1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2019 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
29 # include <openssl/ocsp.h>
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
44 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
45 # define EXIM_HAVE_RSA_GENKEY_EX
47 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
48 # define EXIM_HAVE_OCSP_RESP_COUNT
50 # define EXIM_HAVE_EPHEM_RSA_KEX
51 # define EXIM_HAVE_RAND_PSEUDO
53 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54 # define EXIM_HAVE_SHA256
57 /* X509_check_host provides sane certificate hostname checking, but was added
58 to OpenSSL late, after other projects forked off the code-base. So in
59 addition to guarding against the base version number, beware that LibreSSL
60 does not (at this time) support this function.
62 If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63 opt to disentangle and ask a LibreSSL user to provide glue for a third
64 crypto provider for libtls instead of continuing to tie the OpenSSL glue
65 into even twistier knots. If LibreSSL gains the same API, we can just
66 change this guard and punt the issue for a while longer. */
68 #ifndef LIBRESSL_VERSION_NUMBER
69 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
70 # define EXIM_HAVE_OPENSSL_CHECKHOST
71 # define EXIM_HAVE_OPENSSL_DH_BITS
72 # define EXIM_HAVE_OPENSSL_TLS_METHOD
73 # define EXIM_HAVE_OPENSSL_KEYLOG
74 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
75 # define EXIM_HAVE_SESSION_TICKET
76 # define EXIM_HAVE_OPESSL_TRACE
78 # define EXIM_NEED_OPENSSL_INIT
80 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
81 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
82 # define EXIM_HAVE_OPENSSL_CHECKHOST
86 #if !defined(LIBRESSL_VERSION_NUMBER) \
87 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
88 # if !defined(OPENSSL_NO_ECDH)
89 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
90 # define EXIM_HAVE_ECDH
92 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
93 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
98 #ifndef LIBRESSL_VERSION_NUMBER
99 # if OPENSSL_VERSION_NUMBER >= 0x010101000L
100 # define OPENSSL_HAVE_KEYLOG_CB
101 # define OPENSSL_HAVE_NUM_TICKETS
102 # define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
106 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
107 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
108 # define DISABLE_OCSP
111 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
112 # include <openssl/x509v3.h>
115 #ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
116 # ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
117 # define SSL_CIPHER_get_id(c) (c->id)
119 # ifndef MACRO_PREDEF
120 # include "tls-cipher-stdname.c"
124 /*************************************************
125 * OpenSSL option parse *
126 *************************************************/
128 typedef struct exim_openssl_option {
131 } exim_openssl_option;
132 /* We could use a macro to expand, but we need the ifdef and not all the
133 options document which version they were introduced in. Policylet: include
134 all options unless explicitly for DTLS, let the administrator choose which
137 This list is current as of:
139 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
140 Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
142 static exim_openssl_option exim_openssl_options[] = {
143 /* KEEP SORTED ALPHABETICALLY! */
145 { US"all", SSL_OP_ALL },
147 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
148 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
150 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
151 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
153 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
154 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
156 #ifdef SSL_OP_EPHEMERAL_RSA
157 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
159 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
160 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
162 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
163 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
165 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
166 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
168 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
169 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
171 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
172 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
174 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
175 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
177 #ifdef SSL_OP_NO_COMPRESSION
178 { US"no_compression", SSL_OP_NO_COMPRESSION },
180 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
181 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
183 #ifdef SSL_OP_NO_SSLv2
184 { US"no_sslv2", SSL_OP_NO_SSLv2 },
186 #ifdef SSL_OP_NO_SSLv3
187 { US"no_sslv3", SSL_OP_NO_SSLv3 },
189 #ifdef SSL_OP_NO_TICKET
190 { US"no_ticket", SSL_OP_NO_TICKET },
192 #ifdef SSL_OP_NO_TLSv1
193 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
195 #ifdef SSL_OP_NO_TLSv1_1
196 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
197 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
198 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
200 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
203 #ifdef SSL_OP_NO_TLSv1_2
204 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
206 #ifdef SSL_OP_NO_TLSv1_3
207 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
209 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
210 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
212 #ifdef SSL_OP_SINGLE_DH_USE
213 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
215 #ifdef SSL_OP_SINGLE_ECDH_USE
216 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
218 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
219 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
221 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
222 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
224 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
225 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
227 #ifdef SSL_OP_TLS_D5_BUG
228 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
230 #ifdef SSL_OP_TLS_ROLLBACK_BUG
231 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
236 static int exim_openssl_options_size = nelem(exim_openssl_options);
245 for (struct exim_openssl_option * o = exim_openssl_options;
246 o < exim_openssl_options + nelem(exim_openssl_options); o++)
248 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
249 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
251 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
252 builtin_macro_create(buf);
255 # ifdef EXPERIMENTAL_TLS_RESUME
256 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
261 /******************************************************************************/
263 /* Structure for collecting random data for seeding. */
265 typedef struct randstuff {
270 /* Local static variables */
272 static BOOL client_verify_callback_called = FALSE;
273 static BOOL server_verify_callback_called = FALSE;
274 static const uschar *sid_ctx = US"exim";
276 /* We have three different contexts to care about.
278 Simple case: client, `client_ctx`
279 As a client, we can be doing a callout or cut-through delivery while receiving
280 a message. So we have a client context, which should have options initialised
281 from the SMTP Transport. We may also concurrently want to make TLS connections
282 to utility daemons, so client-contexts are allocated and passed around in call
283 args rather than using a gobal.
286 There are two cases: with and without ServerNameIndication from the client.
287 Given TLS SNI, we can be using different keys, certs and various other
288 configuration settings, because they're re-expanded with $tls_sni set. This
289 allows vhosting with TLS. This SNI is sent in the handshake.
290 A client might not send SNI, so we need a fallback, and an initial setup too.
291 So as a server, we start out using `server_ctx`.
292 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
293 `server_sni` from `server_ctx` and then initialise settings by re-expanding
301 } exim_openssl_client_tls_ctx;
303 static SSL_CTX *server_ctx = NULL;
304 static SSL *server_ssl = NULL;
306 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
307 static SSL_CTX *server_sni = NULL;
310 static char ssl_errstring[256];
312 static int ssl_session_timeout = 3600;
313 static BOOL client_verify_optional = FALSE;
314 static BOOL server_verify_optional = FALSE;
316 static BOOL reexpand_tls_files_for_sni = FALSE;
319 typedef struct tls_ext_ctx_cb {
325 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
329 uschar *file_expanded;
330 OCSP_RESPONSE *response;
333 X509_STORE *verify_store; /* non-null if status requested */
334 BOOL verify_required;
339 /* these are cached from first expand */
340 uschar *server_cipher_list;
341 /* only passed down to tls_error: */
343 const uschar * verify_cert_hostnames;
344 #ifndef DISABLE_EVENT
345 uschar * event_action;
349 /* should figure out a cleanup of API to handle state preserved per
350 implementation, for various reasons, which can be void * in the APIs.
351 For now, we hack around it. */
352 tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
353 tls_ext_ctx_cb *server_static_cbinfo = NULL;
356 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
357 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
360 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
361 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
364 static int tls_server_stapling_cb(SSL *s, void *arg);
369 /* Daemon-called key create/rotate */
370 #ifdef EXPERIMENTAL_TLS_RESUME
371 static void tk_init(void);
372 static int tls_exdata_idx = -1;
376 tls_daemon_init(void)
378 #ifdef EXPERIMENTAL_TLS_RESUME
385 /*************************************************
387 *************************************************/
389 /* Called from lots of places when errors occur before actually starting to do
390 the TLS handshake, that is, while the session is still in clear. Always returns
391 DEFER for a server and FAIL for a client so that most calls can use "return
392 tls_error(...)" to do this processing and then give an appropriate return. A
393 single function is used for both server and client, because it is called from
394 some shared functions.
397 prefix text to include in the logged error
398 host NULL if setting up a server;
399 the connected host if setting up a client
400 msg error message or NULL if we should ask OpenSSL
401 errstr pointer to output error message
403 Returns: OK/DEFER/FAIL
407 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
411 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
412 msg = US ssl_errstring;
415 msg = string_sprintf("(%s): %s", prefix, msg);
416 DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
417 if (errstr) *errstr = msg;
418 return host ? FAIL : DEFER;
423 /*************************************************
424 * Callback to generate RSA key *
425 *************************************************/
429 s SSL connection (not used)
433 Returns: pointer to generated key
437 rsa_callback(SSL *s, int export, int keylength)
440 #ifdef EXIM_HAVE_RSA_GENKEY_EX
441 BIGNUM *bn = BN_new();
444 export = export; /* Shut picky compilers up */
445 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
447 #ifdef EXIM_HAVE_RSA_GENKEY_EX
448 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
449 || !(rsa_key = RSA_new())
450 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
453 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
457 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
458 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
470 x509_store_dump_cert_s_names(X509_STORE * store)
472 STACK_OF(X509_OBJECT) * roots= store->objs;
473 static uschar name[256];
475 for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
477 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
478 if(tmp_obj->type == X509_LU_X509)
480 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
481 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
483 name[sizeof(name)-1] = '\0';
484 debug_printf(" %s\n", name);
493 #ifndef DISABLE_EVENT
495 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
496 BOOL *calledp, const BOOL *optionalp, const uschar * what)
502 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
505 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
506 old_cert = tlsp->peercert;
507 tlsp->peercert = X509_dup(cert);
508 /* NB we do not bother setting peerdn */
509 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
511 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
512 "depth=%d cert=%s: %s",
513 tlsp == &tls_out ? deliver_host_address : sender_host_address,
514 what, depth, dn, yield);
518 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
519 return 1; /* reject (leaving peercert set) */
521 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
522 "(host in tls_try_verify_hosts)\n");
524 X509_free(tlsp->peercert);
525 tlsp->peercert = old_cert;
531 /*************************************************
532 * Callback for verification *
533 *************************************************/
535 /* The SSL library does certificate verification if set up to do so. This
536 callback has the current yes/no state is in "state". If verification succeeded,
537 we set the certificate-verified flag. If verification failed, what happens
538 depends on whether the client is required to present a verifiable certificate
541 If verification is optional, we change the state to yes, but still log the
542 verification error. For some reason (it really would help to have proper
543 documentation of OpenSSL), this callback function then gets called again, this
544 time with state = 1. We must take care not to set the private verified flag on
545 the second time through.
547 Note: this function is not called if the client fails to present a certificate
548 when asked. We get here only if a certificate has been received. Handling of
549 optional verification for this case is done when requesting SSL to verify, by
550 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
552 May be called multiple times for different issues with a certificate, even
553 for a given "depth" in the certificate chain.
556 preverify_ok current yes/no state as 1/0
557 x509ctx certificate information.
558 tlsp per-direction (client vs. server) support data
559 calledp has-been-called flag
560 optionalp verification-is-optional flag
562 Returns: 0 if verification should fail, otherwise 1
566 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
567 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
569 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
570 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
573 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
575 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
576 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
577 tlsp == &tls_out ? deliver_host_address : sender_host_address);
580 dn[sizeof(dn)-1] = '\0';
582 if (preverify_ok == 0)
584 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
585 *verify_mode, sender_host_address)
587 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
588 tlsp == &tls_out ? deliver_host_address : sender_host_address,
590 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
595 tlsp->peercert = X509_dup(cert); /* record failing cert */
596 return 0; /* reject */
598 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
599 "tls_try_verify_hosts)\n");
604 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
606 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
607 { /* client, wanting stapling */
608 /* Add the server cert's signing chain as the one
609 for the verification of the OCSP stapled information. */
611 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
614 sk_X509_push(client_static_cbinfo->verify_stack, cert);
617 #ifndef DISABLE_EVENT
618 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
619 return 0; /* reject, with peercert set */
624 const uschar * verify_cert_hostnames;
626 if ( tlsp == &tls_out
627 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
628 /* client, wanting hostname check */
631 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
632 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
633 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
635 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
636 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
639 const uschar * list = verify_cert_hostnames;
642 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
643 if ((rc = X509_check_host(cert, CCS name, 0,
644 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
645 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
650 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
651 tlsp == &tls_out ? deliver_host_address : sender_host_address);
658 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
661 uschar * extra = verify_mode
662 ? string_sprintf(" (during %c-verify for [%s])",
663 *verify_mode, sender_host_address)
665 log_write(0, LOG_MAIN,
666 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
667 tlsp == &tls_out ? deliver_host_address : sender_host_address,
668 extra, dn, verify_cert_hostnames);
673 tlsp->peercert = X509_dup(cert); /* record failing cert */
674 return 0; /* reject */
676 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
677 "tls_try_verify_hosts)\n");
681 #ifndef DISABLE_EVENT
682 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
683 return 0; /* reject, with peercert set */
686 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
687 *calledp ? "" : " authenticated", dn);
688 if (!*calledp) tlsp->certificate_verified = TRUE;
692 return 1; /* accept, at least for this level */
696 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
698 return verify_callback(preverify_ok, x509ctx, &tls_out,
699 &client_verify_callback_called, &client_verify_optional);
703 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
705 return verify_callback(preverify_ok, x509ctx, &tls_in,
706 &server_verify_callback_called, &server_verify_optional);
712 /* This gets called *by* the dane library verify callback, which interposes
716 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
718 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
720 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
721 #ifndef DISABLE_EVENT
722 BOOL dummy_called, optional = FALSE;
725 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
727 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
728 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
729 deliver_host_address);
732 dn[sizeof(dn)-1] = '\0';
734 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
735 preverify_ok ? "ok":"BAD", depth, dn);
737 #ifndef DISABLE_EVENT
738 if (verify_event(&tls_out, cert, depth, dn,
739 &dummy_called, &optional, US"DANE"))
740 return 0; /* reject, with peercert set */
743 if (preverify_ok == 1)
745 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
747 if (client_static_cbinfo->u_ocsp.client.verify_store)
748 { /* client, wanting stapling */
749 /* Add the server cert's signing chain as the one
750 for the verification of the OCSP stapled information. */
752 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
755 sk_X509_push(client_static_cbinfo->verify_stack, cert);
761 int err = X509_STORE_CTX_get_error(x509ctx);
763 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
764 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
770 #endif /*SUPPORT_DANE*/
773 /*************************************************
774 * Information callback *
775 *************************************************/
777 /* The SSL library functions call this from time to time to indicate what they
778 are doing. We copy the string to the debugging output when TLS debugging has
790 info_callback(SSL *s, int where, int ret)
796 if (where & SSL_ST_CONNECT)
797 str = US"SSL_connect";
798 else if (where & SSL_ST_ACCEPT)
799 str = US"SSL_accept";
801 str = US"SSL info (undefined)";
803 if (where & SSL_CB_LOOP)
804 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
805 else if (where & SSL_CB_ALERT)
806 debug_printf("SSL3 alert %s:%s:%s\n",
807 str = where & SSL_CB_READ ? US"read" : US"write",
808 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
809 else if (where & SSL_CB_EXIT)
811 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
813 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
814 else if (where & SSL_CB_HANDSHAKE_START)
815 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
816 else if (where & SSL_CB_HANDSHAKE_DONE)
817 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
821 #ifdef OPENSSL_HAVE_KEYLOG_CB
823 keylog_callback(const SSL *ssl, const char *line)
825 DEBUG(D_tls) debug_printf("%.200s\n", line);
830 #ifdef EXPERIMENTAL_TLS_RESUME
831 /* Manage the keysets used for encrypting the session tickets, on the server. */
833 typedef struct { /* Session ticket encryption key */
836 const EVP_CIPHER * aes_cipher;
837 uschar aes_key[16]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
838 const EVP_MD * hmac_hash;
844 /*XXX for now just always create/find the one key.
845 Worry about rotation and overlap later. */
847 static exim_stek exim_tk;
848 static exim_stek exim_tk_old;
855 if (exim_tk.renew >= time(NULL)) return;
856 exim_tk_old = exim_tk;
859 if (f.running_in_test_harness) ssl_session_timeout = 6;
861 DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
862 if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
863 if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
864 if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
866 exim_tk.name[0] = 'E';
867 exim_tk.aes_cipher = EVP_aes_128_cbc();
868 exim_tk.hmac_hash = EVP_sha256();
869 exim_tk.expire = time(NULL) + ssl_session_timeout;
870 exim_tk.renew = exim_tk.expire - ssl_session_timeout/2;
876 if (!exim_tk.name[0]) return NULL;
881 tk_find(const uschar * name)
883 return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
884 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
888 /* Callback for session tickets, on server */
890 ticket_key_callback(SSL * ssl, uschar key_name[16],
891 uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
893 tls_support * tlsp = server_static_cbinfo->tlsp;
898 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
899 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
901 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
902 return -1; /* insufficient random */
904 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
905 return 0; /* key couldn't be created */
906 memcpy(key_name, key->name, 16);
907 DEBUG(D_tls) debug_printf("STEK expire %ld\n", key->expire - time(NULL));
909 /*XXX will want these dependent on the ssl session strength */
910 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
911 key->hmac_hash, NULL);
912 EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
914 DEBUG(D_tls) debug_printf("ticket created\n");
919 time_t now = time(NULL);
921 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
922 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
924 if (!(key = tk_find(key_name)) || key->expire < now)
928 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
929 if (key) debug_printf("STEK expire %ld\n", key->expire - now);
934 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
935 key->hmac_hash, NULL);
936 EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
938 DEBUG(D_tls) debug_printf("ticket usable, STEK expire %ld\n", key->expire - now);
939 return key->renew < now ? 2 : 1;
946 /*************************************************
947 * Initialize for DH *
948 *************************************************/
950 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
953 sctx The current SSL CTX (inbound or outbound)
954 dhparam DH parameter file or fixed parameter identity string
955 host connected host, if client; NULL if server
956 errstr error string pointer
958 Returns: TRUE if OK (nothing to set up, or setup worked)
962 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
970 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
973 if (!dhexpanded || !*dhexpanded)
974 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
975 else if (dhexpanded[0] == '/')
977 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
979 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
980 host, US strerror(errno), errstr);
986 if (Ustrcmp(dhexpanded, "none") == 0)
988 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
992 if (!(pem = std_dh_prime_named(dhexpanded)))
994 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
995 host, US strerror(errno), errstr);
998 bio = BIO_new_mem_buf(CS pem, -1);
1001 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
1004 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
1005 host, NULL, errstr);
1009 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
1010 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
1011 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
1012 * If someone wants to dance at the edge, then they can raise the limit or use
1013 * current libraries. */
1014 #ifdef EXIM_HAVE_OPENSSL_DH_BITS
1015 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
1016 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
1017 dh_bitsize = DH_bits(dh);
1019 dh_bitsize = 8 * DH_size(dh);
1022 /* Even if it is larger, we silently return success rather than cause things
1023 * to fail out, so that a too-large DH will not knock out all TLS; it's a
1024 * debatable choice. */
1025 if (dh_bitsize > tls_dh_max_bits)
1028 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
1029 dh_bitsize, tls_dh_max_bits);
1033 SSL_CTX_set_tmp_dh(sctx, dh);
1035 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
1036 dhexpanded ? dhexpanded : US"default", dh_bitsize);
1048 /*************************************************
1049 * Initialize for ECDH *
1050 *************************************************/
1052 /* Load parameters for ECDH encryption.
1054 For now, we stick to NIST P-256 because: it's simple and easy to configure;
1055 it avoids any patent issues that might bite redistributors; despite events in
1056 the news and concerns over curve choices, we're not cryptographers, we're not
1057 pretending to be, and this is "good enough" to be better than no support,
1058 protecting against most adversaries. Given another year or two, there might
1059 be sufficient clarity about a "right" way forward to let us make an informed
1060 decision, instead of a knee-jerk reaction.
1062 Longer-term, we should look at supporting both various named curves and
1063 external files generated with "openssl ecparam", much as we do for init_dh().
1064 We should also support "none" as a value, to explicitly avoid initialisation.
1069 sctx The current SSL CTX (inbound or outbound)
1070 host connected host, if client; NULL if server
1071 errstr error string pointer
1073 Returns: TRUE if OK (nothing to set up, or setup worked)
1077 init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
1079 #ifdef OPENSSL_NO_ECDH
1088 if (host) /* No ECDH setup for clients, only for servers */
1091 # ifndef EXIM_HAVE_ECDH
1093 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
1097 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
1099 if (!exp_curve || !*exp_curve)
1102 /* "auto" needs to be handled carefully.
1103 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
1104 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
1105 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
1106 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
1107 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
1109 if (Ustrcmp(exp_curve, "auto") == 0)
1111 #if OPENSSL_VERSION_NUMBER < 0x10002000L
1112 DEBUG(D_tls) debug_printf(
1113 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
1114 exp_curve = US"prime256v1";
1116 # if defined SSL_CTRL_SET_ECDH_AUTO
1117 DEBUG(D_tls) debug_printf(
1118 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
1119 SSL_CTX_set_ecdh_auto(sctx, 1);
1122 DEBUG(D_tls) debug_printf(
1123 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
1129 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
1130 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
1131 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
1132 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
1136 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
1137 host, NULL, errstr);
1141 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1143 tls_error(US"Unable to create ec curve", host, NULL, errstr);
1147 /* The "tmp" in the name here refers to setting a temporary key
1148 not to the stability of the interface. */
1150 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
1151 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
1153 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1158 # endif /*EXIM_HAVE_ECDH*/
1159 #endif /*OPENSSL_NO_ECDH*/
1165 #ifndef DISABLE_OCSP
1166 /*************************************************
1167 * Load OCSP information into state *
1168 *************************************************/
1169 /* Called to load the server OCSP response from the given file into memory, once
1170 caller has determined this is needed. Checks validity. Debugs a message
1173 ASSUMES: single response, for single cert.
1176 sctx the SSL_CTX* to update
1177 cbinfo various parts of session state
1178 expanded the filename putatively holding an OCSP response
1183 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
1186 OCSP_RESPONSE * resp;
1187 OCSP_BASICRESP * basic_response;
1188 OCSP_SINGLERESP * single_response;
1189 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1190 STACK_OF(X509) * sk;
1191 unsigned long verify_flags;
1192 int status, reason, i;
1194 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1195 if (cbinfo->u_ocsp.server.response)
1197 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1198 cbinfo->u_ocsp.server.response = NULL;
1201 if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
1203 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
1204 cbinfo->u_ocsp.server.file_expanded);
1208 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1212 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1216 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1218 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1219 OCSP_response_status_str(status), status);
1223 if (!(basic_response = OCSP_response_get1_basic(resp)))
1226 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1230 sk = cbinfo->verify_stack;
1231 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1233 /* May need to expose ability to adjust those flags?
1234 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1235 OCSP_TRUSTOTHER OCSP_NOINTERN */
1237 /* This does a full verify on the OCSP proof before we load it for serving
1238 up; possibly overkill - just date-checks might be nice enough.
1240 OCSP_basic_verify takes a "store" arg, but does not
1241 use it for the chain verification, which is all we do
1242 when OCSP_NOVERIFY is set. The content from the wire
1243 "basic_response" and a cert-stack "sk" are all that is used.
1245 We have a stack, loaded in setup_certs() if tls_verify_certificates
1246 was a file (not a directory, or "system"). It is unfortunate we
1247 cannot used the connection context store, as that would neatly
1248 handle the "system" case too, but there seems to be no library
1249 function for getting a stack from a store.
1250 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1251 We do not free the stack since it could be needed a second time for
1254 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1255 be a public interface into the OpenSSL library (there's no manual entry) -
1256 But what with? We also use OCSP_basic_verify in the client stapling callback.
1257 And there we NEED it; we must verify that status... unless the
1258 library does it for us anyway? */
1260 if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
1264 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1265 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
1270 /* Here's the simplifying assumption: there's only one response, for the
1271 one certificate we use, and nothing for anything else in a chain. If this
1272 proves false, we need to extract a cert id from our issued cert
1273 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1274 right cert in the stack and then calls OCSP_single_get0_status()).
1276 I'm hoping to avoid reworking a bunch more of how we handle state here. */
1278 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1281 debug_printf("Unable to get first response from OCSP basic response.\n");
1285 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1286 if (status != V_OCSP_CERTSTATUS_GOOD)
1288 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1289 OCSP_cert_status_str(status), status,
1290 OCSP_crl_reason_str(reason), reason);
1294 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1296 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
1301 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
1305 if (f.running_in_test_harness)
1307 extern char ** environ;
1308 if (environ) for (uschar ** p = USS environ; *p; p++)
1309 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1311 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1312 goto supply_response;
1317 #endif /*!DISABLE_OCSP*/
1322 /* Create and install a selfsigned certificate, for use in server mode */
1325 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
1333 where = US"allocating pkey";
1334 if (!(pkey = EVP_PKEY_new()))
1337 where = US"allocating cert";
1338 if (!(x509 = X509_new()))
1341 where = US"generating pkey";
1342 if (!(rsa = rsa_callback(NULL, 0, 2048)))
1345 where = US"assigning pkey";
1346 if (!EVP_PKEY_assign_RSA(pkey, rsa))
1349 X509_set_version(x509, 2); /* N+1 - version 3 */
1350 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
1351 X509_gmtime_adj(X509_get_notBefore(x509), 0);
1352 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1353 X509_set_pubkey(x509, pkey);
1355 name = X509_get_subject_name(x509);
1356 X509_NAME_add_entry_by_txt(name, "C",
1357 MBSTRING_ASC, CUS "UK", -1, -1, 0);
1358 X509_NAME_add_entry_by_txt(name, "O",
1359 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
1360 X509_NAME_add_entry_by_txt(name, "CN",
1361 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1362 X509_set_issuer_name(x509, name);
1364 where = US"signing cert";
1365 if (!X509_sign(x509, pkey, EVP_md5()))
1368 where = US"installing selfsign cert";
1369 if (!SSL_CTX_use_certificate(sctx, x509))
1372 where = US"installing selfsign key";
1373 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1379 (void) tls_error(where, NULL, NULL, errstr);
1380 if (x509) X509_free(x509);
1381 if (pkey) EVP_PKEY_free(pkey);
1389 tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1392 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1393 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1394 return tls_error(string_sprintf(
1395 "SSL_CTX_use_certificate_chain_file file=%s", file),
1396 cbinfo->host, NULL, errstr);
1401 tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1404 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1405 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1406 return tls_error(string_sprintf(
1407 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1412 /*************************************************
1413 * Expand key and cert file specs *
1414 *************************************************/
1416 /* Called once during tls_init and possibly again during TLS setup, for a
1417 new context, if Server Name Indication was used and tls_sni was seen in
1418 the certificate string.
1421 sctx the SSL_CTX* to update
1422 cbinfo various parts of session state
1423 errstr error string pointer
1425 Returns: OK/DEFER/FAIL
1429 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1434 if (!cbinfo->certificate)
1436 if (!cbinfo->is_server) /* client */
1439 if (tls_install_selfsign(sctx, errstr) != OK)
1446 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1447 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1448 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1450 reexpand_tls_files_for_sni = TRUE;
1452 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1456 if (cbinfo->is_server)
1458 const uschar * file_list = expanded;
1462 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1463 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1466 else /* would there ever be a need for multiple client certs? */
1467 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1470 if ( cbinfo->privatekey
1471 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1474 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1475 of the expansion is an empty string, ignore it also, and assume the private
1476 key is in the same file as the certificate. */
1478 if (expanded && *expanded)
1479 if (cbinfo->is_server)
1481 const uschar * file_list = expanded;
1485 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1486 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1489 else /* would there ever be a need for multiple client certs? */
1490 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1494 #ifndef DISABLE_OCSP
1495 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1498 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
1501 if (expanded && *expanded)
1503 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1504 if ( cbinfo->u_ocsp.server.file_expanded
1505 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1507 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1510 ocsp_load_response(sctx, cbinfo, expanded);
1521 /*************************************************
1522 * Callback to handle SNI *
1523 *************************************************/
1525 /* Called when acting as server during the TLS session setup if a Server Name
1526 Indication extension was sent by the client.
1528 API documentation is OpenSSL s_server.c implementation.
1531 s SSL* of the current session
1532 ad unknown (part of OpenSSL API) (unused)
1533 arg Callback of "our" registered data
1535 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1537 XXX might need to change to using ClientHello callback,
1538 per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
1541 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1543 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1545 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1546 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1548 int old_pool = store_pool;
1549 uschar * dummy_errstr;
1552 return SSL_TLSEXT_ERR_OK;
1554 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1555 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1557 /* Make the extension value available for expansion */
1558 store_pool = POOL_PERM;
1559 tls_in.sni = string_copy(US servername);
1560 store_pool = old_pool;
1562 if (!reexpand_tls_files_for_sni)
1563 return SSL_TLSEXT_ERR_OK;
1565 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1566 not confident that memcpy wouldn't break some internal reference counting.
1567 Especially since there's a references struct member, which would be off. */
1569 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1570 if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1572 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1575 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1576 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1580 /* Not sure how many of these are actually needed, since SSL object
1581 already exists. Might even need this selfsame callback, for reneg? */
1583 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1584 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1585 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1586 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1587 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1588 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1590 if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1591 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1595 if ( cbinfo->server_cipher_list
1596 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
1599 #ifndef DISABLE_OCSP
1600 if (cbinfo->u_ocsp.server.file)
1602 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1603 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1607 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1608 verify_callback_server, &dummy_errstr)) != OK)
1611 /* do this after setup_certs, because this can require the certs for verifying
1612 OCSP information. */
1613 if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1616 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1617 SSL_set_SSL_CTX(s, server_sni);
1618 return SSL_TLSEXT_ERR_OK;
1620 bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
1622 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1627 #ifndef DISABLE_OCSP
1629 /*************************************************
1630 * Callback to handle OCSP Stapling *
1631 *************************************************/
1633 /* Called when acting as server during the TLS session setup if the client
1634 requests OCSP information with a Certificate Status Request.
1636 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1642 tls_server_stapling_cb(SSL *s, void *arg)
1644 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1645 uschar *response_der; /*XXX blob */
1646 int response_der_len;
1648 /*XXX stack: use SSL_get_certificate() to see which cert; from that work
1649 out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1650 buggy in current OpenSSL; it returns the last cert loaded always rather than
1651 the one actually presented. So we can't support a stack of OCSP proofs at
1655 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1656 cbinfo->u_ocsp.server.response ? "have" : "lack");
1658 tls_in.ocsp = OCSP_NOT_RESP;
1659 if (!cbinfo->u_ocsp.server.response)
1660 return SSL_TLSEXT_ERR_NOACK;
1662 response_der = NULL;
1663 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
1665 if (response_der_len <= 0)
1666 return SSL_TLSEXT_ERR_NOACK;
1668 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1669 tls_in.ocsp = OCSP_VFIED;
1670 return SSL_TLSEXT_ERR_OK;
1675 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1677 BIO_printf(bp, "\t%s: ", str);
1678 ASN1_GENERALIZEDTIME_print(bp, time);
1683 tls_client_stapling_cb(SSL *s, void *arg)
1685 tls_ext_ctx_cb * cbinfo = arg;
1686 const unsigned char * p;
1688 OCSP_RESPONSE * rsp;
1689 OCSP_BASICRESP * bs;
1692 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1693 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1696 /* Expect this when we requested ocsp but got none */
1697 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1698 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1700 DEBUG(D_tls) debug_printf(" null\n");
1701 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1704 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1706 tls_out.ocsp = OCSP_FAILED;
1707 if (LOGGING(tls_cipher))
1708 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1710 DEBUG(D_tls) debug_printf(" parse error\n");
1714 if(!(bs = OCSP_response_get1_basic(rsp)))
1716 tls_out.ocsp = OCSP_FAILED;
1717 if (LOGGING(tls_cipher))
1718 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1720 DEBUG(D_tls) debug_printf(" error parsing response\n");
1721 OCSP_RESPONSE_free(rsp);
1725 /* We'd check the nonce here if we'd put one in the request. */
1726 /* However that would defeat cacheability on the server so we don't. */
1728 /* This section of code reworked from OpenSSL apps source;
1729 The OpenSSL Project retains copyright:
1730 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1735 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1737 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1739 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1741 /* Use the chain that verified the server cert to verify the stapled info */
1742 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1744 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1745 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1747 tls_out.ocsp = OCSP_FAILED;
1748 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1749 "Received TLS cert status response, itself unverifiable: %s",
1750 ERR_reason_error_string(ERR_peek_error()));
1751 BIO_printf(bp, "OCSP response verify failure\n");
1752 ERR_print_errors(bp);
1753 OCSP_RESPONSE_print(bp, rsp, 0);
1757 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1759 /*XXX So we have a good stapled OCSP status. How do we know
1760 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1761 OCSP_resp_find_status() which matches on a cert id, which presumably
1762 we should use. Making an id needs OCSP_cert_id_new(), which takes
1763 issuerName, issuerKey, serialNumber. Are they all in the cert?
1765 For now, carry on blindly accepting the resp. */
1768 OCSP_SINGLERESP * single;
1770 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1771 if (OCSP_resp_count(bs) != 1)
1773 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1774 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1777 tls_out.ocsp = OCSP_FAILED;
1778 log_write(0, LOG_MAIN, "OCSP stapling "
1779 "with multiple responses not handled");
1782 single = OCSP_resp_get0(bs, 0);
1783 status = OCSP_single_get0_status(single, &reason, &rev,
1784 &thisupd, &nextupd);
1787 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1788 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1789 if (!OCSP_check_validity(thisupd, nextupd,
1790 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1792 tls_out.ocsp = OCSP_FAILED;
1793 DEBUG(D_tls) ERR_print_errors(bp);
1794 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1798 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1799 OCSP_cert_status_str(status));
1802 case V_OCSP_CERTSTATUS_GOOD:
1803 tls_out.ocsp = OCSP_VFIED;
1806 case V_OCSP_CERTSTATUS_REVOKED:
1807 tls_out.ocsp = OCSP_FAILED;
1808 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1809 reason != -1 ? "; reason: " : "",
1810 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1811 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1814 tls_out.ocsp = OCSP_FAILED;
1815 log_write(0, LOG_MAIN,
1816 "Server certificate status unknown, in OCSP stapling");
1821 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1826 OCSP_RESPONSE_free(rsp);
1829 #endif /*!DISABLE_OCSP*/
1832 /*************************************************
1833 * Initialize for TLS *
1834 *************************************************/
1836 /* Called from both server and client code, to do preliminary initialization
1837 of the library. We allocate and return a context structure.
1840 ctxp returned SSL context
1841 host connected host, if client; NULL if server
1842 dhparam DH parameter file
1843 certificate certificate file
1844 privatekey private key
1845 ocsp_file file of stapling info (server); flag for require ocsp (client)
1846 addr address if client; NULL if server (for some randomness)
1847 cbp place to put allocated callback context
1848 errstr error string pointer
1850 Returns: OK/DEFER/FAIL
1854 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1856 #ifndef DISABLE_OCSP
1857 uschar *ocsp_file, /*XXX stack, in server*/
1859 address_item *addr, tls_ext_ctx_cb ** cbp,
1866 tls_ext_ctx_cb * cbinfo;
1868 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1869 cbinfo->tlsp = tlsp;
1870 cbinfo->certificate = certificate;
1871 cbinfo->privatekey = privatekey;
1872 cbinfo->is_server = host==NULL;
1873 #ifndef DISABLE_OCSP
1874 cbinfo->verify_stack = NULL;
1877 cbinfo->u_ocsp.server.file = ocsp_file;
1878 cbinfo->u_ocsp.server.file_expanded = NULL;
1879 cbinfo->u_ocsp.server.response = NULL;
1882 cbinfo->u_ocsp.client.verify_store = NULL;
1884 cbinfo->dhparam = dhparam;
1885 cbinfo->server_cipher_list = NULL;
1886 cbinfo->host = host;
1887 #ifndef DISABLE_EVENT
1888 cbinfo->event_action = NULL;
1891 #ifdef EXIM_NEED_OPENSSL_INIT
1892 SSL_load_error_strings(); /* basic set up */
1893 OpenSSL_add_ssl_algorithms();
1896 #ifdef EXIM_HAVE_SHA256
1897 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1898 list of available digests. */
1899 EVP_add_digest(EVP_sha256());
1902 /* Create a context.
1903 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1904 negotiation in the different methods; as far as I can tell, the only
1905 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1906 when OpenSSL is built without SSLv2 support.
1907 By disabling with openssl_options, we can let admins re-enable with the
1910 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1911 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1913 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1915 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1917 /* It turns out that we need to seed the random number generator this early in
1918 order to get the full complement of ciphers to work. It took me roughly a day
1919 of work to discover this by experiment.
1921 On systems that have /dev/urandom, SSL may automatically seed itself from
1922 there. Otherwise, we have to make something up as best we can. Double check
1928 gettimeofday(&r.tv, NULL);
1931 RAND_seed(US (&r), sizeof(r));
1932 RAND_seed(US big_buffer, big_buffer_size);
1933 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
1936 return tls_error(US"RAND_status", host,
1937 US"unable to seed random number generator", errstr);
1940 /* Set up the information callback, which outputs if debugging is at a suitable
1945 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1946 #if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
1947 /* this needs a debug build of OpenSSL */
1948 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
1950 #ifdef OPENSSL_HAVE_KEYLOG_CB
1951 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
1955 /* Automatically re-try reads/writes after renegotiation. */
1956 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1958 /* Apply administrator-supplied work-arounds.
1959 Historically we applied just one requested option,
1960 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1961 moved to an administrator-controlled list of options to specify and
1962 grandfathered in the first one as the default value for "openssl_options".
1964 No OpenSSL version number checks: the options we accept depend upon the
1965 availability of the option value macros from OpenSSL. */
1967 if (!tls_openssl_options_parse(openssl_options, &init_options))
1968 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
1970 #ifdef EXPERIMENTAL_TLS_RESUME
1971 tlsp->resumption = RESUME_SUPPORTED;
1975 #ifdef EXPERIMENTAL_TLS_RESUME
1976 /* Should the server offer session resumption? */
1977 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
1979 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
1980 init_options &= ~SSL_OP_NO_TICKET;
1981 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
1982 tlsp->host_resumable = TRUE;
1986 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1987 if (!(SSL_CTX_set_options(ctx, init_options)))
1988 return tls_error(string_sprintf(
1989 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
1992 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1994 /* We'd like to disable session cache unconditionally, but foolish Outlook
1995 Express clients then give up the first TLS connection and make a second one
1996 (which works). Only when there is an IMAP service on the same machine.
1997 Presumably OE is trying to use the cache for A on B. Leave it enabled for
1998 now, until we work out a decent way of presenting control to the config. It
1999 will never be used because we use a new context every time. */
2001 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
2004 /* Initialize with DH parameters if supplied */
2005 /* Initialize ECDH temp key parameter selection */
2007 if ( !init_dh(ctx, dhparam, host, errstr)
2008 || !init_ecdh(ctx, host, errstr)
2012 /* Set up certificate and key (and perhaps OCSP info) */
2014 if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
2017 /* If we need to handle SNI or OCSP, do so */
2019 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2020 # ifndef DISABLE_OCSP
2021 if (!(cbinfo->verify_stack = sk_X509_new_null()))
2023 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2028 if (!host) /* server */
2030 # ifndef DISABLE_OCSP
2031 /* We check u_ocsp.server.file, not server.response, because we care about if
2032 the option exists, not what the current expansion might be, as SNI might
2033 change the certificate and OCSP file in use between now and the time the
2034 callback is invoked. */
2035 if (cbinfo->u_ocsp.server.file)
2037 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2038 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
2041 /* We always do this, so that $tls_sni is available even if not used in
2043 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2044 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
2046 # ifndef DISABLE_OCSP
2048 if(ocsp_file) /* wanting stapling */
2050 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
2052 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2055 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2056 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
2061 cbinfo->verify_cert_hostnames = NULL;
2063 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
2064 /* Set up the RSA callback */
2065 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
2068 /* Finally, set the session cache timeout, and we are done.
2069 The period appears to be also used for (server-generated) session tickets */
2071 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
2072 DEBUG(D_tls) debug_printf("Initialized TLS\n");
2083 /*************************************************
2084 * Get name of cipher in use *
2085 *************************************************/
2088 Argument: pointer to an SSL structure for the connection
2089 pointer to number of bits for cipher
2090 Returns: pointer to allocated string in perm-pool
2094 construct_cipher_name(SSL * ssl, int * bits)
2096 int pool = store_pool;
2097 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
2098 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2099 the accessor functions use const in the prototype. */
2101 const uschar * ver = CUS SSL_get_version(ssl);
2102 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
2105 SSL_CIPHER_get_bits(c, bits);
2107 store_pool = POOL_PERM;
2108 s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2110 DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2115 /* Get IETF-standard name for ciphersuite.
2116 Argument: pointer to an SSL structure for the connection
2117 Returns: pointer to string
2120 static const uschar *
2121 cipher_stdname_ssl(SSL * ssl)
2123 #ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2124 return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2126 ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2127 return cipher_stdname(id >> 8, id & 0xff);
2133 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
2135 /*XXX we might consider a list-of-certs variable for the cert chain.
2136 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2137 in list-handling functions, also consider the difference between the entire
2138 chain and the elements sent by the peer. */
2140 tlsp->peerdn = NULL;
2142 /* Will have already noted peercert on a verify fail; possibly not the leaf */
2143 if (!tlsp->peercert)
2144 tlsp->peercert = SSL_get_peer_certificate(ssl);
2145 /* Beware anonymous ciphers which lead to server_cert being NULL */
2147 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2148 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2151 peerdn[siz-1] = '\0';
2152 tlsp->peerdn = peerdn; /*XXX a static buffer... */
2160 /*************************************************
2161 * Set up for verifying certificates *
2162 *************************************************/
2164 #ifndef DISABLE_OCSP
2165 /* Load certs from file, return TRUE on success */
2168 chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2173 while (sk_X509_num(verify_stack) > 0)
2174 X509_free(sk_X509_pop(verify_stack));
2176 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2177 while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2178 sk_X509_push(verify_stack, x);
2186 /* Called by both client and server startup; on the server possibly
2187 repeated after a Server Name Indication.
2190 sctx SSL_CTX* to initialise
2191 certs certs file or NULL
2192 crl CRL file or NULL
2193 host NULL in a server; the remote host in a client
2194 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2195 otherwise passed as FALSE
2196 cert_vfy_cb Callback function for certificate verification
2197 errstr error string pointer
2199 Returns: OK/DEFER/FAIL
2203 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
2204 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
2206 uschar *expcerts, *expcrl;
2208 if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
2210 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
2212 if (expcerts && *expcerts)
2214 /* Tell the library to use its compiled-in location for the system default
2215 CA bundle. Then add the ones specified in the config, if any. */
2217 if (!SSL_CTX_set_default_verify_paths(sctx))
2218 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
2220 if (Ustrcmp(expcerts, "system") != 0)
2222 struct stat statbuf;
2224 if (Ustat(expcerts, &statbuf) < 0)
2226 log_write(0, LOG_MAIN|LOG_PANIC,
2227 "failed to stat %s for certificates", expcerts);
2233 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2234 { file = NULL; dir = expcerts; }
2237 file = expcerts; dir = NULL;
2238 #ifndef DISABLE_OCSP
2239 /* In the server if we will be offering an OCSP proof, load chain from
2240 file for verifying the OCSP proof at load time. */
2243 && statbuf.st_size > 0
2244 && server_static_cbinfo->u_ocsp.server.file
2245 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2248 log_write(0, LOG_MAIN|LOG_PANIC,
2249 "failed to load cert chain from %s", file);
2255 /* If a certificate file is empty, the next function fails with an
2256 unhelpful error message. If we skip it, we get the correct behaviour (no
2257 certificates are recognized, but the error message is still misleading (it
2258 says no certificate was supplied). But this is better. */
2260 if ( (!file || statbuf.st_size > 0)
2261 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
2262 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
2264 /* Load the list of CAs for which we will accept certs, for sending
2265 to the client. This is only for the one-file tls_verify_certificates
2267 If a list isn't loaded into the server, but some verify locations are set,
2268 the server end appears to make a wildcard request for client certs.
2269 Meanwhile, the client library as default behaviour *ignores* the list
2270 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2271 Because of this, and that the dir variant is likely only used for
2272 the public-CA bundle (not for a private CA), not worth fixing. */
2276 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
2278 SSL_CTX_set_client_CA_list(sctx, names);
2279 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
2280 sk_X509_NAME_num(names));
2285 /* Handle a certificate revocation list. */
2287 #if OPENSSL_VERSION_NUMBER > 0x00907000L
2289 /* This bit of code is now the version supplied by Lars Mainka. (I have
2290 merely reformatted it into the Exim code style.)
2292 "From here I changed the code to add support for multiple crl's
2293 in pem format in one file or to support hashed directory entries in
2294 pem format instead of a file. This method now uses the library function
2295 X509_STORE_load_locations to add the CRL location to the SSL context.
2296 OpenSSL will then handle the verify against CA certs and CRLs by
2297 itself in the verify callback." */
2299 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
2300 if (expcrl && *expcrl)
2302 struct stat statbufcrl;
2303 if (Ustat(expcrl, &statbufcrl) < 0)
2305 log_write(0, LOG_MAIN|LOG_PANIC,
2306 "failed to stat %s for certificates revocation lists", expcrl);
2311 /* is it a file or directory? */
2313 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
2314 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
2318 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
2324 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
2326 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
2327 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
2329 /* setting the flags to check against the complete crl chain */
2331 X509_STORE_set_flags(cvstore,
2332 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2336 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
2338 /* If verification is optional, don't fail if no certificate */
2340 SSL_CTX_set_verify(sctx,
2341 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2350 /*************************************************
2351 * Start a TLS session in a server *
2352 *************************************************/
2354 /* This is called when Exim is running as a server, after having received
2355 the STARTTLS command. It must respond to that command, and then negotiate
2359 require_ciphers allowed ciphers
2360 errstr pointer to error message
2362 Returns: OK on success
2363 DEFER for errors before the start of the negotiation
2364 FAIL for errors during the negotiation; the server can't
2369 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2372 uschar * expciphers;
2373 tls_ext_ctx_cb * cbinfo;
2374 static uschar peerdn[256];
2376 /* Check for previous activation */
2378 if (tls_in.active.sock >= 0)
2380 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
2381 smtp_printf("554 Already in TLS\r\n", FALSE);
2385 /* Initialize the SSL library. If it fails, it will already have logged
2388 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
2389 #ifndef DISABLE_OCSP
2390 tls_ocsp_file, /*XXX stack*/
2392 NULL, &server_static_cbinfo, &tls_in, errstr);
2393 if (rc != OK) return rc;
2394 cbinfo = server_static_cbinfo;
2396 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
2399 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2400 were historically separated by underscores. So that I can use either form in my
2401 tests, and also for general convenience, we turn underscores into hyphens here.
2403 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2404 for TLS 1.3 . Since we do not call it at present we get the default list:
2405 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
2410 for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
2411 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2412 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
2413 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
2414 cbinfo->server_cipher_list = expciphers;
2417 /* If this is a host for which certificate verification is mandatory or
2418 optional, set up appropriately. */
2420 tls_in.certificate_verified = FALSE;
2422 tls_in.dane_verified = FALSE;
2424 server_verify_callback_called = FALSE;
2426 if (verify_check_host(&tls_verify_hosts) == OK)
2428 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2429 FALSE, verify_callback_server, errstr);
2430 if (rc != OK) return rc;
2431 server_verify_optional = FALSE;
2433 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2435 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2436 TRUE, verify_callback_server, errstr);
2437 if (rc != OK) return rc;
2438 server_verify_optional = TRUE;
2441 #ifdef EXPERIMENTAL_TLS_RESUME
2442 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
2443 /* despite working, appears to always return failure, so ignoring */
2445 #ifdef OPENSSL_HAVE_NUM_TICKETS
2446 # ifdef EXPERIMENTAL_TLS_RESUME
2447 SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
2449 SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
2454 /* Prepare for new connection */
2456 if (!(server_ssl = SSL_new(server_ctx)))
2457 return tls_error(US"SSL_new", NULL, NULL, errstr);
2459 /* Warning: we used to SSL_clear(ssl) here, it was removed.
2461 * With the SSL_clear(), we get strange interoperability bugs with
2462 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2463 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2465 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2466 * session shutdown. In this case, we have a brand new object and there's no
2467 * obvious reason to immediately clear it. I'm guessing that this was
2468 * originally added because of incomplete initialisation which the clear fixed,
2469 * in some historic release.
2472 /* Set context and tell client to go ahead, except in the case of TLS startup
2473 on connection, where outputting anything now upsets the clients and tends to
2474 make them disconnect. We need to have an explicit fflush() here, to force out
2475 the response. Other smtp_printf() calls do not need it, because in non-TLS
2476 mode, the fflush() happens when smtp_getc() is called. */
2478 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2479 if (!tls_in.on_connect)
2481 smtp_printf("220 TLS go ahead\r\n", FALSE);
2485 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2486 that the OpenSSL library doesn't. */
2488 SSL_set_wfd(server_ssl, fileno(smtp_out));
2489 SSL_set_rfd(server_ssl, fileno(smtp_in));
2490 SSL_set_accept_state(server_ssl);
2492 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2494 sigalrm_seen = FALSE;
2495 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2496 rc = SSL_accept(server_ssl);
2501 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2505 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2506 ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
2507 anon-authentication ciphersuite negotiated. */
2509 #ifdef EXPERIMENTAL_TLS_RESUME
2510 if (SSL_session_reused(server_ssl))
2512 tls_in.resumption |= RESUME_USED;
2513 DEBUG(D_tls) debug_printf("Session reused\n");
2517 /* TLS has been set up. Adjust the input functions to read via TLS,
2518 and initialize things. */
2520 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2522 tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
2523 tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2528 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
2529 debug_printf("Shared ciphers: %s\n", buf);
2531 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
2533 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
2534 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
2539 #ifdef EXIM_HAVE_SESSION_TICKET
2541 SSL_SESSION * ss = SSL_get_session(server_ssl);
2542 if (SSL_SESSION_has_ticket(ss))
2543 debug_printf("The session has a ticket, life %lu seconds\n",
2544 SSL_SESSION_get_ticket_lifetime_hint(ss));
2549 /* Record the certificate we presented */
2551 X509 * crt = SSL_get_certificate(server_ssl);
2552 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2555 /* Only used by the server-side tls (tls_in), including tls_getc.
2556 Client-side (tls_out) reads (seem to?) go via
2557 smtp_read_response()/ip_recv().
2558 Hence no need to duplicate for _in and _out.
2560 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2561 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2562 ssl_xfer_eof = ssl_xfer_error = FALSE;
2564 receive_getc = tls_getc;
2565 receive_getbuf = tls_getbuf;
2566 receive_get_cache = tls_get_cache;
2567 receive_ungetc = tls_ungetc;
2568 receive_feof = tls_feof;
2569 receive_ferror = tls_ferror;
2570 receive_smtp_buffered = tls_smtp_buffered;
2572 tls_in.active.sock = fileno(smtp_out);
2573 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
2581 tls_client_basic_ctx_init(SSL_CTX * ctx,
2582 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2586 /* stick to the old behaviour for compatibility if tls_verify_certificates is
2587 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2588 the specified host patterns if one of them is defined */
2590 if ( ( !ob->tls_verify_hosts
2591 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2593 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2595 client_verify_optional = FALSE;
2596 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2597 client_verify_optional = TRUE;
2601 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2602 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2606 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2608 cbinfo->verify_cert_hostnames =
2610 string_domain_utf8_to_alabel(host->name, NULL);
2614 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2615 cbinfo->verify_cert_hostnames);
2623 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2626 const char * hostnames[2] = { CS host->name, NULL };
2629 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2630 return tls_error(US"hostnames load", host, NULL, errstr);
2632 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2633 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2634 ) if (rr->type == T_TLSA && rr->size > 3)
2636 const uschar * p = rr->data;
2637 uint8_t usage, selector, mtype;
2638 const char * mdname;
2642 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2643 if (usage != 2 && usage != 3) continue;
2650 default: continue; /* Only match-types 0, 1, 2 are supported */
2651 case 0: mdname = NULL; break;
2652 case 1: mdname = "sha256"; break;
2653 case 2: mdname = "sha512"; break;
2657 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2660 return tls_error(US"tlsa load", host, NULL, errstr);
2661 case 0: /* action not taken */
2665 tls_out.tlsa_usage |= 1<<usage;
2671 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2674 #endif /*SUPPORT_DANE*/
2678 #ifdef EXPERIMENTAL_TLS_RESUME
2679 /* On the client, get any stashed session for the given IP from hints db
2680 and apply it to the ssl-connection for attempted resumption. */
2683 tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
2685 tlsp->resumption |= RESUME_SUPPORTED;
2686 if (tlsp->host_resumable)
2688 dbdata_tls_session * dt;
2690 open_db dbblock, * dbm_file;
2692 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2693 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
2694 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2696 /* key for the db is the IP */
2697 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
2699 SSL_SESSION * ss = NULL;
2700 const uschar * sess_asn1 = dt->session;
2702 len -= sizeof(dbdata_tls_session);
2703 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
2707 ERR_error_string_n(ERR_get_error(),
2708 ssl_errstring, sizeof(ssl_errstring));
2709 debug_printf("decoding session: %s\n", ssl_errstring);
2712 else if (!SSL_set_session(ssl, ss))
2716 ERR_error_string_n(ERR_get_error(),
2717 ssl_errstring, sizeof(ssl_errstring));
2718 debug_printf("applying session to ssl: %s\n", ssl_errstring);
2723 DEBUG(D_tls) debug_printf("good session\n");
2724 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2728 DEBUG(D_tls) debug_printf("no session record\n");
2729 dbfn_close(dbm_file);
2735 /* On the client, save the session for later resumption */
2738 tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
2740 tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
2743 DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
2745 if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
2747 # ifdef EXIM_HAVE_SESSION_TICKET
2749 if (SSL_SESSION_is_resumable(ss))
2751 int len = i2d_SSL_SESSION(ss, NULL);
2752 int dlen = sizeof(dbdata_tls_session) + len;
2753 dbdata_tls_session * dt = store_get(dlen);
2754 uschar * s = dt->session;
2755 open_db dbblock, * dbm_file;
2757 DEBUG(D_tls) debug_printf("session is resumable\n");
2758 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
2760 len = i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
2762 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2764 const uschar * key = cbinfo->host->address;
2765 dbfn_delete(dbm_file, key);
2766 dbfn_write(dbm_file, key, dt, dlen);
2767 dbfn_close(dbm_file);
2768 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
2778 tls_client_ctx_resume_prehandshake(
2779 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
2780 smtp_transport_options_block * ob, host_item * host)
2782 /* Should the client request a session resumption ticket? */
2783 if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2785 tlsp->host_resumable = TRUE;
2787 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
2788 SSL_SESS_CACHE_CLIENT
2789 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
2790 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
2795 tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
2796 host_item * host, uschar ** errstr)
2798 if (tlsp->host_resumable)
2801 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
2802 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
2804 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
2805 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
2807 tls_error(US"set ex_data", host, NULL, errstr);
2810 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
2813 tlsp->resumption = RESUME_SUPPORTED;
2814 /* Pick up a previous session, saved on an old ticket */
2815 tls_retrieve_session(tlsp, ssl, host->address);
2820 tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
2823 if (SSL_session_reused(exim_client_ctx->ssl))
2825 DEBUG(D_tls) debug_printf("The session was reused\n");
2826 tlsp->resumption |= RESUME_USED;
2829 #endif /* EXPERIMENTAL_TLS_RESUME */
2832 /*************************************************
2833 * Start a TLS session in a client *
2834 *************************************************/
2836 /* Called from the smtp transport after STARTTLS has been accepted.
2839 cctx connection context
2840 conn_args connection details
2841 cookie datum for randomness; can be NULL
2842 tlsp record details of TLS channel configuration here; must be non-NULL
2843 errstr error string pointer
2845 Returns: TRUE for success with TLS session context set in connection context,
2850 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2851 void * cookie, tls_support * tlsp, uschar ** errstr)
2853 host_item * host = conn_args->host; /* for msgs and option-tests */
2854 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2855 smtp_transport_options_block * ob = tb
2856 ? (smtp_transport_options_block *)tb->options_block
2857 : &smtp_transport_option_defaults;
2858 exim_openssl_client_tls_ctx * exim_client_ctx;
2859 uschar * expciphers;
2861 static uschar peerdn[256];
2863 #ifndef DISABLE_OCSP
2864 BOOL request_ocsp = FALSE;
2865 BOOL require_ocsp = FALSE;
2869 store_pool = POOL_PERM;
2870 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
2871 exim_client_ctx->corked = NULL;
2875 tlsp->tlsa_usage = 0;
2878 #ifndef DISABLE_OCSP
2880 # ifdef SUPPORT_DANE
2881 if ( conn_args->dane
2882 && ob->hosts_request_ocsp[0] == '*'
2883 && ob->hosts_request_ocsp[1] == '\0'
2886 /* Unchanged from default. Use a safer one under DANE */
2887 request_ocsp = TRUE;
2888 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2889 " {= {4}{$tls_out_tlsa_usage}} } "
2895 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
2896 request_ocsp = TRUE;
2898 # ifdef SUPPORT_DANE
2902 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2906 rc = tls_init(&exim_client_ctx->ctx, host, NULL,
2907 ob->tls_certificate, ob->tls_privatekey,
2908 #ifndef DISABLE_OCSP
2909 (void *)(long)request_ocsp,
2911 cookie, &client_static_cbinfo, tlsp, errstr);
2912 if (rc != OK) return FALSE;
2914 tlsp->certificate_verified = FALSE;
2915 client_verify_callback_called = FALSE;
2919 if (conn_args->dane)
2921 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2922 other failures should be treated as problems. */
2923 if (ob->dane_require_tls_ciphers &&
2924 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2925 &expciphers, errstr))
2927 if (expciphers && *expciphers == '\0')
2932 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2933 &expciphers, errstr))
2936 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2937 are separated by underscores. So that I can use either form in my tests, and
2938 also for general convenience, we turn underscores into hyphens here. */
2942 uschar *s = expciphers;
2943 while (*s) { if (*s == '_') *s = '-'; s++; }
2944 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2945 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2947 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2953 if (conn_args->dane)
2955 SSL_CTX_set_verify(exim_client_ctx->ctx,
2956 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2957 verify_callback_client_dane);
2959 if (!DANESSL_library_init())
2961 tls_error(US"library init", host, NULL, errstr);
2964 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2966 tls_error(US"context init", host, NULL, errstr);
2974 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2975 client_static_cbinfo, errstr) != OK)
2978 #ifdef EXPERIMENTAL_TLS_RESUME
2979 tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
2983 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
2985 tls_error(US"SSL_new", host, NULL, errstr);
2988 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
2990 #ifdef EXPERIMENTAL_TLS_RESUME
2991 if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
2996 SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
2997 SSL_set_connect_state(exim_client_ctx->ssl);
3001 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
3005 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3007 else if (!Ustrlen(tlsp->sni))
3011 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
3012 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3013 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
3015 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
3022 if (conn_args->dane)
3023 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3027 #ifndef DISABLE_OCSP
3028 /* Request certificate status at connection-time. If the server
3029 does OCSP stapling we will get the callback (set in tls_init()) */
3030 # ifdef SUPPORT_DANE
3034 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3035 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3037 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3038 this means we avoid the OCSP request, we wasted the setup
3039 cost in tls_init(). */
3040 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
3041 request_ocsp = require_ocsp
3042 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
3049 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
3050 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
3051 tlsp->ocsp = OCSP_NOT_RESP;
3055 #ifndef DISABLE_EVENT
3056 client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
3059 /* There doesn't seem to be a built-in timeout on connection. */
3061 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3062 sigalrm_seen = FALSE;
3063 ALARM(ob->command_timeout);
3064 rc = SSL_connect(exim_client_ctx->ssl);
3068 if (conn_args->dane)
3069 DANESSL_cleanup(exim_client_ctx->ssl);
3074 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
3080 debug_printf("SSL_connect succeeded\n");
3081 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
3083 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3084 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
3090 #ifdef EXPERIMENTAL_TLS_RESUME
3091 tls_client_resume_posthandshake(exim_client_ctx, tlsp);
3094 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
3096 tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
3097 tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
3099 /* Record the certificate we presented */
3101 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
3102 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
3105 tlsp->active.sock = cctx->sock;
3106 tlsp->active.tls_ctx = exim_client_ctx;
3107 cctx->tls_ctx = exim_client_ctx;
3116 tls_refill(unsigned lim)
3121 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
3122 ssl_xfer_buffer, ssl_xfer_buffer_size);
3124 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3125 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
3126 MIN(ssl_xfer_buffer_size, lim));
3127 error = SSL_get_error(server_ssl, inbytes);
3128 if (smtp_receive_timeout > 0) ALARM_CLR(0);
3130 if (had_command_timeout) /* set by signal handler */
3131 smtp_command_timeout_exit(); /* does not return */
3132 if (had_command_sigterm)
3133 smtp_command_sigterm_exit();
3134 if (had_data_timeout)
3135 smtp_data_timeout_exit();
3136 if (had_data_sigint)
3137 smtp_data_sigint_exit();
3139 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
3140 closed down, not that the socket itself has been closed down. Revert to
3141 non-SSL handling. */
3145 case SSL_ERROR_NONE:
3148 case SSL_ERROR_ZERO_RETURN:
3149 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3151 receive_getc = smtp_getc;
3152 receive_getbuf = smtp_getbuf;
3153 receive_get_cache = smtp_get_cache;
3154 receive_ungetc = smtp_ungetc;
3155 receive_feof = smtp_feof;
3156 receive_ferror = smtp_ferror;
3157 receive_smtp_buffered = smtp_buffered;
3159 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
3160 SSL_shutdown(server_ssl);
3162 #ifndef DISABLE_OCSP
3163 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3164 server_static_cbinfo->verify_stack = NULL;
3166 SSL_free(server_ssl);
3167 SSL_CTX_free(server_ctx);
3170 tls_in.active.sock = -1;
3171 tls_in.active.tls_ctx = NULL;
3173 tls_in.cipher = NULL;
3174 tls_in.peerdn = NULL;
3179 /* Handle genuine errors */
3181 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3182 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
3183 ssl_xfer_error = TRUE;
3187 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3188 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
3189 debug_printf(" - syscall %s\n", strerror(errno));
3190 ssl_xfer_error = TRUE;
3194 #ifndef DISABLE_DKIM
3195 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
3197 ssl_xfer_buffer_hwm = inbytes;
3198 ssl_xfer_buffer_lwm = 0;
3203 /*************************************************
3204 * TLS version of getc *
3205 *************************************************/
3207 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
3208 it refills the buffer via the SSL reading function.
3210 Arguments: lim Maximum amount to read/buffer
3211 Returns: the next character or EOF
3213 Only used by the server-side TLS.
3217 tls_getc(unsigned lim)
3219 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3220 if (!tls_refill(lim))
3221 return ssl_xfer_error ? EOF : smtp_getc(lim);
3223 /* Something in the buffer; return next uschar */
3225 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
3229 tls_getbuf(unsigned * len)
3234 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3235 if (!tls_refill(*len))
3237 if (!ssl_xfer_error) return smtp_getbuf(len);
3242 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
3244 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
3245 ssl_xfer_buffer_lwm += size;
3254 #ifndef DISABLE_DKIM
3255 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
3257 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
3263 tls_could_read(void)
3265 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
3269 /*************************************************
3270 * Read bytes from TLS channel *
3271 *************************************************/
3275 ct_ctx client context pointer, or NULL for the one global server context
3279 Returns: the number of bytes read
3280 -1 after a failed read, including EOF
3282 Only used by the client-side TLS.
3286 tls_read(void * ct_ctx, uschar *buff, size_t len)
3288 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3292 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
3293 buff, (unsigned int)len);
3295 inbytes = SSL_read(ssl, CS buff, len);
3296 error = SSL_get_error(ssl, inbytes);
3298 if (error == SSL_ERROR_ZERO_RETURN)
3300 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3303 else if (error != SSL_ERROR_NONE)
3313 /*************************************************
3314 * Write bytes down TLS channel *
3315 *************************************************/
3319 ct_ctx client context pointer, or NULL for the one global server context
3322 more further data expected soon
3324 Returns: the number of bytes after a successful write,
3325 -1 after a failed write
3327 Used by both server-side and client-side TLS.
3331 tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
3334 int outbytes, error;
3336 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3337 static gstring * server_corked = NULL;
3338 gstring ** corkedp = ct_ctx
3339 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
3340 gstring * corked = *corkedp;
3342 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
3343 buff, (unsigned long)len, more ? ", more" : "");
3345 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
3346 "more" is notified. This hack is only ok if small amounts are involved AND only
3347 one stream does it, in one context (i.e. no store reset). Currently it is used
3348 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
3349 We support callouts done by the server process by using a separate client
3350 context for the stashed information. */
3351 /* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
3352 a store reset there, so use POOL_PERM. */
3353 /* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
3355 if ((more || corked))
3357 #ifdef EXPERIMENTAL_PIPE_CONNECT
3358 int save_pool = store_pool;
3359 store_pool = POOL_PERM;
3362 corked = string_catn(corked, buff, len);
3364 #ifdef EXPERIMENTAL_PIPE_CONNECT
3365 store_pool = save_pool;
3373 buff = CUS corked->s;
3378 for (int left = len; left > 0;)
3380 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
3381 outbytes = SSL_write(ssl, CS buff, left);
3382 error = SSL_get_error(ssl, outbytes);
3383 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
3387 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3388 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
3391 case SSL_ERROR_NONE:
3396 case SSL_ERROR_ZERO_RETURN:
3397 log_write(0, LOG_MAIN, "SSL channel closed on write");
3400 case SSL_ERROR_SYSCALL:
3401 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
3402 sender_fullhost ? sender_fullhost : US"<unknown>",
3407 log_write(0, LOG_MAIN, "SSL_write error %d", error);
3416 /*************************************************
3417 * Close down a TLS session *
3418 *************************************************/
3420 /* This is also called from within a delivery subprocess forked from the
3421 daemon, to shut down the TLS library, without actually doing a shutdown (which
3422 would tamper with the SSL session in the parent process).
3425 ct_ctx client TLS context pointer, or NULL for the one global server context
3426 shutdown 1 if TLS close-alert is to be sent,
3427 2 if also response to be waited for
3431 Used by both server-side and client-side TLS.
3435 tls_close(void * ct_ctx, int shutdown)
3437 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3438 SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3439 SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3440 int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
3442 if (*fdp < 0) return; /* TLS was not active */
3447 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3448 shutdown > 1 ? " (with response-wait)" : "");
3450 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3454 rc = SSL_shutdown(*sslp); /* wait for response */
3458 if (rc < 0) DEBUG(D_tls)
3460 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3461 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3465 #ifndef DISABLE_OCSP
3466 if (!o_ctx) /* server side */
3468 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3469 server_static_cbinfo->verify_stack = NULL;
3473 SSL_CTX_free(*ctxp);
3483 /*************************************************
3484 * Let tls_require_ciphers be checked at startup *
3485 *************************************************/
3487 /* The tls_require_ciphers option, if set, must be something which the
3490 Returns: NULL on success, or error message
3494 tls_validate_require_cipher(void)
3497 uschar *s, *expciphers, *err;
3499 /* this duplicates from tls_init(), we need a better "init just global
3500 state, for no specific purpose" singleton function of our own */
3502 #ifdef EXIM_NEED_OPENSSL_INIT
3503 SSL_load_error_strings();
3504 OpenSSL_add_ssl_algorithms();
3506 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3507 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
3508 list of available digests. */
3509 EVP_add_digest(EVP_sha256());
3512 if (!(tls_require_ciphers && *tls_require_ciphers))
3515 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3517 return US"failed to expand tls_require_ciphers";
3519 if (!(expciphers && *expciphers))
3522 /* normalisation ripped from above */
3524 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3528 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3529 if (!(ctx = SSL_CTX_new(TLS_server_method())))
3531 if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3534 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3535 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3539 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3541 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3543 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3544 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3545 expciphers, ssl_errstring);
3556 /*************************************************
3557 * Report the library versions. *
3558 *************************************************/
3560 /* There have historically been some issues with binary compatibility in
3561 OpenSSL libraries; if Exim (like many other applications) is built against
3562 one version of OpenSSL but the run-time linker picks up another version,
3563 it can result in serious failures, including crashing with a SIGSEGV. So
3564 report the version found by the compiler and the run-time version.
3566 Note: some OS vendors backport security fixes without changing the version
3567 number/string, and the version date remains unchanged. The _build_ date
3568 will change, so we can more usefully assist with version diagnosis by also
3569 reporting the build date.
3571 Arguments: a FILE* to print the results to
3576 tls_version_report(FILE *f)
3578 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
3581 OPENSSL_VERSION_TEXT,
3582 SSLeay_version(SSLEAY_VERSION),
3583 SSLeay_version(SSLEAY_BUILT_ON));
3584 /* third line is 38 characters for the %s and the line is 73 chars long;
3585 the OpenSSL output includes a "built on: " prefix already. */
3591 /*************************************************
3592 * Random number generation *
3593 *************************************************/
3595 /* Pseudo-random number generation. The result is not expected to be
3596 cryptographically strong but not so weak that someone will shoot themselves
3597 in the foot using it as a nonce in input in some email header scheme or
3598 whatever weirdness they'll twist this into. The result should handle fork()
3599 and avoid repeating sequences. OpenSSL handles that for us.
3603 Returns a random number in range [0, max-1]
3607 vaguely_random_number(int max)
3611 static pid_t pidlast = 0;
3613 uschar smallbuf[sizeof(r)];
3619 if (pidnow != pidlast)
3621 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3622 is unique for each thread", this doesn't apparently apply across processes,
3623 so our own warning from vaguely_random_number_fallback() applies here too.
3624 Fix per PostgreSQL. */
3630 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3634 gettimeofday(&r.tv, NULL);
3637 RAND_seed(US (&r), sizeof(r));
3639 /* We're after pseudo-random, not random; if we still don't have enough data
3640 in the internal PRNG then our options are limited. We could sleep and hope
3641 for entropy to come along (prayer technique) but if the system is so depleted
3642 in the first place then something is likely to just keep taking it. Instead,
3643 we'll just take whatever little bit of pseudo-random we can still manage to
3646 needed_len = sizeof(r);
3647 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3648 asked for a number less than 10. */
3649 for (r = max, i = 0; r; ++i)
3655 #ifdef EXIM_HAVE_RAND_PSEUDO
3656 /* We do not care if crypto-strong */
3657 i = RAND_pseudo_bytes(smallbuf, needed_len);
3659 i = RAND_bytes(smallbuf, needed_len);
3665 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3666 return vaguely_random_number_fallback(max);
3670 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3673 /* We don't particularly care about weighted results; if someone wants
3674 smooth distribution and cares enough then they should submit a patch then. */
3681 /*************************************************
3682 * OpenSSL option parse *
3683 *************************************************/
3685 /* Parse one option for tls_openssl_options_parse below
3688 name one option name
3689 value place to store a value for it
3690 Returns success or failure in parsing
3696 tls_openssl_one_option_parse(uschar *name, long *value)
3699 int last = exim_openssl_options_size;
3700 while (last > first)
3702 int middle = (first + last)/2;
3703 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3706 *value = exim_openssl_options[middle].value;
3720 /*************************************************
3721 * OpenSSL option parsing logic *
3722 *************************************************/
3724 /* OpenSSL has a number of compatibility options which an administrator might
3725 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3726 we look like log_selector.
3729 option_spec the administrator-supplied string of options
3730 results ptr to long storage for the options bitmap
3731 Returns success or failure
3735 tls_openssl_options_parse(uschar *option_spec, long *results)
3740 BOOL adding, item_parsed;
3742 /* Server: send no (<= TLS1.2) session tickets */
3743 result = SSL_OP_NO_TICKET;
3745 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
3746 * from default because it increases BEAST susceptibility. */
3747 #ifdef SSL_OP_NO_SSLv2
3748 result |= SSL_OP_NO_SSLv2;
3750 #ifdef SSL_OP_NO_SSLv3
3751 result |= SSL_OP_NO_SSLv3;
3753 #ifdef SSL_OP_SINGLE_DH_USE
3754 result |= SSL_OP_SINGLE_DH_USE;
3763 for (uschar * s = option_spec; *s; /**/)
3765 while (isspace(*s)) ++s;
3768 if (*s != '+' && *s != '-')
3770 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
3771 "+ or - expected but found \"%s\"\n", s);
3774 adding = *s++ == '+';
3775 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3778 item_parsed = tls_openssl_one_option_parse(s, &item);
3782 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
3785 DEBUG(D_tls) debug_printf("openssl option, %s %8lx: %lx (%s)\n",
3786 adding ? "adding to " : "removing from", result, item, s);
3798 #endif /*!MACRO_PREDEF*/
3801 /* End of tls-openssl.c */