 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa)) != OK)
2102 #ifndef DISABLE_OCSP
2103 /* Request certificate status at connection-time. If the server
2104 does OCSP stapling we will get the callback (set in tls_init()) */
2105 # ifdef EXPERIMENTAL_DANE
2109 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2110 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2112 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2113 this means we avoid the OCSP request, we wasted the setup
2114 cost in tls_init(). */
2115 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2116 request_ocsp = require_ocsp
2117 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2124 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
2125 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2126 tls_out.ocsp = OCSP_NOT_RESP;
2130 #ifndef DISABLE_EVENT
2131 client_static_cbinfo->event_action = tb->event_action;
2134 /* There doesn't seem to be a built-in timeout on connection. */
2136 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2137 sigalrm_seen = FALSE;
2138 alarm(ob->command_timeout);
2139 rc = SSL_connect(client_ssl);
2142 #ifdef EXPERIMENTAL_DANE
2144 DANESSL_cleanup(client_ssl);
2148 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
2150 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2152 peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
2154 construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2155 tls_out.cipher = cipherbuf;
2157 /* Record the certificate we presented */
2159 X509 * crt = SSL_get_certificate(client_ssl);
2160 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2163 tls_out.active = fd;
2171 /*************************************************
2172 * TLS version of getc *
2173 *************************************************/
2175 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2176 it refills the buffer via the SSL reading function.
2179 Returns: the next character or EOF
2181 Only used by the server-side TLS.
2187 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2192 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2193 ssl_xfer_buffer, ssl_xfer_buffer_size);
2195 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2196 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
2197 error = SSL_get_error(server_ssl, inbytes);
2200 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2201 closed down, not that the socket itself has been closed down. Revert to
2202 non-SSL handling. */
2204 if (error == SSL_ERROR_ZERO_RETURN)
2206 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2208 receive_getc = smtp_getc;
2209 receive_ungetc = smtp_ungetc;
2210 receive_feof = smtp_feof;
2211 receive_ferror = smtp_ferror;
2212 receive_smtp_buffered = smtp_buffered;
2214 SSL_free(server_ssl);
2218 tls_in.cipher = NULL;
2219 tls_in.peerdn = NULL;
2225 /* Handle genuine errors */
2227 else if (error == SSL_ERROR_SSL)
2229 ERR_error_string(ERR_get_error(), ssl_errstring);
2230 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2235 else if (error != SSL_ERROR_NONE)
2237 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2242 #ifndef DISABLE_DKIM
2243 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2245 ssl_xfer_buffer_hwm = inbytes;
2246 ssl_xfer_buffer_lwm = 0;
2249 /* Something in the buffer; return next uschar */
2251 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2256 /*************************************************
2257 * Read bytes from TLS channel *
2258 *************************************************/
2265 Returns: the number of bytes read
2266 -1 after a failed read
2268 Only used by the client-side TLS.
2272 tls_read(BOOL is_server, uschar *buff, size_t len)
2274 SSL *ssl = is_server ? server_ssl : client_ssl;
2278 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2279 buff, (unsigned int)len);
2281 inbytes = SSL_read(ssl, CS buff, len);
2282 error = SSL_get_error(ssl, inbytes);
2284 if (error == SSL_ERROR_ZERO_RETURN)
2286 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2289 else if (error != SSL_ERROR_NONE)
2301 /*************************************************
2302 * Write bytes down TLS channel *
2303 *************************************************/
2307 is_server channel specifier
2311 Returns: the number of bytes after a successful write,
2312 -1 after a failed write
2314 Used by both server-side and client-side TLS.
2318 tls_write(BOOL is_server, const uschar *buff, size_t len)
2323 SSL *ssl = is_server ? server_ssl : client_ssl;
2325 DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
2328 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
2329 outbytes = SSL_write(ssl, CS buff, left);
2330 error = SSL_get_error(ssl, outbytes);
2331 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2335 ERR_error_string(ERR_get_error(), ssl_errstring);
2336 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2339 case SSL_ERROR_NONE:
2344 case SSL_ERROR_ZERO_RETURN:
2345 log_write(0, LOG_MAIN, "SSL channel closed on write");
2348 case SSL_ERROR_SYSCALL:
2349 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2350 sender_fullhost ? sender_fullhost : US"<unknown>",
2354 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2363 /*************************************************
2364 * Close down a TLS session *
2365 *************************************************/
2367 /* This is also called from within a delivery subprocess forked from the
2368 daemon, to shut down the TLS library, without actually doing a shutdown (which
2369 would tamper with the SSL session in the parent process).
2371 Arguments: TRUE if SSL_shutdown is to be called
2374 Used by both server-side and client-side TLS.
2378 tls_close(BOOL is_server, BOOL shutdown)
2380 SSL **sslp = is_server ? &server_ssl : &client_ssl;
2381 int *fdp = is_server ? &tls_in.active : &tls_out.active;
2383 if (*fdp < 0) return; /* TLS was not active */
2387 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
2388 SSL_shutdown(*sslp);
2400 /*************************************************
2401 * Let tls_require_ciphers be checked at startup *
2402 *************************************************/
2404 /* The tls_require_ciphers option, if set, must be something which the
2407 Returns: NULL on success, or error message
2411 tls_validate_require_cipher(void)
2414 uschar *s, *expciphers, *err;
2416 /* this duplicates from tls_init(), we need a better "init just global
2417 state, for no specific purpose" singleton function of our own */
2419 SSL_load_error_strings();
2420 OpenSSL_add_ssl_algorithms();
2421 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2422 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
2423 list of available digests. */
2424 EVP_add_digest(EVP_sha256());
2427 if (!(tls_require_ciphers && *tls_require_ciphers))
2430 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2431 return US"failed to expand tls_require_ciphers";
2433 if (!(expciphers && *expciphers))
2436 /* normalisation ripped from above */
2438 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2442 ctx = SSL_CTX_new(SSLv23_server_method());
2445 ERR_error_string(ERR_get_error(), ssl_errstring);
2446 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2450 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2452 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2454 ERR_error_string(ERR_get_error(), ssl_errstring);
2455 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
2466 /*************************************************
2467 * Report the library versions. *
2468 *************************************************/
2470 /* There have historically been some issues with binary compatibility in
2471 OpenSSL libraries; if Exim (like many other applications) is built against
2472 one version of OpenSSL but the run-time linker picks up another version,
2473 it can result in serious failures, including crashing with a SIGSEGV. So
2474 report the version found by the compiler and the run-time version.
2476 Note: some OS vendors backport security fixes without changing the version
2477 number/string, and the version date remains unchanged. The _build_ date
2478 will change, so we can more usefully assist with version diagnosis by also
2479 reporting the build date.
2481 Arguments: a FILE* to print the results to
2486 tls_version_report(FILE *f)
2488 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
2491 OPENSSL_VERSION_TEXT,
2492 SSLeay_version(SSLEAY_VERSION),
2493 SSLeay_version(SSLEAY_BUILT_ON));
2494 /* third line is 38 characters for the %s and the line is 73 chars long;
2495 the OpenSSL output includes a "built on: " prefix already. */
2501 /*************************************************
2502 * Random number generation *
2503 *************************************************/
2505 /* Pseudo-random number generation. The result is not expected to be
2506 cryptographically strong but not so weak that someone will shoot themselves
2507 in the foot using it as a nonce in input in some email header scheme or
2508 whatever weirdness they'll twist this into. The result should handle fork()
2509 and avoid repeating sequences. OpenSSL handles that for us.
2513 Returns a random number in range [0, max-1]
2517 vaguely_random_number(int max)
2521 static pid_t pidlast = 0;
2524 uschar smallbuf[sizeof(r)];
2530 if (pidnow != pidlast)
2532 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2533 is unique for each thread", this doesn't apparently apply across processes,
2534 so our own warning from vaguely_random_number_fallback() applies here too.
2535 Fix per PostgreSQL. */
2541 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2545 gettimeofday(&r.tv, NULL);
2548 RAND_seed((uschar *)(&r), sizeof(r));
2550 /* We're after pseudo-random, not random; if we still don't have enough data
2551 in the internal PRNG then our options are limited. We could sleep and hope
2552 for entropy to come along (prayer technique) but if the system is so depleted
2553 in the first place then something is likely to just keep taking it. Instead,
2554 we'll just take whatever little bit of pseudo-random we can still manage to
2557 needed_len = sizeof(r);
2558 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
2559 asked for a number less than 10. */
2560 for (r = max, i = 0; r; ++i)
2566 /* We do not care if crypto-strong */
2567 i = RAND_pseudo_bytes(smallbuf, needed_len);
2571 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2572 return vaguely_random_number_fallback(max);
2576 for (p = smallbuf; needed_len; --needed_len, ++p)
2582 /* We don't particularly care about weighted results; if someone wants
2583 smooth distribution and cares enough then they should submit a patch then. */
2590 /*************************************************
2591 * OpenSSL option parse *
2592 *************************************************/
2594 /* Parse one option for tls_openssl_options_parse below
2597 name one option name
2598 value place to store a value for it
2599 Returns success or failure in parsing
2602 struct exim_openssl_option {
2606 /* We could use a macro to expand, but we need the ifdef and not all the
2607 options document which version they were introduced in. Policylet: include
2608 all options unless explicitly for DTLS, let the administrator choose which
2611 This list is current as of:
2613 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2615 static struct exim_openssl_option exim_openssl_options[] = {
2616 /* KEEP SORTED ALPHABETICALLY! */
2618 { US"all", SSL_OP_ALL },
2620 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
2621 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
2623 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
2624 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
2626 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2627 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
2629 #ifdef SSL_OP_EPHEMERAL_RSA
2630 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
2632 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
2633 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
2635 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
2636 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
2638 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
2639 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
2641 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
2642 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
2644 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
2645 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
2647 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
2648 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
2650 #ifdef SSL_OP_NO_COMPRESSION
2651 { US"no_compression", SSL_OP_NO_COMPRESSION },
2653 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2654 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
2656 #ifdef SSL_OP_NO_SSLv2
2657 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2659 #ifdef SSL_OP_NO_SSLv3
2660 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2662 #ifdef SSL_OP_NO_TICKET
2663 { US"no_ticket", SSL_OP_NO_TICKET },
2665 #ifdef SSL_OP_NO_TLSv1
2666 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2668 #ifdef SSL_OP_NO_TLSv1_1
2669 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
2670 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2671 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2673 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2676 #ifdef SSL_OP_NO_TLSv1_2
2677 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2679 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2680 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2682 #ifdef SSL_OP_SINGLE_DH_USE
2683 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
2685 #ifdef SSL_OP_SINGLE_ECDH_USE
2686 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
2688 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
2689 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
2691 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
2692 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
2694 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
2695 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
2697 #ifdef SSL_OP_TLS_D5_BUG
2698 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
2700 #ifdef SSL_OP_TLS_ROLLBACK_BUG
2701 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
2704 static int exim_openssl_options_size =
2705 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2709 tls_openssl_one_option_parse(uschar *name, long *value)
2712 int last = exim_openssl_options_size;
2713 while (last > first)
2715 int middle = (first + last)/2;
2716 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2719 *value = exim_openssl_options[middle].value;
2733 /*************************************************
2734 * OpenSSL option parsing logic *
2735 *************************************************/
2737 /* OpenSSL has a number of compatibility options which an administrator might
2738 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
2739 we look like log_selector.
2742 option_spec the administrator-supplied string of options
2743 results ptr to long storage for the options bitmap
2744 Returns success or failure
2748 tls_openssl_options_parse(uschar *option_spec, long *results)
2753 BOOL adding, item_parsed;
2756 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
2757 * from default because it increases BEAST susceptibility. */
2758 #ifdef SSL_OP_NO_SSLv2
2759 result |= SSL_OP_NO_SSLv2;
2762 if (option_spec == NULL)
2768 for (s=option_spec; *s != '\0'; /**/)
2770 while (isspace(*s)) ++s;
2773 if (*s != '+' && *s != '-')
2775 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
2776 "+ or - expected but found \"%s\"\n", s);
2779 adding = *s++ == '+';
2780 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
2783 item_parsed = tls_openssl_one_option_parse(s, &item);
2786 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
2789 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
2790 adding ? "adding" : "removing", result, item, s);
2805 /* End of tls-openssl.c */