1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2009 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9 library. It is #included into the tls.c file when that library is used. The
10 code herein is based on a patch that was originally contributed by Steve
11 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
13 No cryptographic code is included in Exim. All this module does is to call
14 functions from the OpenSSL library. */
19 #include <openssl/lhash.h>
20 #include <openssl/ssl.h>
21 #include <openssl/err.h>
22 #include <openssl/rand.h>
24 /* Structure for collecting random data for seeding. */
26 typedef struct randstuff {
31 /* Local static variables */
33 static BOOL verify_callback_called = FALSE;
34 static const uschar *sid_ctx = US"exim";
36 static SSL_CTX *ctx = NULL;
37 static SSL_CTX *ctx_sni = NULL;
38 static SSL *ssl = NULL;
40 static char ssl_errstring[256];
42 static int ssl_session_timeout = 200;
43 static BOOL verify_optional = FALSE;
45 static BOOL reexpand_tls_files_for_sni = FALSE;
48 typedef struct tls_ext_ctx_cb {
52 /* these are cached from first expand */
53 uschar *server_cipher_list;
54 /* only passed down to tls_error: */
58 /* should figure out a cleanup of API to handle state preserved per
59 implementation, for various reasons, which can be void * in the APIs.
60 For now, we hack around it. */
61 tls_ext_ctx_cb *static_cbinfo = NULL;
64 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional);
67 /*************************************************
69 *************************************************/
71 /* Called from lots of places when errors occur before actually starting to do
72 the TLS handshake, that is, while the session is still in clear. Always returns
73 DEFER for a server and FAIL for a client so that most calls can use "return
74 tls_error(...)" to do this processing and then give an appropriate return. A
75 single function is used for both server and client, because it is called from
76 some shared functions.
79 prefix text to include in the logged error
80 host NULL if setting up a server;
81 the connected host if setting up a client
82 msg error message or NULL if we should ask OpenSSL
84 Returns: OK/DEFER/FAIL
88 tls_error(uschar *prefix, host_item *host, uschar *msg)
92 ERR_error_string(ERR_get_error(), ssl_errstring);
93 msg = (uschar *)ssl_errstring;
98 uschar *conn_info = smtp_get_connection_info();
99 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
101 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
102 conn_info, prefix, msg);
107 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
108 host->name, host->address, prefix, msg);
115 /*************************************************
116 * Callback to generate RSA key *
117 *************************************************/
125 Returns: pointer to generated key
129 rsa_callback(SSL *s, int export, int keylength)
132 export = export; /* Shut picky compilers up */
133 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
134 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
137 ERR_error_string(ERR_get_error(), ssl_errstring);
138 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
148 /*************************************************
149 * Callback for verification *
150 *************************************************/
152 /* The SSL library does certificate verification if set up to do so. This
153 callback has the current yes/no state is in "state". If verification succeeded,
154 we set up the tls_peerdn string. If verification failed, what happens depends
155 on whether the client is required to present a verifiable certificate or not.
157 If verification is optional, we change the state to yes, but still log the
158 verification error. For some reason (it really would help to have proper
159 documentation of OpenSSL), this callback function then gets called again, this
160 time with state = 1. In fact, that's useful, because we can set up the peerdn
161 value, but we must take care not to set the private verified flag on the second
164 Note: this function is not called if the client fails to present a certificate
165 when asked. We get here only if a certificate has been received. Handling of
166 optional verification for this case is done when requesting SSL to verify, by
167 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
170 state current yes/no state as 1/0
171 x509ctx certificate information.
173 Returns: 1 if verified, 0 if not
177 verify_callback(int state, X509_STORE_CTX *x509ctx)
179 static uschar txt[256];
181 X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
182 CS txt, sizeof(txt));
186 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
187 x509ctx->error_depth,
188 X509_verify_cert_error_string(x509ctx->error),
190 tls_certificate_verified = FALSE;
191 verify_callback_called = TRUE;
192 if (!verify_optional) return 0; /* reject */
193 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
194 "tls_try_verify_hosts)\n");
195 return 1; /* accept */
198 if (x509ctx->error_depth != 0)
200 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
201 x509ctx->error_depth, txt);
205 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
206 verify_callback_called? "" : " authenticated", txt);
210 if (!verify_callback_called) tls_certificate_verified = TRUE;
211 verify_callback_called = TRUE;
213 return 1; /* accept */
218 /*************************************************
219 * Information callback *
220 *************************************************/
222 /* The SSL library functions call this from time to time to indicate what they
223 are doing. We copy the string to the debugging output when TLS debugging has
235 info_callback(SSL *s, int where, int ret)
239 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
244 /*************************************************
245 * Initialize for DH *
246 *************************************************/
248 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
251 dhparam DH parameter file
252 host connected host, if client; NULL if server
254 Returns: TRUE if OK (nothing to set up, or setup worked)
258 init_dh(uschar *dhparam, host_item *host)
265 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
268 if (dhexpanded == NULL) return TRUE;
270 if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
272 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
273 host, (uschar *)strerror(errno));
278 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
280 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
286 SSL_CTX_set_tmp_dh(ctx, dh);
288 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
289 dhexpanded, 8*DH_size(dh));
301 /*************************************************
302 * Expand key and cert file specs *
303 *************************************************/
305 /* Called once during tls_init and possibly againt during TLS setup, for a
306 new context, if Server Name Indication was used and tls_sni was seen in
307 the certificate string.
310 sctx the SSL_CTX* to update
311 cbinfo various parts of session state
313 Returns: OK/DEFER/FAIL
317 tls_expand_session_files(SSL_CTX *sctx, const tls_ext_ctx_cb *cbinfo)
321 if (cbinfo->certificate == NULL)
324 if (Ustrstr(cbinfo->certificate, US"tls_sni"))
325 reexpand_tls_files_for_sni = TRUE;
327 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
330 if (expanded != NULL)
332 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
333 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
334 return tls_error(string_sprintf(
335 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
339 if (cbinfo->privatekey != NULL &&
340 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
343 /* If expansion was forced to fail, key_expanded will be NULL. If the result
344 of the expansion is an empty string, ignore it also, and assume the private
345 key is in the same file as the certificate. */
347 if (expanded != NULL && *expanded != 0)
349 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
350 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
351 return tls_error(string_sprintf(
352 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
361 /*************************************************
362 * Callback to handle SNI *
363 *************************************************/
365 /* Called when acting as server during the TLS session setup if a Server Name
366 Indication extension was sent by the client.
368 API documentation is OpenSSL s_server.c implementation.
371 s SSL* of the current session
372 ad unknown (part of OpenSSL API) (unused)
373 arg Callback of "our" registered data
375 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
379 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
380 /* pre-declared for SSL_CTX_set_tlsext_servername_callback call within func */
383 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
385 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
386 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
390 return SSL_TLSEXT_ERR_OK;
392 DEBUG(D_tls) debug_printf("TLS SNI: %s%s\n", servername,
393 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
395 /* Make the extension value available for expansion */
396 tls_sni = servername;
398 if (!reexpand_tls_files_for_sni)
399 return SSL_TLSEXT_ERR_OK;
401 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
402 not confident that memcpy wouldn't break some internal reference counting.
403 Especially since there's a references struct member, which would be off. */
405 ctx_sni = SSL_CTX_new(SSLv23_server_method());
408 ERR_error_string(ERR_get_error(), ssl_errstring);
409 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
410 return SSL_TLSEXT_ERR_NOACK;
413 /* Not sure how many of these are actually needed, since SSL object
414 already exists. Might even need this selfsame callback, for reneg? */
416 SSL_CTX_set_info_callback(ctx_sni, SSL_CTX_get_info_callback(ctx));
417 SSL_CTX_set_mode(ctx_sni, SSL_CTX_get_mode(ctx));
418 SSL_CTX_set_options(ctx_sni, SSL_CTX_get_options(ctx));
419 SSL_CTX_set_timeout(ctx_sni, SSL_CTX_get_timeout(ctx));
420 SSL_CTX_set_tlsext_servername_callback(ctx_sni, tls_servername_cb);
421 SSL_CTX_set_tlsext_servername_arg(ctx_sni, cbinfo);
422 if (cbinfo->server_cipher_list)
423 SSL_CTX_set_cipher_list(ctx_sni, CS cbinfo->server_cipher_list);
425 rc = tls_expand_session_files(ctx_sni, cbinfo);
426 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
428 rc = setup_certs(ctx_sni, tls_verify_certificates, tls_crl, NULL, FALSE);
429 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
431 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
432 SSL_set_SSL_CTX(s, ctx_sni);
434 return SSL_TLSEXT_ERR_OK;
440 /*************************************************
441 * Initialize for TLS *
442 *************************************************/
444 /* Called from both server and client code, to do preliminary initialization of
448 host connected host, if client; NULL if server
449 dhparam DH parameter file
450 certificate certificate file
451 privatekey private key
452 addr address if client; NULL if server (for some randomness)
454 Returns: OK/DEFER/FAIL
458 tls_init(host_item *host, uschar *dhparam, uschar *certificate,
459 uschar *privatekey, address_item *addr)
464 tls_ext_ctx_cb *cbinfo;
466 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
467 cbinfo->certificate = certificate;
468 cbinfo->privatekey = privatekey;
469 cbinfo->dhparam = dhparam;
472 SSL_load_error_strings(); /* basic set up */
473 OpenSSL_add_ssl_algorithms();
475 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
476 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
477 list of available digests. */
478 EVP_add_digest(EVP_sha256());
481 /* Create a context */
483 ctx = SSL_CTX_new((host == NULL)?
484 SSLv23_server_method() : SSLv23_client_method());
486 if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
488 /* It turns out that we need to seed the random number generator this early in
489 order to get the full complement of ciphers to work. It took me roughly a day
490 of work to discover this by experiment.
492 On systems that have /dev/urandom, SSL may automatically seed itself from
493 there. Otherwise, we have to make something up as best we can. Double check
499 gettimeofday(&r.tv, NULL);
502 RAND_seed((uschar *)(&r), sizeof(r));
503 RAND_seed((uschar *)big_buffer, big_buffer_size);
504 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
507 return tls_error(US"RAND_status", host,
508 US"unable to seed random number generator");
511 /* Set up the information callback, which outputs if debugging is at a suitable
514 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
516 /* Automatically re-try reads/writes after renegotiation. */
517 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
519 /* Apply administrator-supplied work-arounds.
520 Historically we applied just one requested option,
521 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
522 moved to an administrator-controlled list of options to specify and
523 grandfathered in the first one as the default value for "openssl_options".
525 No OpenSSL version number checks: the options we accept depend upon the
526 availability of the option value macros from OpenSSL. */
528 okay = tls_openssl_options_parse(openssl_options, &init_options);
530 return tls_error(US"openssl_options parsing failed", host, NULL);
534 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
535 if (!(SSL_CTX_set_options(ctx, init_options)))
536 return tls_error(string_sprintf(
537 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
540 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
542 /* Initialize with DH parameters if supplied */
544 if (!init_dh(dhparam, host)) return DEFER;
546 /* Set up certificate and key */
548 rc = tls_expand_session_files(ctx, cbinfo);
549 if (rc != OK) return rc;
551 /* If we need to handle SNI, do so */
552 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
553 /* We always do this, so that $tls_sni is available even if not used in
555 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
556 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
559 /* Set up the RSA callback */
561 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
563 /* Finally, set the timeout, and we are done */
565 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
566 DEBUG(D_tls) debug_printf("Initialized TLS\n");
568 static_cbinfo = cbinfo;
576 /*************************************************
577 * Get name of cipher in use *
578 *************************************************/
580 /* The answer is left in a static buffer, and tls_cipher is set to point
583 Argument: pointer to an SSL structure for the connection
588 construct_cipher_name(SSL *ssl)
590 static uschar cipherbuf[256];
591 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
592 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
593 the accessor functions use const in the prototype. */
597 switch (ssl->session->ssl_version)
611 #ifdef TLS1_1_VERSION
617 #ifdef TLS1_2_VERSION
627 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
628 SSL_CIPHER_get_bits(c, &tls_bits);
630 string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
631 SSL_CIPHER_get_name(c), tls_bits);
632 tls_cipher = cipherbuf;
634 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
641 /*************************************************
642 * Set up for verifying certificates *
643 *************************************************/
645 /* Called by both client and server startup
648 sctx SSL_CTX* to initialise
649 certs certs file or NULL
651 host NULL in a server; the remote host in a client
652 optional TRUE if called from a server for a host in tls_try_verify_hosts;
653 otherwise passed as FALSE
655 Returns: OK/DEFER/FAIL
659 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional)
661 uschar *expcerts, *expcrl;
663 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
666 if (expcerts != NULL)
669 if (!SSL_CTX_set_default_verify_paths(sctx))
670 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
672 if (Ustat(expcerts, &statbuf) < 0)
674 log_write(0, LOG_MAIN|LOG_PANIC,
675 "failed to stat %s for certificates", expcerts);
681 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
682 { file = NULL; dir = expcerts; }
684 { file = expcerts; dir = NULL; }
686 /* If a certificate file is empty, the next function fails with an
687 unhelpful error message. If we skip it, we get the correct behaviour (no
688 certificates are recognized, but the error message is still misleading (it
689 says no certificate was supplied.) But this is better. */
691 if ((file == NULL || statbuf.st_size > 0) &&
692 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
693 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
697 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
701 /* Handle a certificate revocation list. */
703 #if OPENSSL_VERSION_NUMBER > 0x00907000L
705 /* This bit of code is now the version supplied by Lars Mainka. (I have
706 * merely reformatted it into the Exim code style.)
708 * "From here I changed the code to add support for multiple crl's
709 * in pem format in one file or to support hashed directory entries in
710 * pem format instead of a file. This method now uses the library function
711 * X509_STORE_load_locations to add the CRL location to the SSL context.
712 * OpenSSL will then handle the verify against CA certs and CRLs by
713 * itself in the verify callback." */
715 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
716 if (expcrl != NULL && *expcrl != 0)
718 struct stat statbufcrl;
719 if (Ustat(expcrl, &statbufcrl) < 0)
721 log_write(0, LOG_MAIN|LOG_PANIC,
722 "failed to stat %s for certificates revocation lists", expcrl);
727 /* is it a file or directory? */
729 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
730 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
734 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
740 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
742 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
743 return tls_error(US"X509_STORE_load_locations", host, NULL);
745 /* setting the flags to check against the complete crl chain */
747 X509_STORE_set_flags(cvstore,
748 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
752 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
754 /* If verification is optional, don't fail if no certificate */
756 SSL_CTX_set_verify(sctx,
757 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
766 /*************************************************
767 * Start a TLS session in a server *
768 *************************************************/
770 /* This is called when Exim is running as a server, after having received
771 the STARTTLS command. It must respond to that command, and then negotiate
775 require_ciphers allowed ciphers
776 ------------------------------------------------------
777 require_mac list of allowed MACs ) Not used
778 require_kx list of allowed key_exchange methods ) for
779 require_proto list of allowed protocols ) OpenSSL
780 ------------------------------------------------------
782 Returns: OK on success
783 DEFER for errors before the start of the negotiation
784 FAIL for errors during the negotation; the server can't
789 tls_server_start(uschar *require_ciphers, uschar *require_mac,
790 uschar *require_kx, uschar *require_proto)
794 tls_ext_ctx_cb *cbinfo;
796 /* Check for previous activation */
800 tls_error(US"STARTTLS received after TLS started", NULL, US"");
801 smtp_printf("554 Already in TLS\r\n");
805 /* Initialize the SSL library. If it fails, it will already have logged
808 rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey, NULL);
809 if (rc != OK) return rc;
810 cbinfo = static_cbinfo;
812 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
815 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
816 are separated by underscores. So that I can use either form in my tests, and
817 also for general convenience, we turn underscores into hyphens here. */
819 if (expciphers != NULL)
821 uschar *s = expciphers;
822 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
823 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
824 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
825 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
826 cbinfo->server_cipher_list = expciphers;
829 /* If this is a host for which certificate verification is mandatory or
830 optional, set up appropriately. */
832 tls_certificate_verified = FALSE;
833 verify_callback_called = FALSE;
835 if (verify_check_host(&tls_verify_hosts) == OK)
837 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, FALSE);
838 if (rc != OK) return rc;
839 verify_optional = FALSE;
841 else if (verify_check_host(&tls_try_verify_hosts) == OK)
843 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, TRUE);
844 if (rc != OK) return rc;
845 verify_optional = TRUE;
848 /* Prepare for new connection */
850 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
852 /* Warning: we used to SSL_clear(ssl) here, it was removed.
854 * With the SSL_clear(), we get strange interoperability bugs with
855 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
856 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
858 * The SSL_clear() call is to let an existing SSL* be reused, typically after
859 * session shutdown. In this case, we have a brand new object and there's no
860 * obvious reason to immediately clear it. I'm guessing that this was
861 * originally added because of incomplete initialisation which the clear fixed,
862 * in some historic release.
865 /* Set context and tell client to go ahead, except in the case of TLS startup
866 on connection, where outputting anything now upsets the clients and tends to
867 make them disconnect. We need to have an explicit fflush() here, to force out
868 the response. Other smtp_printf() calls do not need it, because in non-TLS
869 mode, the fflush() happens when smtp_getc() is called. */
871 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
874 smtp_printf("220 TLS go ahead\r\n");
878 /* Now negotiate the TLS session. We put our own timer on it, since it seems
879 that the OpenSSL library doesn't. */
881 SSL_set_wfd(ssl, fileno(smtp_out));
882 SSL_set_rfd(ssl, fileno(smtp_in));
883 SSL_set_accept_state(ssl);
885 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
887 sigalrm_seen = FALSE;
888 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
889 rc = SSL_accept(ssl);
894 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
895 if (ERR_get_error() == 0)
896 log_write(0, LOG_MAIN,
897 "TLS client disconnected cleanly (rejected our certificate?)");
901 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
903 /* TLS has been set up. Adjust the input functions to read via TLS,
904 and initialize things. */
906 construct_cipher_name(ssl);
911 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
912 debug_printf("Shared ciphers: %s\n", buf);
916 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
917 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
918 ssl_xfer_eof = ssl_xfer_error = 0;
920 receive_getc = tls_getc;
921 receive_ungetc = tls_ungetc;
922 receive_feof = tls_feof;
923 receive_ferror = tls_ferror;
924 receive_smtp_buffered = tls_smtp_buffered;
926 tls_active = fileno(smtp_out);
934 /*************************************************
935 * Start a TLS session in a client *
936 *************************************************/
938 /* Called from the smtp transport after STARTTLS has been accepted.
941 fd the fd of the connection
942 host connected host (for messages)
943 addr the first address
944 dhparam DH parameter file
945 certificate certificate file
946 privatekey private key file
947 verify_certs file for certificate verify
948 crl file containing CRL
949 require_ciphers list of allowed ciphers
950 ------------------------------------------------------
951 require_mac list of allowed MACs ) Not used
952 require_kx list of allowed key_exchange methods ) for
953 require_proto list of allowed protocols ) OpenSSL
954 ------------------------------------------------------
955 timeout startup timeout
957 Returns: OK on success
958 FAIL otherwise - note that tls_error() will not give DEFER
959 because this is not a server
963 tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
964 uschar *certificate, uschar *privatekey, uschar *verify_certs, uschar *crl,
965 uschar *require_ciphers, uschar *require_mac, uschar *require_kx,
966 uschar *require_proto, int timeout)
968 static uschar txt[256];
973 rc = tls_init(host, dhparam, certificate, privatekey, addr);
974 if (rc != OK) return rc;
976 tls_certificate_verified = FALSE;
977 verify_callback_called = FALSE;
979 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
982 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
983 are separated by underscores. So that I can use either form in my tests, and
984 also for general convenience, we turn underscores into hyphens here. */
986 if (expciphers != NULL)
988 uschar *s = expciphers;
989 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
990 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
991 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
992 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
995 rc = setup_certs(ctx, verify_certs, crl, host, FALSE);
996 if (rc != OK) return rc;
998 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
999 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1000 SSL_set_fd(ssl, fd);
1001 SSL_set_connect_state(ssl);
1003 /* There doesn't seem to be a built-in timeout on connection. */
1005 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1006 sigalrm_seen = FALSE;
1008 rc = SSL_connect(ssl);
1012 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
1014 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1016 /* Beware anonymous ciphers which lead to server_cert being NULL */
1017 server_cert = SSL_get_peer_certificate (ssl);
1020 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
1021 CS txt, sizeof(txt));
1027 construct_cipher_name(ssl); /* Sets tls_cipher */
1037 /*************************************************
1038 * TLS version of getc *
1039 *************************************************/
1041 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
1042 it refills the buffer via the SSL reading function.
1045 Returns: the next character or EOF
1051 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1056 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1057 ssl_xfer_buffer, ssl_xfer_buffer_size);
1059 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1060 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1061 error = SSL_get_error(ssl, inbytes);
1064 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1065 closed down, not that the socket itself has been closed down. Revert to
1066 non-SSL handling. */
1068 if (error == SSL_ERROR_ZERO_RETURN)
1070 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1072 receive_getc = smtp_getc;
1073 receive_ungetc = smtp_ungetc;
1074 receive_feof = smtp_feof;
1075 receive_ferror = smtp_ferror;
1076 receive_smtp_buffered = smtp_buffered;
1087 /* Handle genuine errors */
1089 else if (error == SSL_ERROR_SSL)
1091 ERR_error_string(ERR_get_error(), ssl_errstring);
1092 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
1097 else if (error != SSL_ERROR_NONE)
1099 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1104 #ifndef DISABLE_DKIM
1105 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1107 ssl_xfer_buffer_hwm = inbytes;
1108 ssl_xfer_buffer_lwm = 0;
1111 /* Something in the buffer; return next uschar */
1113 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1118 /*************************************************
1119 * Read bytes from TLS channel *
1120 *************************************************/
1127 Returns: the number of bytes read
1128 -1 after a failed read
1132 tls_read(uschar *buff, size_t len)
1137 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1138 buff, (unsigned int)len);
1140 inbytes = SSL_read(ssl, CS buff, len);
1141 error = SSL_get_error(ssl, inbytes);
1143 if (error == SSL_ERROR_ZERO_RETURN)
1145 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1148 else if (error != SSL_ERROR_NONE)
1160 /*************************************************
1161 * Write bytes down TLS channel *
1162 *************************************************/
1169 Returns: the number of bytes after a successful write,
1170 -1 after a failed write
1174 tls_write(const uschar *buff, size_t len)
1180 DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
1183 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
1184 outbytes = SSL_write(ssl, CS buff, left);
1185 error = SSL_get_error(ssl, outbytes);
1186 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1190 ERR_error_string(ERR_get_error(), ssl_errstring);
1191 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1194 case SSL_ERROR_NONE:
1199 case SSL_ERROR_ZERO_RETURN:
1200 log_write(0, LOG_MAIN, "SSL channel closed on write");
1204 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1213 /*************************************************
1214 * Close down a TLS session *
1215 *************************************************/
1217 /* This is also called from within a delivery subprocess forked from the
1218 daemon, to shut down the TLS library, without actually doing a shutdown (which
1219 would tamper with the SSL session in the parent process).
1221 Arguments: TRUE if SSL_shutdown is to be called
1226 tls_close(BOOL shutdown)
1228 if (tls_active < 0) return; /* TLS was not active */
1232 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1245 /*************************************************
1246 * Report the library versions. *
1247 *************************************************/
1249 /* There have historically been some issues with binary compatibility in
1250 OpenSSL libraries; if Exim (like many other applications) is built against
1251 one version of OpenSSL but the run-time linker picks up another version,
1252 it can result in serious failures, including crashing with a SIGSEGV. So
1253 report the version found by the compiler and the run-time version.
1255 Arguments: a FILE* to print the results to
1260 tls_version_report(FILE *f)
1262 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1264 OPENSSL_VERSION_TEXT,
1265 SSLeay_version(SSLEAY_VERSION));
1271 /*************************************************
1272 * Pseudo-random number generation *
1273 *************************************************/
1275 /* Pseudo-random number generation. The result is not expected to be
1276 cryptographically strong but not so weak that someone will shoot themselves
1277 in the foot using it as a nonce in input in some email header scheme or
1278 whatever weirdness they'll twist this into. The result should handle fork()
1279 and avoid repeating sequences. OpenSSL handles that for us.
1283 Returns a random number in range [0, max-1]
1287 pseudo_random_number(int max)
1292 uschar smallbuf[sizeof(r)];
1297 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1301 gettimeofday(&r.tv, NULL);
1304 RAND_seed((uschar *)(&r), sizeof(r));
1306 /* We're after pseudo-random, not random; if we still don't have enough data
1307 in the internal PRNG then our options are limited. We could sleep and hope
1308 for entropy to come along (prayer technique) but if the system is so depleted
1309 in the first place then something is likely to just keep taking it. Instead,
1310 we'll just take whatever little bit of pseudo-random we can still manage to
1313 needed_len = sizeof(r);
1314 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
1315 asked for a number less than 10. */
1316 for (r = max, i = 0; r; ++i)
1322 /* We do not care if crypto-strong */
1323 (void) RAND_pseudo_bytes(smallbuf, needed_len);
1325 for (p = smallbuf; needed_len; --needed_len, ++p)
1331 /* We don't particularly care about weighted results; if someone wants
1332 smooth distribution and cares enough then they should submit a patch then. */
1339 /*************************************************
1340 * OpenSSL option parse *
1341 *************************************************/
1343 /* Parse one option for tls_openssl_options_parse below
1346 name one option name
1347 value place to store a value for it
1348 Returns success or failure in parsing
1351 struct exim_openssl_option {
1355 /* We could use a macro to expand, but we need the ifdef and not all the
1356 options document which version they were introduced in. Policylet: include
1357 all options unless explicitly for DTLS, let the administrator choose which
1360 This list is current as of:
1362 static struct exim_openssl_option exim_openssl_options[] = {
1363 /* KEEP SORTED ALPHABETICALLY! */
1365 { US"all", SSL_OP_ALL },
1367 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
1368 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
1370 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
1371 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
1373 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1374 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
1376 #ifdef SSL_OP_EPHEMERAL_RSA
1377 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
1379 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
1380 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
1382 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
1383 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
1385 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
1386 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
1388 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
1389 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
1391 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
1392 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
1394 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1395 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
1397 #ifdef SSL_OP_NO_COMPRESSION
1398 { US"no_compression", SSL_OP_NO_COMPRESSION },
1400 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1401 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
1403 #ifdef SSL_OP_NO_SSLv2
1404 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1406 #ifdef SSL_OP_NO_SSLv3
1407 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1409 #ifdef SSL_OP_NO_TICKET
1410 { US"no_ticket", SSL_OP_NO_TICKET },
1412 #ifdef SSL_OP_NO_TLSv1
1413 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1415 #ifdef SSL_OP_NO_TLSv1_1
1416 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
1417 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1418 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1420 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1423 #ifdef SSL_OP_NO_TLSv1_2
1424 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1426 #ifdef SSL_OP_SINGLE_DH_USE
1427 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
1429 #ifdef SSL_OP_SINGLE_ECDH_USE
1430 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
1432 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
1433 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
1435 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
1436 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
1438 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
1439 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
1441 #ifdef SSL_OP_TLS_D5_BUG
1442 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
1444 #ifdef SSL_OP_TLS_ROLLBACK_BUG
1445 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
1448 static int exim_openssl_options_size =
1449 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1453 tls_openssl_one_option_parse(uschar *name, long *value)
1456 int last = exim_openssl_options_size;
1457 while (last > first)
1459 int middle = (first + last)/2;
1460 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1463 *value = exim_openssl_options[middle].value;
1477 /*************************************************
1478 * OpenSSL option parsing logic *
1479 *************************************************/
1481 /* OpenSSL has a number of compatibility options which an administrator might
1482 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1483 we look like log_selector.
1486 option_spec the administrator-supplied string of options
1487 results ptr to long storage for the options bitmap
1488 Returns success or failure
1492 tls_openssl_options_parse(uschar *option_spec, long *results)
1497 BOOL adding, item_parsed;
1500 /* Prior to 4.78 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
1501 * from default because it increases BEAST susceptibility. */
1503 if (option_spec == NULL)
1509 for (s=option_spec; *s != '\0'; /**/)
1511 while (isspace(*s)) ++s;
1514 if (*s != '+' && *s != '-')
1516 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
1517 "+ or - expected but found \"%s\"\n", s);
1520 adding = *s++ == '+';
1521 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1524 item_parsed = tls_openssl_one_option_parse(s, &item);
1527 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
1530 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1531 adding ? "adding" : "removing", result, item, s);
1544 /* End of tls-openssl.c */