1 /* $Cambridge: exim/src/src/tls-openssl.c,v 1.28 2010/06/12 17:56:32 jetmore Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2009 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
26 /* Structure for collecting random data for seeding. */
28 typedef struct randstuff {
33 /* Local static variables */
35 static BOOL verify_callback_called = FALSE;
36 static const uschar *sid_ctx = US"exim";
38 static SSL_CTX *ctx = NULL;
39 static SSL *ssl = NULL;
41 static char ssl_errstring[256];
43 static int ssl_session_timeout = 200;
44 static BOOL verify_optional = FALSE;
50 /*************************************************
52 *************************************************/
54 /* Called from lots of places when errors occur before actually starting to do
55 the TLS handshake, that is, while the session is still in clear. Always returns
56 DEFER for a server and FAIL for a client so that most calls can use "return
57 tls_error(...)" to do this processing and then give an appropriate return. A
58 single function is used for both server and client, because it is called from
59 some shared functions.
62 prefix text to include in the logged error
63 host NULL if setting up a server;
64 the connected host if setting up a client
65 msg error message or NULL if we should ask OpenSSL
67 Returns: OK/DEFER/FAIL
71 tls_error(uschar *prefix, host_item *host, uschar *msg)
75 ERR_error_string(ERR_get_error(), ssl_errstring);
76 msg = (uschar *)ssl_errstring;
81 uschar *conn_info = smtp_get_connection_info();
82 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
84 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
85 conn_info, prefix, msg);
90 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
91 host->name, host->address, prefix, msg);
98 /*************************************************
99 * Callback to generate RSA key *
100 *************************************************/
108 Returns: pointer to generated key
112 rsa_callback(SSL *s, int export, int keylength)
115 export = export; /* Shut picky compilers up */
116 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
117 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
120 ERR_error_string(ERR_get_error(), ssl_errstring);
121 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
131 /*************************************************
132 * Callback for verification *
133 *************************************************/
135 /* The SSL library does certificate verification if set up to do so. This
136 callback has the current yes/no state is in "state". If verification succeeded,
137 we set up the tls_peerdn string. If verification failed, what happens depends
138 on whether the client is required to present a verifiable certificate or not.
140 If verification is optional, we change the state to yes, but still log the
141 verification error. For some reason (it really would help to have proper
142 documentation of OpenSSL), this callback function then gets called again, this
143 time with state = 1. In fact, that's useful, because we can set up the peerdn
144 value, but we must take care not to set the private verified flag on the second
147 Note: this function is not called if the client fails to present a certificate
148 when asked. We get here only if a certificate has been received. Handling of
149 optional verification for this case is done when requesting SSL to verify, by
150 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
153 state current yes/no state as 1/0
154 x509ctx certificate information.
156 Returns: 1 if verified, 0 if not
160 verify_callback(int state, X509_STORE_CTX *x509ctx)
162 static uschar txt[256];
164 X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
165 CS txt, sizeof(txt));
169 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
170 x509ctx->error_depth,
171 X509_verify_cert_error_string(x509ctx->error),
173 tls_certificate_verified = FALSE;
174 verify_callback_called = TRUE;
175 if (!verify_optional) return 0; /* reject */
176 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
177 "tls_try_verify_hosts)\n");
178 return 1; /* accept */
181 if (x509ctx->error_depth != 0)
183 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
184 x509ctx->error_depth, txt);
188 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
189 verify_callback_called? "" : " authenticated", txt);
193 if (!verify_callback_called) tls_certificate_verified = TRUE;
194 verify_callback_called = TRUE;
196 return 1; /* accept */
201 /*************************************************
202 * Information callback *
203 *************************************************/
205 /* The SSL library functions call this from time to time to indicate what they
206 are doing. We copy the string to the debugging output when the level is high
218 info_callback(SSL *s, int where, int ret)
222 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
227 /*************************************************
228 * Initialize for DH *
229 *************************************************/
231 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
234 dhparam DH parameter file
235 host connected host, if client; NULL if server
237 Returns: TRUE if OK (nothing to set up, or setup worked)
241 init_dh(uschar *dhparam, host_item *host)
248 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
251 if (dhexpanded == NULL) return TRUE;
253 if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
255 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
256 host, (uschar *)strerror(errno));
261 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
263 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
269 SSL_CTX_set_tmp_dh(ctx, dh);
271 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
272 dhexpanded, 8*DH_size(dh));
284 /*************************************************
285 * Initialize for TLS *
286 *************************************************/
288 /* Called from both server and client code, to do preliminary initialization of
292 host connected host, if client; NULL if server
293 dhparam DH parameter file
294 certificate certificate file
295 privatekey private key
296 addr address if client; NULL if server (for some randomness)
298 Returns: OK/DEFER/FAIL
302 tls_init(host_item *host, uschar *dhparam, uschar *certificate,
303 uschar *privatekey, address_item *addr)
308 SSL_load_error_strings(); /* basic set up */
309 OpenSSL_add_ssl_algorithms();
311 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
312 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
313 list of available digests. */
314 EVP_add_digest(EVP_sha256());
317 /* Create a context */
319 ctx = SSL_CTX_new((host == NULL)?
320 SSLv23_server_method() : SSLv23_client_method());
322 if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
324 /* It turns out that we need to seed the random number generator this early in
325 order to get the full complement of ciphers to work. It took me roughly a day
326 of work to discover this by experiment.
328 On systems that have /dev/urandom, SSL may automatically seed itself from
329 there. Otherwise, we have to make something up as best we can. Double check
335 gettimeofday(&r.tv, NULL);
338 RAND_seed((uschar *)(&r), sizeof(r));
339 RAND_seed((uschar *)big_buffer, big_buffer_size);
340 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
343 return tls_error(US"RAND_status", host,
344 US"unable to seed random number generator");
347 /* Set up the information callback, which outputs if debugging is at a suitable
350 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
352 /* Apply administrator-supplied work-arounds.
353 Historically we applied just one requested option,
354 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
355 moved to an administrator-controlled list of options to specify and
356 grandfathered in the first one as the default value for "openssl_options".
358 No OpenSSL version number checks: the options we accept depend upon the
359 availability of the option value macros from OpenSSL. */
361 okay = tls_openssl_options_parse(openssl_options, &init_options);
363 return tls_error(US"openssl_options parsing failed", host, NULL);
367 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
368 if (!(SSL_CTX_set_options(ctx, init_options)))
369 return tls_error(string_sprintf(
370 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
373 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
375 /* Initialize with DH parameters if supplied */
377 if (!init_dh(dhparam, host)) return DEFER;
379 /* Set up certificate and key */
381 if (certificate != NULL)
384 if (!expand_check(certificate, US"tls_certificate", &expanded))
387 if (expanded != NULL)
389 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
390 if (!SSL_CTX_use_certificate_chain_file(ctx, CS expanded))
391 return tls_error(string_sprintf(
392 "SSL_CTX_use_certificate_chain_file file=%s", expanded), host, NULL);
395 if (privatekey != NULL &&
396 !expand_check(privatekey, US"tls_privatekey", &expanded))
399 /* If expansion was forced to fail, key_expanded will be NULL. If the result
400 of the expansion is an empty string, ignore it also, and assume the private
401 key is in the same file as the certificate. */
403 if (expanded != NULL && *expanded != 0)
405 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
406 if (!SSL_CTX_use_PrivateKey_file(ctx, CS expanded, SSL_FILETYPE_PEM))
407 return tls_error(string_sprintf(
408 "SSL_CTX_use_PrivateKey_file file=%s", expanded), host, NULL);
412 /* Set up the RSA callback */
414 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
416 /* Finally, set the timeout, and we are done */
418 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
419 DEBUG(D_tls) debug_printf("Initialized TLS\n");
426 /*************************************************
427 * Get name of cipher in use *
428 *************************************************/
430 /* The answer is left in a static buffer, and tls_cipher is set to point
433 Argument: pointer to an SSL structure for the connection
438 construct_cipher_name(SSL *ssl)
440 static uschar cipherbuf[256];
441 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
442 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
443 the accessor functions use const in the prototype. */
448 switch (ssl->session->ssl_version)
466 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
467 SSL_CIPHER_get_bits(c, &bits);
469 string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
470 SSL_CIPHER_get_name(c), bits);
471 tls_cipher = cipherbuf;
473 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
480 /*************************************************
481 * Set up for verifying certificates *
482 *************************************************/
484 /* Called by both client and server startup
487 certs certs file or NULL
489 host NULL in a server; the remote host in a client
490 optional TRUE if called from a server for a host in tls_try_verify_hosts;
491 otherwise passed as FALSE
493 Returns: OK/DEFER/FAIL
497 setup_certs(uschar *certs, uschar *crl, host_item *host, BOOL optional)
499 uschar *expcerts, *expcrl;
501 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
504 if (expcerts != NULL)
507 if (!SSL_CTX_set_default_verify_paths(ctx))
508 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
510 if (Ustat(expcerts, &statbuf) < 0)
512 log_write(0, LOG_MAIN|LOG_PANIC,
513 "failed to stat %s for certificates", expcerts);
519 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
520 { file = NULL; dir = expcerts; }
522 { file = expcerts; dir = NULL; }
524 /* If a certificate file is empty, the next function fails with an
525 unhelpful error message. If we skip it, we get the correct behaviour (no
526 certificates are recognized, but the error message is still misleading (it
527 says no certificate was supplied.) But this is better. */
529 if ((file == NULL || statbuf.st_size > 0) &&
530 !SSL_CTX_load_verify_locations(ctx, CS file, CS dir))
531 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
535 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CS file));
539 /* Handle a certificate revocation list. */
541 #if OPENSSL_VERSION_NUMBER > 0x00907000L
543 /* This bit of code is now the version supplied by Lars Mainka. (I have
544 * merely reformatted it into the Exim code style.)
546 * "From here I changed the code to add support for multiple crl's
547 * in pem format in one file or to support hashed directory entries in
548 * pem format instead of a file. This method now uses the library function
549 * X509_STORE_load_locations to add the CRL location to the SSL context.
550 * OpenSSL will then handle the verify against CA certs and CRLs by
551 * itself in the verify callback." */
553 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
554 if (expcrl != NULL && *expcrl != 0)
556 struct stat statbufcrl;
557 if (Ustat(expcrl, &statbufcrl) < 0)
559 log_write(0, LOG_MAIN|LOG_PANIC,
560 "failed to stat %s for certificates revocation lists", expcrl);
565 /* is it a file or directory? */
567 X509_STORE *cvstore = SSL_CTX_get_cert_store(ctx);
568 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
572 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
578 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
580 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
581 return tls_error(US"X509_STORE_load_locations", host, NULL);
583 /* setting the flags to check against the complete crl chain */
585 X509_STORE_set_flags(cvstore,
586 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
590 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
592 /* If verification is optional, don't fail if no certificate */
594 SSL_CTX_set_verify(ctx,
595 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
604 /*************************************************
605 * Start a TLS session in a server *
606 *************************************************/
608 /* This is called when Exim is running as a server, after having received
609 the STARTTLS command. It must respond to that command, and then negotiate
613 require_ciphers allowed ciphers
614 ------------------------------------------------------
615 require_mac list of allowed MACs ) Not used
616 require_kx list of allowed key_exchange methods ) for
617 require_proto list of allowed protocols ) OpenSSL
618 ------------------------------------------------------
620 Returns: OK on success
621 DEFER for errors before the start of the negotiation
622 FAIL for errors during the negotation; the server can't
627 tls_server_start(uschar *require_ciphers, uschar *require_mac,
628 uschar *require_kx, uschar *require_proto)
633 /* Check for previous activation */
637 tls_error(US"STARTTLS received after TLS started", NULL, US"");
638 smtp_printf("554 Already in TLS\r\n");
642 /* Initialize the SSL library. If it fails, it will already have logged
645 rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey, NULL);
646 if (rc != OK) return rc;
648 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
651 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
652 are separated by underscores. So that I can use either form in my tests, and
653 also for general convenience, we turn underscores into hyphens here. */
655 if (expciphers != NULL)
657 uschar *s = expciphers;
658 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
659 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
660 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
661 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
664 /* If this is a host for which certificate verification is mandatory or
665 optional, set up appropriately. */
667 tls_certificate_verified = FALSE;
668 verify_callback_called = FALSE;
670 if (verify_check_host(&tls_verify_hosts) == OK)
672 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, FALSE);
673 if (rc != OK) return rc;
674 verify_optional = FALSE;
676 else if (verify_check_host(&tls_try_verify_hosts) == OK)
678 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, TRUE);
679 if (rc != OK) return rc;
680 verify_optional = TRUE;
683 /* Prepare for new connection */
685 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
688 /* Set context and tell client to go ahead, except in the case of TLS startup
689 on connection, where outputting anything now upsets the clients and tends to
690 make them disconnect. We need to have an explicit fflush() here, to force out
691 the response. Other smtp_printf() calls do not need it, because in non-TLS
692 mode, the fflush() happens when smtp_getc() is called. */
694 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
697 smtp_printf("220 TLS go ahead\r\n");
701 /* Now negotiate the TLS session. We put our own timer on it, since it seems
702 that the OpenSSL library doesn't. */
704 SSL_set_wfd(ssl, fileno(smtp_out));
705 SSL_set_rfd(ssl, fileno(smtp_in));
706 SSL_set_accept_state(ssl);
708 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
710 sigalrm_seen = FALSE;
711 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
712 rc = SSL_accept(ssl);
717 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
718 if (ERR_get_error() == 0)
719 log_write(0, LOG_MAIN,
720 "TLS client disconnected cleanly (rejected our certificate?)");
724 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
726 /* TLS has been set up. Adjust the input functions to read via TLS,
727 and initialize things. */
729 construct_cipher_name(ssl);
734 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
735 debug_printf("Shared ciphers: %s\n", buf);
739 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
740 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
741 ssl_xfer_eof = ssl_xfer_error = 0;
743 receive_getc = tls_getc;
744 receive_ungetc = tls_ungetc;
745 receive_feof = tls_feof;
746 receive_ferror = tls_ferror;
747 receive_smtp_buffered = tls_smtp_buffered;
749 tls_active = fileno(smtp_out);
757 /*************************************************
758 * Start a TLS session in a client *
759 *************************************************/
761 /* Called from the smtp transport after STARTTLS has been accepted.
764 fd the fd of the connection
765 host connected host (for messages)
766 addr the first address
767 dhparam DH parameter file
768 certificate certificate file
769 privatekey private key file
770 verify_certs file for certificate verify
771 crl file containing CRL
772 require_ciphers list of allowed ciphers
773 ------------------------------------------------------
774 require_mac list of allowed MACs ) Not used
775 require_kx list of allowed key_exchange methods ) for
776 require_proto list of allowed protocols ) OpenSSL
777 ------------------------------------------------------
778 timeout startup timeout
780 Returns: OK on success
781 FAIL otherwise - note that tls_error() will not give DEFER
782 because this is not a server
786 tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
787 uschar *certificate, uschar *privatekey, uschar *verify_certs, uschar *crl,
788 uschar *require_ciphers, uschar *require_mac, uschar *require_kx,
789 uschar *require_proto, int timeout)
791 static uschar txt[256];
796 rc = tls_init(host, dhparam, certificate, privatekey, addr);
797 if (rc != OK) return rc;
799 tls_certificate_verified = FALSE;
800 verify_callback_called = FALSE;
802 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
805 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
806 are separated by underscores. So that I can use either form in my tests, and
807 also for general convenience, we turn underscores into hyphens here. */
809 if (expciphers != NULL)
811 uschar *s = expciphers;
812 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
813 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
814 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
815 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
818 rc = setup_certs(verify_certs, crl, host, FALSE);
819 if (rc != OK) return rc;
821 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
822 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
824 SSL_set_connect_state(ssl);
826 /* There doesn't seem to be a built-in timeout on connection. */
828 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
829 sigalrm_seen = FALSE;
831 rc = SSL_connect(ssl);
835 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
837 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
839 /* Beware anonymous ciphers which lead to server_cert being NULL */
840 server_cert = SSL_get_peer_certificate (ssl);
843 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
844 CS txt, sizeof(txt));
850 construct_cipher_name(ssl); /* Sets tls_cipher */
860 /*************************************************
861 * TLS version of getc *
862 *************************************************/
864 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
865 it refills the buffer via the SSL reading function.
868 Returns: the next character or EOF
874 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
879 DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl,
880 (long)ssl_xfer_buffer, ssl_xfer_buffer_size);
882 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
883 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
884 error = SSL_get_error(ssl, inbytes);
887 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
888 closed down, not that the socket itself has been closed down. Revert to
891 if (error == SSL_ERROR_ZERO_RETURN)
893 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
895 receive_getc = smtp_getc;
896 receive_ungetc = smtp_ungetc;
897 receive_feof = smtp_feof;
898 receive_ferror = smtp_ferror;
899 receive_smtp_buffered = smtp_buffered;
910 /* Handle genuine errors */
912 else if (error == SSL_ERROR_SSL)
914 ERR_error_string(ERR_get_error(), ssl_errstring);
915 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
920 else if (error != SSL_ERROR_NONE)
922 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
927 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
929 ssl_xfer_buffer_hwm = inbytes;
930 ssl_xfer_buffer_lwm = 0;
933 /* Something in the buffer; return next uschar */
935 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
940 /*************************************************
941 * Read bytes from TLS channel *
942 *************************************************/
949 Returns: the number of bytes read
950 -1 after a failed read
954 tls_read(uschar *buff, size_t len)
959 DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl,
960 (long)buff, (unsigned int)len);
962 inbytes = SSL_read(ssl, CS buff, len);
963 error = SSL_get_error(ssl, inbytes);
965 if (error == SSL_ERROR_ZERO_RETURN)
967 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
970 else if (error != SSL_ERROR_NONE)
982 /*************************************************
983 * Write bytes down TLS channel *
984 *************************************************/
991 Returns: the number of bytes after a successful write,
992 -1 after a failed write
996 tls_write(const uschar *buff, size_t len)
1002 DEBUG(D_tls) debug_printf("tls_do_write(%lx, %d)\n", (long)buff, left);
1005 DEBUG(D_tls) debug_printf("SSL_write(SSL, %lx, %d)\n", (long)buff, left);
1006 outbytes = SSL_write(ssl, CS buff, left);
1007 error = SSL_get_error(ssl, outbytes);
1008 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1012 ERR_error_string(ERR_get_error(), ssl_errstring);
1013 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1016 case SSL_ERROR_NONE:
1021 case SSL_ERROR_ZERO_RETURN:
1022 log_write(0, LOG_MAIN, "SSL channel closed on write");
1026 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1035 /*************************************************
1036 * Close down a TLS session *
1037 *************************************************/
1039 /* This is also called from within a delivery subprocess forked from the
1040 daemon, to shut down the TLS library, without actually doing a shutdown (which
1041 would tamper with the SSL session in the parent process).
1043 Arguments: TRUE if SSL_shutdown is to be called
1048 tls_close(BOOL shutdown)
1050 if (tls_active < 0) return; /* TLS was not active */
1054 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1067 /*************************************************
1068 * Report the library versions. *
1069 *************************************************/
1071 /* There have historically been some issues with binary compatibility in
1072 OpenSSL libraries; if Exim (like many other applications) is built against
1073 one version of OpenSSL but the run-time linker picks up another version,
1074 it can result in serious failures, including crashing with a SIGSEGV. So
1075 report the version found by the compiler and the run-time version.
1077 Arguments: a FILE* to print the results to
1082 tls_version_report(FILE *f)
1084 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1086 OPENSSL_VERSION_TEXT,
1087 SSLeay_version(SSLEAY_VERSION));
1093 /*************************************************
1094 * Pseudo-random number generation *
1095 *************************************************/
1097 /* Pseudo-random number generation. The result is not expected to be
1098 cryptographically strong but not so weak that someone will shoot themselves
1099 in the foot using it as a nonce in input in some email header scheme or
1100 whatever weirdness they'll twist this into. The result should handle fork()
1101 and avoid repeating sequences. OpenSSL handles that for us.
1105 Returns a random number in range [0, max-1]
1109 pseudo_random_number(int max)
1114 uschar smallbuf[sizeof(r)];
1119 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1123 gettimeofday(&r.tv, NULL);
1126 RAND_seed((uschar *)(&r), sizeof(r));
1128 /* We're after pseudo-random, not random; if we still don't have enough data
1129 in the internal PRNG then our options are limited. We could sleep and hope
1130 for entropy to come along (prayer technique) but if the system is so depleted
1131 in the first place then something is likely to just keep taking it. Instead,
1132 we'll just take whatever little bit of pseudo-random we can still manage to
1135 needed_len = sizeof(r);
1136 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
1137 asked for a number less than 10. */
1138 for (r = max, i = 0; r; ++i)
1144 /* We do not care if crypto-strong */
1145 (void) RAND_pseudo_bytes(smallbuf, needed_len);
1147 for (p = smallbuf; needed_len; --needed_len, ++p)
1153 /* We don't particularly care about weighted results; if someone wants
1154 smooth distribution and cares enough then they should submit a patch then. */
1161 /*************************************************
1162 * OpenSSL option parse *
1163 *************************************************/
1165 /* Parse one option for tls_openssl_options_parse below
1168 name one option name
1169 value place to store a value for it
1170 Returns success or failure in parsing
1173 struct exim_openssl_option {
1177 /* We could use a macro to expand, but we need the ifdef and not all the
1178 options document which version they were introduced in. Policylet: include
1179 all options unless explicitly for DTLS, let the administrator choose which
1182 This list is current as of:
1184 static struct exim_openssl_option exim_openssl_options[] = {
1185 /* KEEP SORTED ALPHABETICALLY! */
1187 { US"all", SSL_OP_ALL },
1189 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
1190 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
1192 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
1193 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
1195 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1196 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
1198 #ifdef SSL_OP_EPHEMERAL_RSA
1199 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
1201 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
1202 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
1204 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
1205 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
1207 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
1208 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
1210 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
1211 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
1213 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
1214 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
1216 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1217 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
1219 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1220 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
1222 #ifdef SSL_OP_NO_SSLv2
1223 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1225 #ifdef SSL_OP_NO_SSLv3
1226 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1228 #ifdef SSL_OP_NO_TICKET
1229 { US"no_ticket", SSL_OP_NO_TICKET },
1231 #ifdef SSL_OP_NO_TLSv1
1232 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1234 #ifdef SSL_OP_SINGLE_DH_USE
1235 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
1237 #ifdef SSL_OP_SINGLE_ECDH_USE
1238 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
1240 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
1241 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
1243 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
1244 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
1246 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
1247 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
1249 #ifdef SSL_OP_TLS_D5_BUG
1250 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
1252 #ifdef SSL_OP_TLS_ROLLBACK_BUG
1253 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
1256 static int exim_openssl_options_size =
1257 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1260 tls_openssl_one_option_parse(uschar *name, long *value)
1263 int last = exim_openssl_options_size;
1264 while (last > first)
1266 int middle = (first + last)/2;
1267 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1270 *value = exim_openssl_options[middle].value;
1284 /*************************************************
1285 * OpenSSL option parsing logic *
1286 *************************************************/
1288 /* OpenSSL has a number of compatibility options which an administrator might
1289 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1290 we look like log_selector.
1293 option_spec the administrator-supplied string of options
1294 results ptr to long storage for the options bitmap
1295 Returns success or failure
1299 tls_openssl_options_parse(uschar *option_spec, long *results)
1304 BOOL adding, item_parsed;
1307 /* We grandfather in as default the one option which we used to set always. */
1308 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1309 result |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1312 if (option_spec == NULL)
1318 for (s=option_spec; *s != '\0'; /**/)
1320 while (isspace(*s)) ++s;
1323 if (*s != '+' && *s != '-')
1325 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
1326 "+ or - expected but found \"%s\"\n", s);
1329 adding = *s++ == '+';
1330 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1333 item_parsed = tls_openssl_one_option_parse(s, &item);
1336 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
1339 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1340 adding ? "adding" : "removing", result, item, s);
1353 /* End of tls-openssl.c */