1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
29 # include <openssl/ocsp.h>
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
44 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
45 # define EXIM_HAVE_RSA_GENKEY_EX
47 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
48 # define EXIM_HAVE_OCSP_RESP_COUNT
50 # define EXIM_HAVE_EPHEM_RSA_KEX
51 # define EXIM_HAVE_RAND_PSEUDO
53 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54 # define EXIM_HAVE_SHA256
57 /* X509_check_host provides sane certificate hostname checking, but was added
58 to OpenSSL late, after other projects forked off the code-base. So in
59 addition to guarding against the base version number, beware that LibreSSL
60 does not (at this time) support this function.
62 If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63 opt to disentangle and ask a LibreSSL user to provide glue for a third
64 crypto provider for libtls instead of continuing to tie the OpenSSL glue
65 into even twistier knots. If LibreSSL gains the same API, we can just
66 change this guard and punt the issue for a while longer. */
68 #ifndef LIBRESSL_VERSION_NUMBER
69 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
70 # define EXIM_HAVE_OPENSSL_CHECKHOST
71 # define EXIM_HAVE_OPENSSL_DH_BITS
72 # define EXIM_HAVE_OPENSSL_TLS_METHOD
73 # define EXIM_HAVE_OPENSSL_KEYLOG
75 # define EXIM_NEED_OPENSSL_INIT
77 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
78 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
79 # define EXIM_HAVE_OPENSSL_CHECKHOST
83 #if !defined(LIBRESSL_VERSION_NUMBER) \
84 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
85 # if !defined(OPENSSL_NO_ECDH)
86 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
87 # define EXIM_HAVE_ECDH
89 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
90 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
95 #ifndef LIBRESSL_VERSION_NUMBER
96 # if OPENSSL_VERSION_NUMBER >= 0x010101000L
97 # define OPENSSL_HAVE_KEYLOG_CB
98 # define OPENSSL_HAVE_NUM_TICKETS
102 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
103 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
104 # define DISABLE_OCSP
107 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
108 # include <openssl/x509v3.h>
111 /*************************************************
112 * OpenSSL option parse *
113 *************************************************/
115 typedef struct exim_openssl_option {
118 } exim_openssl_option;
119 /* We could use a macro to expand, but we need the ifdef and not all the
120 options document which version they were introduced in. Policylet: include
121 all options unless explicitly for DTLS, let the administrator choose which
124 This list is current as of:
126 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
127 Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
129 static exim_openssl_option exim_openssl_options[] = {
130 /* KEEP SORTED ALPHABETICALLY! */
132 { US"all", SSL_OP_ALL },
134 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
135 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
137 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
138 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
140 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
141 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
143 #ifdef SSL_OP_EPHEMERAL_RSA
144 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
146 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
147 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
149 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
150 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
152 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
153 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
155 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
156 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
158 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
159 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
161 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
162 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
164 #ifdef SSL_OP_NO_COMPRESSION
165 { US"no_compression", SSL_OP_NO_COMPRESSION },
167 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
168 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
170 #ifdef SSL_OP_NO_SSLv2
171 { US"no_sslv2", SSL_OP_NO_SSLv2 },
173 #ifdef SSL_OP_NO_SSLv3
174 { US"no_sslv3", SSL_OP_NO_SSLv3 },
176 #ifdef SSL_OP_NO_TICKET
177 { US"no_ticket", SSL_OP_NO_TICKET },
179 #ifdef SSL_OP_NO_TLSv1
180 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
182 #ifdef SSL_OP_NO_TLSv1_1
183 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
184 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
185 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
187 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
190 #ifdef SSL_OP_NO_TLSv1_2
191 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
193 #ifdef SSL_OP_NO_TLSv1_3
194 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
196 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
197 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
199 #ifdef SSL_OP_SINGLE_DH_USE
200 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
202 #ifdef SSL_OP_SINGLE_ECDH_USE
203 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
205 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
206 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
208 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
209 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
211 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
212 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
214 #ifdef SSL_OP_TLS_D5_BUG
215 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
217 #ifdef SSL_OP_TLS_ROLLBACK_BUG
218 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
223 static int exim_openssl_options_size = nelem(exim_openssl_options);
232 for (struct exim_openssl_option * o = exim_openssl_options;
233 o < exim_openssl_options + nelem(exim_openssl_options); o++)
235 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
236 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
238 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
239 builtin_macro_create(buf);
244 /******************************************************************************/
246 /* Structure for collecting random data for seeding. */
248 typedef struct randstuff {
253 /* Local static variables */
255 static BOOL client_verify_callback_called = FALSE;
256 static BOOL server_verify_callback_called = FALSE;
257 static const uschar *sid_ctx = US"exim";
259 /* We have three different contexts to care about.
261 Simple case: client, `client_ctx`
262 As a client, we can be doing a callout or cut-through delivery while receiving
263 a message. So we have a client context, which should have options initialised
264 from the SMTP Transport. We may also concurrently want to make TLS connections
265 to utility daemons, so client-contexts are allocated and passed around in call
266 args rather than using a gobal.
269 There are two cases: with and without ServerNameIndication from the client.
270 Given TLS SNI, we can be using different keys, certs and various other
271 configuration settings, because they're re-expanded with $tls_sni set. This
272 allows vhosting with TLS. This SNI is sent in the handshake.
273 A client might not send SNI, so we need a fallback, and an initial setup too.
274 So as a server, we start out using `server_ctx`.
275 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
276 `server_sni` from `server_ctx` and then initialise settings by re-expanding
283 } exim_openssl_client_tls_ctx;
285 static SSL_CTX *server_ctx = NULL;
286 static SSL *server_ssl = NULL;
288 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
289 static SSL_CTX *server_sni = NULL;
292 static char ssl_errstring[256];
294 static int ssl_session_timeout = 200;
295 static BOOL client_verify_optional = FALSE;
296 static BOOL server_verify_optional = FALSE;
298 static BOOL reexpand_tls_files_for_sni = FALSE;
301 typedef struct tls_ext_ctx_cb {
306 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
310 uschar *file_expanded;
311 OCSP_RESPONSE *response;
314 X509_STORE *verify_store; /* non-null if status requested */
315 BOOL verify_required;
320 /* these are cached from first expand */
321 uschar *server_cipher_list;
322 /* only passed down to tls_error: */
324 const uschar * verify_cert_hostnames;
325 #ifndef DISABLE_EVENT
326 uschar * event_action;
330 /* should figure out a cleanup of API to handle state preserved per
331 implementation, for various reasons, which can be void * in the APIs.
332 For now, we hack around it. */
333 tls_ext_ctx_cb *client_static_cbinfo = NULL;
334 tls_ext_ctx_cb *server_static_cbinfo = NULL;
337 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
338 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
341 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
342 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
345 static int tls_server_stapling_cb(SSL *s, void *arg);
349 /*************************************************
351 *************************************************/
353 /* Called from lots of places when errors occur before actually starting to do
354 the TLS handshake, that is, while the session is still in clear. Always returns
355 DEFER for a server and FAIL for a client so that most calls can use "return
356 tls_error(...)" to do this processing and then give an appropriate return. A
357 single function is used for both server and client, because it is called from
358 some shared functions.
361 prefix text to include in the logged error
362 host NULL if setting up a server;
363 the connected host if setting up a client
364 msg error message or NULL if we should ask OpenSSL
365 errstr pointer to output error message
367 Returns: OK/DEFER/FAIL
371 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
375 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
376 msg = US ssl_errstring;
379 msg = string_sprintf("(%s): %s", prefix, msg);
380 DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
381 if (errstr) *errstr = msg;
382 return host ? FAIL : DEFER;
387 /*************************************************
388 * Callback to generate RSA key *
389 *************************************************/
393 s SSL connection (not used)
397 Returns: pointer to generated key
401 rsa_callback(SSL *s, int export, int keylength)
404 #ifdef EXIM_HAVE_RSA_GENKEY_EX
405 BIGNUM *bn = BN_new();
408 export = export; /* Shut picky compilers up */
409 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
411 #ifdef EXIM_HAVE_RSA_GENKEY_EX
412 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
413 || !(rsa_key = RSA_new())
414 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
417 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
421 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
422 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
434 x509_store_dump_cert_s_names(X509_STORE * store)
436 STACK_OF(X509_OBJECT) * roots= store->objs;
437 static uschar name[256];
439 for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
441 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
442 if(tmp_obj->type == X509_LU_X509)
444 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
445 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
447 name[sizeof(name)-1] = '\0';
448 debug_printf(" %s\n", name);
457 #ifndef DISABLE_EVENT
459 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
460 BOOL *calledp, const BOOL *optionalp, const uschar * what)
466 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
469 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
470 old_cert = tlsp->peercert;
471 tlsp->peercert = X509_dup(cert);
472 /* NB we do not bother setting peerdn */
473 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
475 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
476 "depth=%d cert=%s: %s",
477 tlsp == &tls_out ? deliver_host_address : sender_host_address,
478 what, depth, dn, yield);
482 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
483 return 1; /* reject (leaving peercert set) */
485 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
486 "(host in tls_try_verify_hosts)\n");
488 X509_free(tlsp->peercert);
489 tlsp->peercert = old_cert;
495 /*************************************************
496 * Callback for verification *
497 *************************************************/
499 /* The SSL library does certificate verification if set up to do so. This
500 callback has the current yes/no state is in "state". If verification succeeded,
501 we set the certificate-verified flag. If verification failed, what happens
502 depends on whether the client is required to present a verifiable certificate
505 If verification is optional, we change the state to yes, but still log the
506 verification error. For some reason (it really would help to have proper
507 documentation of OpenSSL), this callback function then gets called again, this
508 time with state = 1. We must take care not to set the private verified flag on
509 the second time through.
511 Note: this function is not called if the client fails to present a certificate
512 when asked. We get here only if a certificate has been received. Handling of
513 optional verification for this case is done when requesting SSL to verify, by
514 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
516 May be called multiple times for different issues with a certificate, even
517 for a given "depth" in the certificate chain.
520 preverify_ok current yes/no state as 1/0
521 x509ctx certificate information.
522 tlsp per-direction (client vs. server) support data
523 calledp has-been-called flag
524 optionalp verification-is-optional flag
526 Returns: 0 if verification should fail, otherwise 1
530 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
531 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
533 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
534 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
537 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
539 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
540 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
541 tlsp == &tls_out ? deliver_host_address : sender_host_address);
544 dn[sizeof(dn)-1] = '\0';
546 if (preverify_ok == 0)
548 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
549 *verify_mode, sender_host_address)
551 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
552 tlsp == &tls_out ? deliver_host_address : sender_host_address,
554 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
559 tlsp->peercert = X509_dup(cert); /* record failing cert */
560 return 0; /* reject */
562 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
563 "tls_try_verify_hosts)\n");
568 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
570 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
571 { /* client, wanting stapling */
572 /* Add the server cert's signing chain as the one
573 for the verification of the OCSP stapled information. */
575 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
578 sk_X509_push(client_static_cbinfo->verify_stack, cert);
581 #ifndef DISABLE_EVENT
582 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
583 return 0; /* reject, with peercert set */
588 const uschar * verify_cert_hostnames;
590 if ( tlsp == &tls_out
591 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
592 /* client, wanting hostname check */
595 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
596 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
597 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
599 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
600 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
603 const uschar * list = verify_cert_hostnames;
606 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
607 if ((rc = X509_check_host(cert, CCS name, 0,
608 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
609 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
614 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
615 tlsp == &tls_out ? deliver_host_address : sender_host_address);
622 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
625 uschar * extra = verify_mode
626 ? string_sprintf(" (during %c-verify for [%s])",
627 *verify_mode, sender_host_address)
629 log_write(0, LOG_MAIN,
630 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
631 tlsp == &tls_out ? deliver_host_address : sender_host_address,
632 extra, dn, verify_cert_hostnames);
637 tlsp->peercert = X509_dup(cert); /* record failing cert */
638 return 0; /* reject */
640 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
641 "tls_try_verify_hosts)\n");
645 #ifndef DISABLE_EVENT
646 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
647 return 0; /* reject, with peercert set */
650 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
651 *calledp ? "" : " authenticated", dn);
652 if (!*calledp) tlsp->certificate_verified = TRUE;
656 return 1; /* accept, at least for this level */
660 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
662 return verify_callback(preverify_ok, x509ctx, &tls_out,
663 &client_verify_callback_called, &client_verify_optional);
667 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
669 return verify_callback(preverify_ok, x509ctx, &tls_in,
670 &server_verify_callback_called, &server_verify_optional);
676 /* This gets called *by* the dane library verify callback, which interposes
680 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
682 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
684 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
685 #ifndef DISABLE_EVENT
686 BOOL dummy_called, optional = FALSE;
689 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
691 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
692 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
693 deliver_host_address);
696 dn[sizeof(dn)-1] = '\0';
698 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
699 preverify_ok ? "ok":"BAD", depth, dn);
701 #ifndef DISABLE_EVENT
702 if (verify_event(&tls_out, cert, depth, dn,
703 &dummy_called, &optional, US"DANE"))
704 return 0; /* reject, with peercert set */
707 if (preverify_ok == 1)
709 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
711 if (client_static_cbinfo->u_ocsp.client.verify_store)
712 { /* client, wanting stapling */
713 /* Add the server cert's signing chain as the one
714 for the verification of the OCSP stapled information. */
716 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
719 sk_X509_push(client_static_cbinfo->verify_stack, cert);
725 int err = X509_STORE_CTX_get_error(x509ctx);
727 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
728 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
734 #endif /*SUPPORT_DANE*/
737 /*************************************************
738 * Information callback *
739 *************************************************/
741 /* The SSL library functions call this from time to time to indicate what they
742 are doing. We copy the string to the debugging output when TLS debugging has
754 info_callback(SSL *s, int where, int ret)
760 if (where & SSL_ST_CONNECT)
761 str = US"SSL_connect";
762 else if (where & SSL_ST_ACCEPT)
763 str = US"SSL_accept";
765 str = US"SSL info (undefined)";
767 if (where & SSL_CB_LOOP)
768 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
769 else if (where & SSL_CB_ALERT)
770 debug_printf("SSL3 alert %s:%s:%s\n",
771 str = where & SSL_CB_READ ? US"read" : US"write",
772 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
773 else if (where & SSL_CB_EXIT)
775 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
777 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
778 else if (where & SSL_CB_HANDSHAKE_START)
779 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
780 else if (where & SSL_CB_HANDSHAKE_DONE)
781 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
786 keylog_callback(const SSL *ssl, const char *line)
788 DEBUG(D_tls) debug_printf("%.200s\n", line);
793 /*************************************************
794 * Initialize for DH *
795 *************************************************/
797 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
800 sctx The current SSL CTX (inbound or outbound)
801 dhparam DH parameter file or fixed parameter identity string
802 host connected host, if client; NULL if server
803 errstr error string pointer
805 Returns: TRUE if OK (nothing to set up, or setup worked)
809 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
817 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
820 if (!dhexpanded || !*dhexpanded)
821 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
822 else if (dhexpanded[0] == '/')
824 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
826 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
827 host, US strerror(errno), errstr);
833 if (Ustrcmp(dhexpanded, "none") == 0)
835 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
839 if (!(pem = std_dh_prime_named(dhexpanded)))
841 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
842 host, US strerror(errno), errstr);
845 bio = BIO_new_mem_buf(CS pem, -1);
848 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
851 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
856 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
857 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
858 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
859 * If someone wants to dance at the edge, then they can raise the limit or use
860 * current libraries. */
861 #ifdef EXIM_HAVE_OPENSSL_DH_BITS
862 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
863 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
864 dh_bitsize = DH_bits(dh);
866 dh_bitsize = 8 * DH_size(dh);
869 /* Even if it is larger, we silently return success rather than cause things
870 * to fail out, so that a too-large DH will not knock out all TLS; it's a
871 * debatable choice. */
872 if (dh_bitsize > tls_dh_max_bits)
875 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
876 dh_bitsize, tls_dh_max_bits);
880 SSL_CTX_set_tmp_dh(sctx, dh);
882 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
883 dhexpanded ? dhexpanded : US"default", dh_bitsize);
895 /*************************************************
896 * Initialize for ECDH *
897 *************************************************/
899 /* Load parameters for ECDH encryption.
901 For now, we stick to NIST P-256 because: it's simple and easy to configure;
902 it avoids any patent issues that might bite redistributors; despite events in
903 the news and concerns over curve choices, we're not cryptographers, we're not
904 pretending to be, and this is "good enough" to be better than no support,
905 protecting against most adversaries. Given another year or two, there might
906 be sufficient clarity about a "right" way forward to let us make an informed
907 decision, instead of a knee-jerk reaction.
909 Longer-term, we should look at supporting both various named curves and
910 external files generated with "openssl ecparam", much as we do for init_dh().
911 We should also support "none" as a value, to explicitly avoid initialisation.
916 sctx The current SSL CTX (inbound or outbound)
917 host connected host, if client; NULL if server
918 errstr error string pointer
920 Returns: TRUE if OK (nothing to set up, or setup worked)
924 init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
926 #ifdef OPENSSL_NO_ECDH
935 if (host) /* No ECDH setup for clients, only for servers */
938 # ifndef EXIM_HAVE_ECDH
940 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
944 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
946 if (!exp_curve || !*exp_curve)
949 /* "auto" needs to be handled carefully.
950 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
951 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
952 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
953 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
954 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
956 if (Ustrcmp(exp_curve, "auto") == 0)
958 #if OPENSSL_VERSION_NUMBER < 0x10002000L
959 DEBUG(D_tls) debug_printf(
960 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
961 exp_curve = US"prime256v1";
963 # if defined SSL_CTRL_SET_ECDH_AUTO
964 DEBUG(D_tls) debug_printf(
965 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
966 SSL_CTX_set_ecdh_auto(sctx, 1);
969 DEBUG(D_tls) debug_printf(
970 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
976 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
977 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
978 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
979 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
983 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
988 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
990 tls_error(US"Unable to create ec curve", host, NULL, errstr);
994 /* The "tmp" in the name here refers to setting a temporary key
995 not to the stability of the interface. */
997 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
998 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
1000 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1005 # endif /*EXIM_HAVE_ECDH*/
1006 #endif /*OPENSSL_NO_ECDH*/
1012 #ifndef DISABLE_OCSP
1013 /*************************************************
1014 * Load OCSP information into state *
1015 *************************************************/
1016 /* Called to load the server OCSP response from the given file into memory, once
1017 caller has determined this is needed. Checks validity. Debugs a message
1020 ASSUMES: single response, for single cert.
1023 sctx the SSL_CTX* to update
1024 cbinfo various parts of session state
1025 expanded the filename putatively holding an OCSP response
1030 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
1033 OCSP_RESPONSE * resp;
1034 OCSP_BASICRESP * basic_response;
1035 OCSP_SINGLERESP * single_response;
1036 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1037 STACK_OF(X509) * sk;
1038 unsigned long verify_flags;
1039 int status, reason, i;
1041 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1042 if (cbinfo->u_ocsp.server.response)
1044 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1045 cbinfo->u_ocsp.server.response = NULL;
1048 if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
1050 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
1051 cbinfo->u_ocsp.server.file_expanded);
1055 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1059 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1063 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1065 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1066 OCSP_response_status_str(status), status);
1070 if (!(basic_response = OCSP_response_get1_basic(resp)))
1073 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1077 sk = cbinfo->verify_stack;
1078 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1080 /* May need to expose ability to adjust those flags?
1081 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1082 OCSP_TRUSTOTHER OCSP_NOINTERN */
1084 /* This does a full verify on the OCSP proof before we load it for serving
1085 up; possibly overkill - just date-checks might be nice enough.
1087 OCSP_basic_verify takes a "store" arg, but does not
1088 use it for the chain verification, which is all we do
1089 when OCSP_NOVERIFY is set. The content from the wire
1090 "basic_response" and a cert-stack "sk" are all that is used.
1092 We have a stack, loaded in setup_certs() if tls_verify_certificates
1093 was a file (not a directory, or "system"). It is unfortunate we
1094 cannot used the connection context store, as that would neatly
1095 handle the "system" case too, but there seems to be no library
1096 function for getting a stack from a store.
1097 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1098 We do not free the stack since it could be needed a second time for
1101 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1102 be a public interface into the OpenSSL library (there's no manual entry) -
1103 But what with? We also use OCSP_basic_verify in the client stapling callback.
1104 And there we NEED it; we must verify that status... unless the
1105 library does it for us anyway? */
1107 if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
1111 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1112 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
1117 /* Here's the simplifying assumption: there's only one response, for the
1118 one certificate we use, and nothing for anything else in a chain. If this
1119 proves false, we need to extract a cert id from our issued cert
1120 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1121 right cert in the stack and then calls OCSP_single_get0_status()).
1123 I'm hoping to avoid reworking a bunch more of how we handle state here. */
1125 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1128 debug_printf("Unable to get first response from OCSP basic response.\n");
1132 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1133 if (status != V_OCSP_CERTSTATUS_GOOD)
1135 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1136 OCSP_cert_status_str(status), status,
1137 OCSP_crl_reason_str(reason), reason);
1141 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1143 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
1148 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
1152 if (f.running_in_test_harness)
1154 extern char ** environ;
1155 if (environ) for (uschar ** p = USS environ; *p; p++)
1156 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1158 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1159 goto supply_response;
1164 #endif /*!DISABLE_OCSP*/
1169 /* Create and install a selfsigned certificate, for use in server mode */
1172 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
1180 where = US"allocating pkey";
1181 if (!(pkey = EVP_PKEY_new()))
1184 where = US"allocating cert";
1185 if (!(x509 = X509_new()))
1188 where = US"generating pkey";
1189 if (!(rsa = rsa_callback(NULL, 0, 2048)))
1192 where = US"assigning pkey";
1193 if (!EVP_PKEY_assign_RSA(pkey, rsa))
1196 X509_set_version(x509, 2); /* N+1 - version 3 */
1197 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
1198 X509_gmtime_adj(X509_get_notBefore(x509), 0);
1199 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1200 X509_set_pubkey(x509, pkey);
1202 name = X509_get_subject_name(x509);
1203 X509_NAME_add_entry_by_txt(name, "C",
1204 MBSTRING_ASC, CUS "UK", -1, -1, 0);
1205 X509_NAME_add_entry_by_txt(name, "O",
1206 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
1207 X509_NAME_add_entry_by_txt(name, "CN",
1208 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1209 X509_set_issuer_name(x509, name);
1211 where = US"signing cert";
1212 if (!X509_sign(x509, pkey, EVP_md5()))
1215 where = US"installing selfsign cert";
1216 if (!SSL_CTX_use_certificate(sctx, x509))
1219 where = US"installing selfsign key";
1220 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1226 (void) tls_error(where, NULL, NULL, errstr);
1227 if (x509) X509_free(x509);
1228 if (pkey) EVP_PKEY_free(pkey);
1236 tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1239 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1240 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1241 return tls_error(string_sprintf(
1242 "SSL_CTX_use_certificate_chain_file file=%s", file),
1243 cbinfo->host, NULL, errstr);
1248 tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1251 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1252 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1253 return tls_error(string_sprintf(
1254 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1259 /*************************************************
1260 * Expand key and cert file specs *
1261 *************************************************/
1263 /* Called once during tls_init and possibly again during TLS setup, for a
1264 new context, if Server Name Indication was used and tls_sni was seen in
1265 the certificate string.
1268 sctx the SSL_CTX* to update
1269 cbinfo various parts of session state
1270 errstr error string pointer
1272 Returns: OK/DEFER/FAIL
1276 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1281 if (!cbinfo->certificate)
1283 if (!cbinfo->is_server) /* client */
1286 if (tls_install_selfsign(sctx, errstr) != OK)
1293 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1294 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1295 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1297 reexpand_tls_files_for_sni = TRUE;
1299 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1303 if (cbinfo->is_server)
1305 const uschar * file_list = expanded;
1309 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1310 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1313 else /* would there ever be a need for multiple client certs? */
1314 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1317 if ( cbinfo->privatekey
1318 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1321 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1322 of the expansion is an empty string, ignore it also, and assume the private
1323 key is in the same file as the certificate. */
1325 if (expanded && *expanded)
1326 if (cbinfo->is_server)
1328 const uschar * file_list = expanded;
1332 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1333 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1336 else /* would there ever be a need for multiple client certs? */
1337 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1341 #ifndef DISABLE_OCSP
1342 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1345 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
1348 if (expanded && *expanded)
1350 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1351 if ( cbinfo->u_ocsp.server.file_expanded
1352 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1354 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1357 ocsp_load_response(sctx, cbinfo, expanded);
1368 /*************************************************
1369 * Callback to handle SNI *
1370 *************************************************/
1372 /* Called when acting as server during the TLS session setup if a Server Name
1373 Indication extension was sent by the client.
1375 API documentation is OpenSSL s_server.c implementation.
1378 s SSL* of the current session
1379 ad unknown (part of OpenSSL API) (unused)
1380 arg Callback of "our" registered data
1382 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1385 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1387 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1389 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1390 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1392 int old_pool = store_pool;
1393 uschar * dummy_errstr;
1396 return SSL_TLSEXT_ERR_OK;
1398 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1399 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1401 /* Make the extension value available for expansion */
1402 store_pool = POOL_PERM;
1403 tls_in.sni = string_copy(US servername);
1404 store_pool = old_pool;
1406 if (!reexpand_tls_files_for_sni)
1407 return SSL_TLSEXT_ERR_OK;
1409 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1410 not confident that memcpy wouldn't break some internal reference counting.
1411 Especially since there's a references struct member, which would be off. */
1413 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1414 if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1416 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1419 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1420 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1424 /* Not sure how many of these are actually needed, since SSL object
1425 already exists. Might even need this selfsame callback, for reneg? */
1427 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1428 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1429 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1430 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1431 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1432 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1434 if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1435 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1439 if ( cbinfo->server_cipher_list
1440 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
1443 #ifndef DISABLE_OCSP
1444 if (cbinfo->u_ocsp.server.file)
1446 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1447 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1451 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1452 verify_callback_server, &dummy_errstr)) != OK)
1455 /* do this after setup_certs, because this can require the certs for verifying
1456 OCSP information. */
1457 if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1460 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1461 SSL_set_SSL_CTX(s, server_sni);
1462 return SSL_TLSEXT_ERR_OK;
1464 bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
1466 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1471 #ifndef DISABLE_OCSP
1473 /*************************************************
1474 * Callback to handle OCSP Stapling *
1475 *************************************************/
1477 /* Called when acting as server during the TLS session setup if the client
1478 requests OCSP information with a Certificate Status Request.
1480 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1486 tls_server_stapling_cb(SSL *s, void *arg)
1488 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1489 uschar *response_der; /*XXX blob */
1490 int response_der_len;
1492 /*XXX stack: use SSL_get_certificate() to see which cert; from that work
1493 out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1494 buggy in current OpenSSL; it returns the last cert loaded always rather than
1495 the one actually presented. So we can't support a stack of OCSP proofs at
1499 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1500 cbinfo->u_ocsp.server.response ? "have" : "lack");
1502 tls_in.ocsp = OCSP_NOT_RESP;
1503 if (!cbinfo->u_ocsp.server.response)
1504 return SSL_TLSEXT_ERR_NOACK;
1506 response_der = NULL;
1507 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
1509 if (response_der_len <= 0)
1510 return SSL_TLSEXT_ERR_NOACK;
1512 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1513 tls_in.ocsp = OCSP_VFIED;
1514 return SSL_TLSEXT_ERR_OK;
1519 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1521 BIO_printf(bp, "\t%s: ", str);
1522 ASN1_GENERALIZEDTIME_print(bp, time);
1527 tls_client_stapling_cb(SSL *s, void *arg)
1529 tls_ext_ctx_cb * cbinfo = arg;
1530 const unsigned char * p;
1532 OCSP_RESPONSE * rsp;
1533 OCSP_BASICRESP * bs;
1536 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1537 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1540 /* Expect this when we requested ocsp but got none */
1541 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1542 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1544 DEBUG(D_tls) debug_printf(" null\n");
1545 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1548 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1550 tls_out.ocsp = OCSP_FAILED;
1551 if (LOGGING(tls_cipher))
1552 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1554 DEBUG(D_tls) debug_printf(" parse error\n");
1558 if(!(bs = OCSP_response_get1_basic(rsp)))
1560 tls_out.ocsp = OCSP_FAILED;
1561 if (LOGGING(tls_cipher))
1562 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1564 DEBUG(D_tls) debug_printf(" error parsing response\n");
1565 OCSP_RESPONSE_free(rsp);
1569 /* We'd check the nonce here if we'd put one in the request. */
1570 /* However that would defeat cacheability on the server so we don't. */
1572 /* This section of code reworked from OpenSSL apps source;
1573 The OpenSSL Project retains copyright:
1574 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1579 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1581 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1583 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1585 /* Use the chain that verified the server cert to verify the stapled info */
1586 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1588 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1589 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1591 tls_out.ocsp = OCSP_FAILED;
1592 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1593 "Received TLS cert status response, itself unverifiable: %s",
1594 ERR_reason_error_string(ERR_peek_error()));
1595 BIO_printf(bp, "OCSP response verify failure\n");
1596 ERR_print_errors(bp);
1597 OCSP_RESPONSE_print(bp, rsp, 0);
1601 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1603 /*XXX So we have a good stapled OCSP status. How do we know
1604 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1605 OCSP_resp_find_status() which matches on a cert id, which presumably
1606 we should use. Making an id needs OCSP_cert_id_new(), which takes
1607 issuerName, issuerKey, serialNumber. Are they all in the cert?
1609 For now, carry on blindly accepting the resp. */
1612 OCSP_SINGLERESP * single;
1614 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1615 if (OCSP_resp_count(bs) != 1)
1617 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1618 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1621 tls_out.ocsp = OCSP_FAILED;
1622 log_write(0, LOG_MAIN, "OCSP stapling "
1623 "with multiple responses not handled");
1626 single = OCSP_resp_get0(bs, 0);
1627 status = OCSP_single_get0_status(single, &reason, &rev,
1628 &thisupd, &nextupd);
1631 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1632 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1633 if (!OCSP_check_validity(thisupd, nextupd,
1634 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1636 tls_out.ocsp = OCSP_FAILED;
1637 DEBUG(D_tls) ERR_print_errors(bp);
1638 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1642 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1643 OCSP_cert_status_str(status));
1646 case V_OCSP_CERTSTATUS_GOOD:
1647 tls_out.ocsp = OCSP_VFIED;
1650 case V_OCSP_CERTSTATUS_REVOKED:
1651 tls_out.ocsp = OCSP_FAILED;
1652 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1653 reason != -1 ? "; reason: " : "",
1654 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1655 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1658 tls_out.ocsp = OCSP_FAILED;
1659 log_write(0, LOG_MAIN,
1660 "Server certificate status unknown, in OCSP stapling");
1665 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1670 OCSP_RESPONSE_free(rsp);
1673 #endif /*!DISABLE_OCSP*/
1676 /*************************************************
1677 * Initialize for TLS *
1678 *************************************************/
1680 /* Called from both server and client code, to do preliminary initialization
1681 of the library. We allocate and return a context structure.
1684 ctxp returned SSL context
1685 host connected host, if client; NULL if server
1686 dhparam DH parameter file
1687 certificate certificate file
1688 privatekey private key
1689 ocsp_file file of stapling info (server); flag for require ocsp (client)
1690 addr address if client; NULL if server (for some randomness)
1691 cbp place to put allocated callback context
1692 errstr error string pointer
1694 Returns: OK/DEFER/FAIL
1698 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1700 #ifndef DISABLE_OCSP
1701 uschar *ocsp_file, /*XXX stack, in server*/
1703 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
1708 tls_ext_ctx_cb * cbinfo;
1710 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1711 cbinfo->certificate = certificate;
1712 cbinfo->privatekey = privatekey;
1713 cbinfo->is_server = host==NULL;
1714 #ifndef DISABLE_OCSP
1715 cbinfo->verify_stack = NULL;
1718 cbinfo->u_ocsp.server.file = ocsp_file;
1719 cbinfo->u_ocsp.server.file_expanded = NULL;
1720 cbinfo->u_ocsp.server.response = NULL;
1723 cbinfo->u_ocsp.client.verify_store = NULL;
1725 cbinfo->dhparam = dhparam;
1726 cbinfo->server_cipher_list = NULL;
1727 cbinfo->host = host;
1728 #ifndef DISABLE_EVENT
1729 cbinfo->event_action = NULL;
1732 #ifdef EXIM_NEED_OPENSSL_INIT
1733 SSL_load_error_strings(); /* basic set up */
1734 OpenSSL_add_ssl_algorithms();
1737 #ifdef EXIM_HAVE_SHA256
1738 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1739 list of available digests. */
1740 EVP_add_digest(EVP_sha256());
1743 /* Create a context.
1744 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1745 negotiation in the different methods; as far as I can tell, the only
1746 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1747 when OpenSSL is built without SSLv2 support.
1748 By disabling with openssl_options, we can let admins re-enable with the
1751 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1752 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1754 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1756 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1758 /* It turns out that we need to seed the random number generator this early in
1759 order to get the full complement of ciphers to work. It took me roughly a day
1760 of work to discover this by experiment.
1762 On systems that have /dev/urandom, SSL may automatically seed itself from
1763 there. Otherwise, we have to make something up as best we can. Double check
1769 gettimeofday(&r.tv, NULL);
1772 RAND_seed(US (&r), sizeof(r));
1773 RAND_seed(US big_buffer, big_buffer_size);
1774 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
1777 return tls_error(US"RAND_status", host,
1778 US"unable to seed random number generator", errstr);
1781 /* Set up the information callback, which outputs if debugging is at a suitable
1784 DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1785 #ifdef OPENSSL_HAVE_KEYLOG_CB
1786 DEBUG(D_tls) SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
1789 /* Automatically re-try reads/writes after renegotiation. */
1790 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1792 /* Apply administrator-supplied work-arounds.
1793 Historically we applied just one requested option,
1794 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1795 moved to an administrator-controlled list of options to specify and
1796 grandfathered in the first one as the default value for "openssl_options".
1798 No OpenSSL version number checks: the options we accept depend upon the
1799 availability of the option value macros from OpenSSL. */
1801 if (!tls_openssl_options_parse(openssl_options, &init_options))
1802 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
1806 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1807 if (!(SSL_CTX_set_options(ctx, init_options)))
1808 return tls_error(string_sprintf(
1809 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
1812 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1814 #ifdef OPENSSL_HAVE_NUM_TICKETS
1815 SSL_CTX_set_num_tickets(ctx, 0); /* send no TLS1.3 stateful-tickets */
1818 /* We'd like to disable session cache unconditionally, but foolish Outlook
1819 Express clients then give up the first TLS connection and make a second one
1820 (which works). Only when there is an IMAP service on the same machine.
1821 Presumably OE is trying to use the cache for A on B. Leave it enabled for
1822 now, until we work out a decent way of presenting control to the config. It
1823 will never be used because we use a new context every time. */
1825 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1828 /* Initialize with DH parameters if supplied */
1829 /* Initialize ECDH temp key parameter selection */
1831 if ( !init_dh(ctx, dhparam, host, errstr)
1832 || !init_ecdh(ctx, host, errstr)
1836 /* Set up certificate and key (and perhaps OCSP info) */
1838 if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
1841 /* If we need to handle SNI or OCSP, do so */
1843 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1844 # ifndef DISABLE_OCSP
1845 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1847 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1852 if (!host) /* server */
1854 # ifndef DISABLE_OCSP
1855 /* We check u_ocsp.server.file, not server.response, because we care about if
1856 the option exists, not what the current expansion might be, as SNI might
1857 change the certificate and OCSP file in use between now and the time the
1858 callback is invoked. */
1859 if (cbinfo->u_ocsp.server.file)
1861 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1862 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1865 /* We always do this, so that $tls_sni is available even if not used in
1867 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1868 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
1870 # ifndef DISABLE_OCSP
1872 if(ocsp_file) /* wanting stapling */
1874 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1876 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1879 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1880 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1885 cbinfo->verify_cert_hostnames = NULL;
1887 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
1888 /* Set up the RSA callback */
1889 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
1892 /* Finally, set the timeout, and we are done */
1894 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
1895 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1906 /*************************************************
1907 * Get name of cipher in use *
1908 *************************************************/
1911 Argument: pointer to an SSL structure for the connection
1912 buffer to use for answer
1914 pointer to number of bits for cipher
1919 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1921 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
1922 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1923 the accessor functions use const in the prototype. */
1925 const uschar * ver = CUS SSL_get_version(ssl);
1926 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1928 SSL_CIPHER_get_bits(c, bits);
1930 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1931 SSL_CIPHER_get_name(c), *bits);
1933 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1938 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
1940 /*XXX we might consider a list-of-certs variable for the cert chain.
1941 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1942 in list-handling functions, also consider the difference between the entire
1943 chain and the elements sent by the peer. */
1945 tlsp->peerdn = NULL;
1947 /* Will have already noted peercert on a verify fail; possibly not the leaf */
1948 if (!tlsp->peercert)
1949 tlsp->peercert = SSL_get_peer_certificate(ssl);
1950 /* Beware anonymous ciphers which lead to server_cert being NULL */
1952 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
1953 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
1956 peerdn[siz-1] = '\0';
1957 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1965 /*************************************************
1966 * Set up for verifying certificates *
1967 *************************************************/
1969 #ifndef DISABLE_OCSP
1970 /* Load certs from file, return TRUE on success */
1973 chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1978 while (sk_X509_num(verify_stack) > 0)
1979 X509_free(sk_X509_pop(verify_stack));
1981 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1982 while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1983 sk_X509_push(verify_stack, x);
1991 /* Called by both client and server startup; on the server possibly
1992 repeated after a Server Name Indication.
1995 sctx SSL_CTX* to initialise
1996 certs certs file or NULL
1997 crl CRL file or NULL
1998 host NULL in a server; the remote host in a client
1999 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2000 otherwise passed as FALSE
2001 cert_vfy_cb Callback function for certificate verification
2002 errstr error string pointer
2004 Returns: OK/DEFER/FAIL
2008 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
2009 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
2011 uschar *expcerts, *expcrl;
2013 if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
2015 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
2017 if (expcerts && *expcerts)
2019 /* Tell the library to use its compiled-in location for the system default
2020 CA bundle. Then add the ones specified in the config, if any. */
2022 if (!SSL_CTX_set_default_verify_paths(sctx))
2023 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
2025 if (Ustrcmp(expcerts, "system") != 0)
2027 struct stat statbuf;
2029 if (Ustat(expcerts, &statbuf) < 0)
2031 log_write(0, LOG_MAIN|LOG_PANIC,
2032 "failed to stat %s for certificates", expcerts);
2038 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2039 { file = NULL; dir = expcerts; }
2042 file = expcerts; dir = NULL;
2043 #ifndef DISABLE_OCSP
2044 /* In the server if we will be offering an OCSP proof, load chain from
2045 file for verifying the OCSP proof at load time. */
2048 && statbuf.st_size > 0
2049 && server_static_cbinfo->u_ocsp.server.file
2050 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2053 log_write(0, LOG_MAIN|LOG_PANIC,
2054 "failed to load cert chain from %s", file);
2060 /* If a certificate file is empty, the next function fails with an
2061 unhelpful error message. If we skip it, we get the correct behaviour (no
2062 certificates are recognized, but the error message is still misleading (it
2063 says no certificate was supplied). But this is better. */
2065 if ( (!file || statbuf.st_size > 0)
2066 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
2067 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
2069 /* Load the list of CAs for which we will accept certs, for sending
2070 to the client. This is only for the one-file tls_verify_certificates
2072 If a list isn't loaded into the server, but some verify locations are set,
2073 the server end appears to make a wildcard request for client certs.
2074 Meanwhile, the client library as default behaviour *ignores* the list
2075 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2076 Because of this, and that the dir variant is likely only used for
2077 the public-CA bundle (not for a private CA), not worth fixing. */
2081 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
2083 SSL_CTX_set_client_CA_list(sctx, names);
2084 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
2085 sk_X509_NAME_num(names));
2090 /* Handle a certificate revocation list. */
2092 #if OPENSSL_VERSION_NUMBER > 0x00907000L
2094 /* This bit of code is now the version supplied by Lars Mainka. (I have
2095 merely reformatted it into the Exim code style.)
2097 "From here I changed the code to add support for multiple crl's
2098 in pem format in one file or to support hashed directory entries in
2099 pem format instead of a file. This method now uses the library function
2100 X509_STORE_load_locations to add the CRL location to the SSL context.
2101 OpenSSL will then handle the verify against CA certs and CRLs by
2102 itself in the verify callback." */
2104 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
2105 if (expcrl && *expcrl)
2107 struct stat statbufcrl;
2108 if (Ustat(expcrl, &statbufcrl) < 0)
2110 log_write(0, LOG_MAIN|LOG_PANIC,
2111 "failed to stat %s for certificates revocation lists", expcrl);
2116 /* is it a file or directory? */
2118 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
2119 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
2123 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
2129 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
2131 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
2132 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
2134 /* setting the flags to check against the complete crl chain */
2136 X509_STORE_set_flags(cvstore,
2137 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2141 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
2143 /* If verification is optional, don't fail if no certificate */
2145 SSL_CTX_set_verify(sctx,
2146 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2155 /*************************************************
2156 * Start a TLS session in a server *
2157 *************************************************/
2159 /* This is called when Exim is running as a server, after having received
2160 the STARTTLS command. It must respond to that command, and then negotiate
2164 require_ciphers allowed ciphers
2165 errstr pointer to error message
2167 Returns: OK on success
2168 DEFER for errors before the start of the negotiation
2169 FAIL for errors during the negotiation; the server can't
2174 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2177 uschar * expciphers;
2178 tls_ext_ctx_cb * cbinfo;
2179 static uschar peerdn[256];
2180 static uschar cipherbuf[256];
2182 /* Check for previous activation */
2184 if (tls_in.active.sock >= 0)
2186 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
2187 smtp_printf("554 Already in TLS\r\n", FALSE);
2191 /* Initialize the SSL library. If it fails, it will already have logged
2194 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
2195 #ifndef DISABLE_OCSP
2196 tls_ocsp_file, /*XXX stack*/
2198 NULL, &server_static_cbinfo, errstr);
2199 if (rc != OK) return rc;
2200 cbinfo = server_static_cbinfo;
2202 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
2205 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2206 were historically separated by underscores. So that I can use either form in my
2207 tests, and also for general convenience, we turn underscores into hyphens here.
2209 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2210 for TLS 1.3 . Since we do not call it at present we get the default list:
2211 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
2216 uschar * s = expciphers;
2217 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2218 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2219 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
2220 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
2221 cbinfo->server_cipher_list = expciphers;
2224 /* If this is a host for which certificate verification is mandatory or
2225 optional, set up appropriately. */
2227 tls_in.certificate_verified = FALSE;
2229 tls_in.dane_verified = FALSE;
2231 server_verify_callback_called = FALSE;
2233 if (verify_check_host(&tls_verify_hosts) == OK)
2235 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2236 FALSE, verify_callback_server, errstr);
2237 if (rc != OK) return rc;
2238 server_verify_optional = FALSE;
2240 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2242 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2243 TRUE, verify_callback_server, errstr);
2244 if (rc != OK) return rc;
2245 server_verify_optional = TRUE;
2248 /* Prepare for new connection */
2250 if (!(server_ssl = SSL_new(server_ctx)))
2251 return tls_error(US"SSL_new", NULL, NULL, errstr);
2253 /* Warning: we used to SSL_clear(ssl) here, it was removed.
2255 * With the SSL_clear(), we get strange interoperability bugs with
2256 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2257 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2259 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2260 * session shutdown. In this case, we have a brand new object and there's no
2261 * obvious reason to immediately clear it. I'm guessing that this was
2262 * originally added because of incomplete initialisation which the clear fixed,
2263 * in some historic release.
2266 /* Set context and tell client to go ahead, except in the case of TLS startup
2267 on connection, where outputting anything now upsets the clients and tends to
2268 make them disconnect. We need to have an explicit fflush() here, to force out
2269 the response. Other smtp_printf() calls do not need it, because in non-TLS
2270 mode, the fflush() happens when smtp_getc() is called. */
2272 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2273 if (!tls_in.on_connect)
2275 smtp_printf("220 TLS go ahead\r\n", FALSE);
2279 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2280 that the OpenSSL library doesn't. */
2282 SSL_set_wfd(server_ssl, fileno(smtp_out));
2283 SSL_set_rfd(server_ssl, fileno(smtp_in));
2284 SSL_set_accept_state(server_ssl);
2286 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2288 sigalrm_seen = FALSE;
2289 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2290 rc = SSL_accept(server_ssl);
2295 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2299 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2301 /* TLS has been set up. Adjust the input functions to read via TLS,
2302 and initialize things. */
2304 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2309 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
2310 debug_printf("Shared ciphers: %s\n", buf);
2312 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
2314 BIO * bp = BIO_new(BIO_s_mem());
2317 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
2318 len = (int) BIO_get_mem_data(bp, CSS &s);
2319 debug_printf("%.*s", len, s);
2325 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2326 tls_in.cipher = cipherbuf;
2328 /* Record the certificate we presented */
2330 X509 * crt = SSL_get_certificate(server_ssl);
2331 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2334 /* Only used by the server-side tls (tls_in), including tls_getc.
2335 Client-side (tls_out) reads (seem to?) go via
2336 smtp_read_response()/ip_recv().
2337 Hence no need to duplicate for _in and _out.
2339 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2340 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2341 ssl_xfer_eof = ssl_xfer_error = FALSE;
2343 receive_getc = tls_getc;
2344 receive_getbuf = tls_getbuf;
2345 receive_get_cache = tls_get_cache;
2346 receive_ungetc = tls_ungetc;
2347 receive_feof = tls_feof;
2348 receive_ferror = tls_ferror;
2349 receive_smtp_buffered = tls_smtp_buffered;
2351 tls_in.active.sock = fileno(smtp_out);
2352 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
2360 tls_client_basic_ctx_init(SSL_CTX * ctx,
2361 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2365 /* stick to the old behaviour for compatibility if tls_verify_certificates is
2366 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2367 the specified host patterns if one of them is defined */
2369 if ( ( !ob->tls_verify_hosts
2370 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2372 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2374 client_verify_optional = FALSE;
2375 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2376 client_verify_optional = TRUE;
2380 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2381 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2385 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2387 cbinfo->verify_cert_hostnames =
2389 string_domain_utf8_to_alabel(host->name, NULL);
2393 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2394 cbinfo->verify_cert_hostnames);
2402 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2405 const char * hostnames[2] = { CS host->name, NULL };
2408 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2409 return tls_error(US"hostnames load", host, NULL, errstr);
2411 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2412 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2413 ) if (rr->type == T_TLSA && rr->size > 3)
2415 const uschar * p = rr->data;
2416 uint8_t usage, selector, mtype;
2417 const char * mdname;
2421 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2422 if (usage != 2 && usage != 3) continue;
2429 default: continue; /* Only match-types 0, 1, 2 are supported */
2430 case 0: mdname = NULL; break;
2431 case 1: mdname = "sha256"; break;
2432 case 2: mdname = "sha512"; break;
2436 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2439 return tls_error(US"tlsa load", host, NULL, errstr);
2440 case 0: /* action not taken */
2444 tls_out.tlsa_usage |= 1<<usage;
2450 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2453 #endif /*SUPPORT_DANE*/
2457 /*************************************************
2458 * Start a TLS session in a client *
2459 *************************************************/
2461 /* Called from the smtp transport after STARTTLS has been accepted.
2464 fd the fd of the connection
2465 host connected host (for messages and option-tests)
2466 addr the first address (for some randomness; can be NULL)
2467 tb transport (always smtp)
2468 tlsa_dnsa tlsa lookup, if DANE, else null
2469 tlsp record details of channel configuration here; must be non-NULL
2470 errstr error string pointer
2472 Returns: Pointer to TLS session context, or NULL on error
2476 tls_client_start(int fd, host_item *host, address_item *addr,
2477 transport_instance * tb,
2479 dns_answer * tlsa_dnsa,
2481 tls_support * tlsp, uschar ** errstr)
2483 smtp_transport_options_block * ob = tb
2484 ? (smtp_transport_options_block *)tb->options_block
2485 : &smtp_transport_option_defaults;
2486 exim_openssl_client_tls_ctx * exim_client_ctx;
2487 static uschar peerdn[256];
2488 uschar * expciphers;
2490 static uschar cipherbuf[256];
2492 #ifndef DISABLE_OCSP
2493 BOOL request_ocsp = FALSE;
2494 BOOL require_ocsp = FALSE;
2498 store_pool = POOL_PERM;
2499 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
2503 tlsp->tlsa_usage = 0;
2506 #ifndef DISABLE_OCSP
2508 # ifdef SUPPORT_DANE
2510 && ob->hosts_request_ocsp[0] == '*'
2511 && ob->hosts_request_ocsp[1] == '\0'
2514 /* Unchanged from default. Use a safer one under DANE */
2515 request_ocsp = TRUE;
2516 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2517 " {= {4}{$tls_out_tlsa_usage}} } "
2523 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
2524 request_ocsp = TRUE;
2526 # ifdef SUPPORT_DANE
2530 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2534 rc = tls_init(&exim_client_ctx->ctx, host, NULL,
2535 ob->tls_certificate, ob->tls_privatekey,
2536 #ifndef DISABLE_OCSP
2537 (void *)(long)request_ocsp,
2539 addr, &client_static_cbinfo, errstr);
2540 if (rc != OK) return NULL;
2542 tlsp->certificate_verified = FALSE;
2543 client_verify_callback_called = FALSE;
2549 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2550 other failures should be treated as problems. */
2551 if (ob->dane_require_tls_ciphers &&
2552 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2553 &expciphers, errstr))
2555 if (expciphers && *expciphers == '\0')
2560 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2561 &expciphers, errstr))
2564 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2565 are separated by underscores. So that I can use either form in my tests, and
2566 also for general convenience, we turn underscores into hyphens here. */
2570 uschar *s = expciphers;
2571 while (*s) { if (*s == '_') *s = '-'; s++; }
2572 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2573 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2575 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2583 SSL_CTX_set_verify(exim_client_ctx->ctx,
2584 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2585 verify_callback_client_dane);
2587 if (!DANESSL_library_init())
2589 tls_error(US"library init", host, NULL, errstr);
2592 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2594 tls_error(US"context init", host, NULL, errstr);
2602 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2603 client_static_cbinfo, errstr) != OK)
2606 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
2608 tls_error(US"SSL_new", host, NULL, errstr);
2611 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
2612 SSL_set_fd(exim_client_ctx->ssl, fd);
2613 SSL_set_connect_state(exim_client_ctx->ssl);
2617 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
2621 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2623 else if (!Ustrlen(tlsp->sni))
2627 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2628 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
2629 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
2631 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
2639 if (dane_tlsa_load(exim_client_ctx->ssl, host, tlsa_dnsa, errstr) != OK)
2643 #ifndef DISABLE_OCSP
2644 /* Request certificate status at connection-time. If the server
2645 does OCSP stapling we will get the callback (set in tls_init()) */
2646 # ifdef SUPPORT_DANE
2650 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2651 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2653 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2654 this means we avoid the OCSP request, we wasted the setup
2655 cost in tls_init(). */
2656 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
2657 request_ocsp = require_ocsp
2658 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2665 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
2666 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2667 tlsp->ocsp = OCSP_NOT_RESP;
2671 #ifndef DISABLE_EVENT
2672 client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
2675 /* There doesn't seem to be a built-in timeout on connection. */
2677 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2678 sigalrm_seen = FALSE;
2679 ALARM(ob->command_timeout);
2680 rc = SSL_connect(exim_client_ctx->ssl);
2685 DANESSL_cleanup(exim_client_ctx->ssl);
2690 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
2696 debug_printf("SSL_connect succeeded\n");
2697 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
2699 BIO * bp = BIO_new(BIO_s_mem());
2702 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
2703 len = (int) BIO_get_mem_data(bp, CSS &s);
2704 debug_printf("%.*s", len, s);
2710 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
2712 construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
2713 tlsp->cipher = cipherbuf;
2715 /* Record the certificate we presented */
2717 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
2718 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
2721 tlsp->active.sock = fd;
2722 tlsp->active.tls_ctx = exim_client_ctx;
2723 return exim_client_ctx;
2731 tls_refill(unsigned lim)
2736 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2737 ssl_xfer_buffer, ssl_xfer_buffer_size);
2739 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2740 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2741 MIN(ssl_xfer_buffer_size, lim));
2742 error = SSL_get_error(server_ssl, inbytes);
2743 if (smtp_receive_timeout > 0) ALARM_CLR(0);
2745 if (had_command_timeout) /* set by signal handler */
2746 smtp_command_timeout_exit(); /* does not return */
2747 if (had_command_sigterm)
2748 smtp_command_sigterm_exit();
2749 if (had_data_timeout)
2750 smtp_data_timeout_exit();
2751 if (had_data_sigint)
2752 smtp_data_sigint_exit();
2754 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2755 closed down, not that the socket itself has been closed down. Revert to
2756 non-SSL handling. */
2760 case SSL_ERROR_NONE:
2763 case SSL_ERROR_ZERO_RETURN:
2764 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2766 receive_getc = smtp_getc;
2767 receive_getbuf = smtp_getbuf;
2768 receive_get_cache = smtp_get_cache;
2769 receive_ungetc = smtp_ungetc;
2770 receive_feof = smtp_feof;
2771 receive_ferror = smtp_ferror;
2772 receive_smtp_buffered = smtp_buffered;
2774 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2775 SSL_shutdown(server_ssl);
2777 #ifndef DISABLE_OCSP
2778 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2779 server_static_cbinfo->verify_stack = NULL;
2781 SSL_free(server_ssl);
2782 SSL_CTX_free(server_ctx);
2785 tls_in.active.sock = -1;
2786 tls_in.active.tls_ctx = NULL;
2788 tls_in.cipher = NULL;
2789 tls_in.peerdn = NULL;
2794 /* Handle genuine errors */
2796 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
2797 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2798 ssl_xfer_error = TRUE;
2802 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2803 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
2804 debug_printf(" - syscall %s\n", strerror(errno));
2805 ssl_xfer_error = TRUE;
2809 #ifndef DISABLE_DKIM
2810 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2812 ssl_xfer_buffer_hwm = inbytes;
2813 ssl_xfer_buffer_lwm = 0;
2818 /*************************************************
2819 * TLS version of getc *
2820 *************************************************/
2822 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2823 it refills the buffer via the SSL reading function.
2825 Arguments: lim Maximum amount to read/buffer
2826 Returns: the next character or EOF
2828 Only used by the server-side TLS.
2832 tls_getc(unsigned lim)
2834 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2835 if (!tls_refill(lim))
2836 return ssl_xfer_error ? EOF : smtp_getc(lim);
2838 /* Something in the buffer; return next uschar */
2840 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2844 tls_getbuf(unsigned * len)
2849 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2850 if (!tls_refill(*len))
2852 if (!ssl_xfer_error) return smtp_getbuf(len);
2857 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2859 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2860 ssl_xfer_buffer_lwm += size;
2869 #ifndef DISABLE_DKIM
2870 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2872 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
2878 tls_could_read(void)
2880 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
2884 /*************************************************
2885 * Read bytes from TLS channel *
2886 *************************************************/
2890 ct_ctx client context pointer, or NULL for the one global server context
2894 Returns: the number of bytes read
2895 -1 after a failed read, including EOF
2897 Only used by the client-side TLS.
2901 tls_read(void * ct_ctx, uschar *buff, size_t len)
2903 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
2907 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2908 buff, (unsigned int)len);
2910 inbytes = SSL_read(ssl, CS buff, len);
2911 error = SSL_get_error(ssl, inbytes);
2913 if (error == SSL_ERROR_ZERO_RETURN)
2915 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2918 else if (error != SSL_ERROR_NONE)
2928 /*************************************************
2929 * Write bytes down TLS channel *
2930 *************************************************/
2934 ct_ctx client context pointer, or NULL for the one global server context
2937 more further data expected soon
2939 Returns: the number of bytes after a successful write,
2940 -1 after a failed write
2942 Used by both server-side and client-side TLS.
2946 tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
2949 int outbytes, error;
2950 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
2951 static gstring * corked = NULL;
2953 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
2954 buff, (unsigned long)len, more ? ", more" : "");
2956 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2957 "more" is notified. This hack is only ok if small amounts are involved AND only
2958 one stream does it, in one context (i.e. no store reset). Currently it is used
2959 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2960 /* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
2961 a store reset there, so use POOL_PERM. */
2962 /* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
2964 if ((more || corked))
2966 #ifdef EXPERIMENTAL_PIPE_CONNECT
2967 int save_pool = store_pool;
2968 store_pool = POOL_PERM;
2971 corked = string_catn(corked, buff, len);
2973 #ifdef EXPERIMENTAL_PIPE_CONNECT
2974 store_pool = save_pool;
2979 buff = CUS corked->s;
2984 for (int left = len; left > 0;)
2986 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
2987 outbytes = SSL_write(ssl, CS buff, left);
2988 error = SSL_get_error(ssl, outbytes);
2989 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2993 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
2994 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2997 case SSL_ERROR_NONE:
3002 case SSL_ERROR_ZERO_RETURN:
3003 log_write(0, LOG_MAIN, "SSL channel closed on write");
3006 case SSL_ERROR_SYSCALL:
3007 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
3008 sender_fullhost ? sender_fullhost : US"<unknown>",
3013 log_write(0, LOG_MAIN, "SSL_write error %d", error);
3022 /*************************************************
3023 * Close down a TLS session *
3024 *************************************************/
3026 /* This is also called from within a delivery subprocess forked from the
3027 daemon, to shut down the TLS library, without actually doing a shutdown (which
3028 would tamper with the SSL session in the parent process).
3031 ct_ctx client TLS context pointer, or NULL for the one global server context
3032 shutdown 1 if TLS close-alert is to be sent,
3033 2 if also response to be waited for
3037 Used by both server-side and client-side TLS.
3041 tls_close(void * ct_ctx, int shutdown)
3043 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3044 SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3045 SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3046 int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
3048 if (*fdp < 0) return; /* TLS was not active */
3053 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3054 shutdown > 1 ? " (with response-wait)" : "");
3056 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3060 rc = SSL_shutdown(*sslp); /* wait for response */
3064 if (rc < 0) DEBUG(D_tls)
3066 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3067 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3071 #ifndef DISABLE_OCSP
3072 if (!o_ctx) /* server side */
3074 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3075 server_static_cbinfo->verify_stack = NULL;
3079 SSL_CTX_free(*ctxp);
3089 /*************************************************
3090 * Let tls_require_ciphers be checked at startup *
3091 *************************************************/
3093 /* The tls_require_ciphers option, if set, must be something which the
3096 Returns: NULL on success, or error message
3100 tls_validate_require_cipher(void)
3103 uschar *s, *expciphers, *err;
3105 /* this duplicates from tls_init(), we need a better "init just global
3106 state, for no specific purpose" singleton function of our own */
3108 #ifdef EXIM_NEED_OPENSSL_INIT
3109 SSL_load_error_strings();
3110 OpenSSL_add_ssl_algorithms();
3112 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3113 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
3114 list of available digests. */
3115 EVP_add_digest(EVP_sha256());
3118 if (!(tls_require_ciphers && *tls_require_ciphers))
3121 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3123 return US"failed to expand tls_require_ciphers";
3125 if (!(expciphers && *expciphers))
3128 /* normalisation ripped from above */
3130 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3134 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3135 if (!(ctx = SSL_CTX_new(TLS_server_method())))
3137 if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3140 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3141 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3145 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3147 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3149 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3150 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3151 expciphers, ssl_errstring);
3162 /*************************************************
3163 * Report the library versions. *
3164 *************************************************/
3166 /* There have historically been some issues with binary compatibility in
3167 OpenSSL libraries; if Exim (like many other applications) is built against
3168 one version of OpenSSL but the run-time linker picks up another version,
3169 it can result in serious failures, including crashing with a SIGSEGV. So
3170 report the version found by the compiler and the run-time version.
3172 Note: some OS vendors backport security fixes without changing the version
3173 number/string, and the version date remains unchanged. The _build_ date
3174 will change, so we can more usefully assist with version diagnosis by also
3175 reporting the build date.
3177 Arguments: a FILE* to print the results to
3182 tls_version_report(FILE *f)
3184 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
3187 OPENSSL_VERSION_TEXT,
3188 SSLeay_version(SSLEAY_VERSION),
3189 SSLeay_version(SSLEAY_BUILT_ON));
3190 /* third line is 38 characters for the %s and the line is 73 chars long;
3191 the OpenSSL output includes a "built on: " prefix already. */
3197 /*************************************************
3198 * Random number generation *
3199 *************************************************/
3201 /* Pseudo-random number generation. The result is not expected to be
3202 cryptographically strong but not so weak that someone will shoot themselves
3203 in the foot using it as a nonce in input in some email header scheme or
3204 whatever weirdness they'll twist this into. The result should handle fork()
3205 and avoid repeating sequences. OpenSSL handles that for us.
3209 Returns a random number in range [0, max-1]
3213 vaguely_random_number(int max)
3217 static pid_t pidlast = 0;
3219 uschar smallbuf[sizeof(r)];
3225 if (pidnow != pidlast)
3227 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3228 is unique for each thread", this doesn't apparently apply across processes,
3229 so our own warning from vaguely_random_number_fallback() applies here too.
3230 Fix per PostgreSQL. */
3236 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3240 gettimeofday(&r.tv, NULL);
3243 RAND_seed(US (&r), sizeof(r));
3245 /* We're after pseudo-random, not random; if we still don't have enough data
3246 in the internal PRNG then our options are limited. We could sleep and hope
3247 for entropy to come along (prayer technique) but if the system is so depleted
3248 in the first place then something is likely to just keep taking it. Instead,
3249 we'll just take whatever little bit of pseudo-random we can still manage to
3252 needed_len = sizeof(r);
3253 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3254 asked for a number less than 10. */
3255 for (r = max, i = 0; r; ++i)
3261 #ifdef EXIM_HAVE_RAND_PSEUDO
3262 /* We do not care if crypto-strong */
3263 i = RAND_pseudo_bytes(smallbuf, needed_len);
3265 i = RAND_bytes(smallbuf, needed_len);
3271 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3272 return vaguely_random_number_fallback(max);
3276 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3279 /* We don't particularly care about weighted results; if someone wants
3280 smooth distribution and cares enough then they should submit a patch then. */
3287 /*************************************************
3288 * OpenSSL option parse *
3289 *************************************************/
3291 /* Parse one option for tls_openssl_options_parse below
3294 name one option name
3295 value place to store a value for it
3296 Returns success or failure in parsing
3302 tls_openssl_one_option_parse(uschar *name, long *value)
3305 int last = exim_openssl_options_size;
3306 while (last > first)
3308 int middle = (first + last)/2;
3309 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3312 *value = exim_openssl_options[middle].value;
3326 /*************************************************
3327 * OpenSSL option parsing logic *
3328 *************************************************/
3330 /* OpenSSL has a number of compatibility options which an administrator might
3331 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3332 we look like log_selector.
3335 option_spec the administrator-supplied string of options
3336 results ptr to long storage for the options bitmap
3337 Returns success or failure
3341 tls_openssl_options_parse(uschar *option_spec, long *results)
3346 BOOL adding, item_parsed;
3348 result = SSL_OP_NO_TICKET;
3349 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
3350 * from default because it increases BEAST susceptibility. */
3351 #ifdef SSL_OP_NO_SSLv2
3352 result |= SSL_OP_NO_SSLv2;
3354 #ifdef SSL_OP_SINGLE_DH_USE
3355 result |= SSL_OP_SINGLE_DH_USE;
3364 for (uschar * s = option_spec; *s != '\0'; /**/)
3366 while (isspace(*s)) ++s;
3369 if (*s != '+' && *s != '-')
3371 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
3372 "+ or - expected but found \"%s\"\n", s);
3375 adding = *s++ == '+';
3376 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3379 item_parsed = tls_openssl_one_option_parse(s, &item);
3383 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
3386 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3387 adding ? "adding" : "removing", result, item, s);
3399 #endif /*!MACRO_PREDEF*/
3402 /* End of tls-openssl.c */
git://git.exim.org / users / jgh / exim.git / blob