1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
29 # include <openssl/ocsp.h>
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
44 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
45 # define EXIM_HAVE_RSA_GENKEY_EX
47 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
48 # define EXIM_HAVE_OCSP_RESP_COUNT
50 # define EXIM_HAVE_EPHEM_RSA_KEX
51 # define EXIM_HAVE_RAND_PSEUDO
53 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54 # define EXIM_HAVE_SHA256
57 /* X509_check_host provides sane certificate hostname checking, but was added
58 to OpenSSL late, after other projects forked off the code-base. So in
59 addition to guarding against the base version number, beware that LibreSSL
60 does not (at this time) support this function.
62 If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63 opt to disentangle and ask a LibreSSL user to provide glue for a third
64 crypto provider for libtls instead of continuing to tie the OpenSSL glue
65 into even twistier knots. If LibreSSL gains the same API, we can just
66 change this guard and punt the issue for a while longer. */
68 #ifndef LIBRESSL_VERSION_NUMBER
69 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
70 # define EXIM_HAVE_OPENSSL_CHECKHOST
71 # define EXIM_HAVE_OPENSSL_DH_BITS
72 # define EXIM_HAVE_OPENSSL_TLS_METHOD
74 # define EXIM_NEED_OPENSSL_INIT
76 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
77 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
78 # define EXIM_HAVE_OPENSSL_CHECKHOST
82 #if !defined(LIBRESSL_VERSION_NUMBER) \
83 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
84 # if !defined(OPENSSL_NO_ECDH)
85 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
86 # define EXIM_HAVE_ECDH
88 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
89 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
94 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
95 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
99 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
100 # include <openssl/x509v3.h>
103 /*************************************************
104 * OpenSSL option parse *
105 *************************************************/
107 typedef struct exim_openssl_option {
110 } exim_openssl_option;
111 /* We could use a macro to expand, but we need the ifdef and not all the
112 options document which version they were introduced in. Policylet: include
113 all options unless explicitly for DTLS, let the administrator choose which
116 This list is current as of:
118 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
119 Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
121 static exim_openssl_option exim_openssl_options[] = {
122 /* KEEP SORTED ALPHABETICALLY! */
124 { US"all", SSL_OP_ALL },
126 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
127 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
129 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
130 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
132 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
133 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
135 #ifdef SSL_OP_EPHEMERAL_RSA
136 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
138 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
139 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
141 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
142 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
144 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
145 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
147 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
148 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
150 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
151 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
153 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
154 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
156 #ifdef SSL_OP_NO_COMPRESSION
157 { US"no_compression", SSL_OP_NO_COMPRESSION },
159 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
160 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
162 #ifdef SSL_OP_NO_SSLv2
163 { US"no_sslv2", SSL_OP_NO_SSLv2 },
165 #ifdef SSL_OP_NO_SSLv3
166 { US"no_sslv3", SSL_OP_NO_SSLv3 },
168 #ifdef SSL_OP_NO_TICKET
169 { US"no_ticket", SSL_OP_NO_TICKET },
171 #ifdef SSL_OP_NO_TLSv1
172 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
174 #ifdef SSL_OP_NO_TLSv1_1
175 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
176 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
177 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
179 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
182 #ifdef SSL_OP_NO_TLSv1_2
183 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
185 #ifdef SSL_OP_NO_TLSv1_3
186 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
188 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
189 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
191 #ifdef SSL_OP_SINGLE_DH_USE
192 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
194 #ifdef SSL_OP_SINGLE_ECDH_USE
195 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
197 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
198 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
200 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
201 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
203 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
204 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
206 #ifdef SSL_OP_TLS_D5_BUG
207 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
209 #ifdef SSL_OP_TLS_ROLLBACK_BUG
210 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
215 static int exim_openssl_options_size = nelem(exim_openssl_options);
224 for (struct exim_openssl_option * o = exim_openssl_options;
225 o < exim_openssl_options + nelem(exim_openssl_options); o++)
227 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
228 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
230 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
231 builtin_macro_create(buf);
236 /******************************************************************************/
238 /* Structure for collecting random data for seeding. */
240 typedef struct randstuff {
245 /* Local static variables */
247 static BOOL client_verify_callback_called = FALSE;
248 static BOOL server_verify_callback_called = FALSE;
249 static const uschar *sid_ctx = US"exim";
251 /* We have three different contexts to care about.
253 Simple case: client, `client_ctx`
254 As a client, we can be doing a callout or cut-through delivery while receiving
255 a message. So we have a client context, which should have options initialised
256 from the SMTP Transport. We may also concurrently want to make TLS connections
257 to utility daemons, so client-contexts are allocated and passed around in call
258 args rather than using a gobal.
261 There are two cases: with and without ServerNameIndication from the client.
262 Given TLS SNI, we can be using different keys, certs and various other
263 configuration settings, because they're re-expanded with $tls_sni set. This
264 allows vhosting with TLS. This SNI is sent in the handshake.
265 A client might not send SNI, so we need a fallback, and an initial setup too.
266 So as a server, we start out using `server_ctx`.
267 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
268 `server_sni` from `server_ctx` and then initialise settings by re-expanding
275 } exim_openssl_client_tls_ctx;
277 static SSL_CTX *server_ctx = NULL;
278 static SSL *server_ssl = NULL;
280 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
281 static SSL_CTX *server_sni = NULL;
284 static char ssl_errstring[256];
286 static int ssl_session_timeout = 200;
287 static BOOL client_verify_optional = FALSE;
288 static BOOL server_verify_optional = FALSE;
290 static BOOL reexpand_tls_files_for_sni = FALSE;
293 typedef struct tls_ext_ctx_cb {
298 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
302 uschar *file_expanded;
303 OCSP_RESPONSE *response;
306 X509_STORE *verify_store; /* non-null if status requested */
307 BOOL verify_required;
312 /* these are cached from first expand */
313 uschar *server_cipher_list;
314 /* only passed down to tls_error: */
316 const uschar * verify_cert_hostnames;
317 #ifndef DISABLE_EVENT
318 uschar * event_action;
322 /* should figure out a cleanup of API to handle state preserved per
323 implementation, for various reasons, which can be void * in the APIs.
324 For now, we hack around it. */
325 tls_ext_ctx_cb *client_static_cbinfo = NULL;
326 tls_ext_ctx_cb *server_static_cbinfo = NULL;
329 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
330 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
333 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
334 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
337 static int tls_server_stapling_cb(SSL *s, void *arg);
341 /*************************************************
343 *************************************************/
345 /* Called from lots of places when errors occur before actually starting to do
346 the TLS handshake, that is, while the session is still in clear. Always returns
347 DEFER for a server and FAIL for a client so that most calls can use "return
348 tls_error(...)" to do this processing and then give an appropriate return. A
349 single function is used for both server and client, because it is called from
350 some shared functions.
353 prefix text to include in the logged error
354 host NULL if setting up a server;
355 the connected host if setting up a client
356 msg error message or NULL if we should ask OpenSSL
357 errstr pointer to output error message
359 Returns: OK/DEFER/FAIL
363 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
367 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
368 msg = US ssl_errstring;
371 msg = string_sprintf("(%s): %s", prefix, msg);
372 DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
373 if (errstr) *errstr = msg;
374 return host ? FAIL : DEFER;
379 /*************************************************
380 * Callback to generate RSA key *
381 *************************************************/
385 s SSL connection (not used)
389 Returns: pointer to generated key
393 rsa_callback(SSL *s, int export, int keylength)
396 #ifdef EXIM_HAVE_RSA_GENKEY_EX
397 BIGNUM *bn = BN_new();
400 export = export; /* Shut picky compilers up */
401 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
403 #ifdef EXIM_HAVE_RSA_GENKEY_EX
404 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
405 || !(rsa_key = RSA_new())
406 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
409 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
413 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
414 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
426 x509_store_dump_cert_s_names(X509_STORE * store)
428 STACK_OF(X509_OBJECT) * roots= store->objs;
429 static uschar name[256];
431 for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
433 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
434 if(tmp_obj->type == X509_LU_X509)
436 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
437 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
439 name[sizeof(name)-1] = '\0';
440 debug_printf(" %s\n", name);
449 #ifndef DISABLE_EVENT
451 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
452 BOOL *calledp, const BOOL *optionalp, const uschar * what)
458 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
461 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
462 old_cert = tlsp->peercert;
463 tlsp->peercert = X509_dup(cert);
464 /* NB we do not bother setting peerdn */
465 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
467 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
468 "depth=%d cert=%s: %s",
469 tlsp == &tls_out ? deliver_host_address : sender_host_address,
470 what, depth, dn, yield);
474 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
475 return 1; /* reject (leaving peercert set) */
477 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
478 "(host in tls_try_verify_hosts)\n");
480 X509_free(tlsp->peercert);
481 tlsp->peercert = old_cert;
487 /*************************************************
488 * Callback for verification *
489 *************************************************/
491 /* The SSL library does certificate verification if set up to do so. This
492 callback has the current yes/no state is in "state". If verification succeeded,
493 we set the certificate-verified flag. If verification failed, what happens
494 depends on whether the client is required to present a verifiable certificate
497 If verification is optional, we change the state to yes, but still log the
498 verification error. For some reason (it really would help to have proper
499 documentation of OpenSSL), this callback function then gets called again, this
500 time with state = 1. We must take care not to set the private verified flag on
501 the second time through.
503 Note: this function is not called if the client fails to present a certificate
504 when asked. We get here only if a certificate has been received. Handling of
505 optional verification for this case is done when requesting SSL to verify, by
506 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
508 May be called multiple times for different issues with a certificate, even
509 for a given "depth" in the certificate chain.
512 preverify_ok current yes/no state as 1/0
513 x509ctx certificate information.
514 tlsp per-direction (client vs. server) support data
515 calledp has-been-called flag
516 optionalp verification-is-optional flag
518 Returns: 0 if verification should fail, otherwise 1
522 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
523 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
525 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
526 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
529 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
531 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
532 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
533 tlsp == &tls_out ? deliver_host_address : sender_host_address);
536 dn[sizeof(dn)-1] = '\0';
538 if (preverify_ok == 0)
540 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
541 *verify_mode, sender_host_address)
543 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
544 tlsp == &tls_out ? deliver_host_address : sender_host_address,
546 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
551 tlsp->peercert = X509_dup(cert); /* record failing cert */
552 return 0; /* reject */
554 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
555 "tls_try_verify_hosts)\n");
560 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
562 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
563 { /* client, wanting stapling */
564 /* Add the server cert's signing chain as the one
565 for the verification of the OCSP stapled information. */
567 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
570 sk_X509_push(client_static_cbinfo->verify_stack, cert);
573 #ifndef DISABLE_EVENT
574 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
575 return 0; /* reject, with peercert set */
580 const uschar * verify_cert_hostnames;
582 if ( tlsp == &tls_out
583 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
584 /* client, wanting hostname check */
587 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
588 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
589 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
591 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
592 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
595 const uschar * list = verify_cert_hostnames;
598 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
599 if ((rc = X509_check_host(cert, CCS name, 0,
600 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
601 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
606 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
607 tlsp == &tls_out ? deliver_host_address : sender_host_address);
614 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
617 uschar * extra = verify_mode
618 ? string_sprintf(" (during %c-verify for [%s])",
619 *verify_mode, sender_host_address)
621 log_write(0, LOG_MAIN,
622 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
623 tlsp == &tls_out ? deliver_host_address : sender_host_address,
624 extra, dn, verify_cert_hostnames);
629 tlsp->peercert = X509_dup(cert); /* record failing cert */
630 return 0; /* reject */
632 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
633 "tls_try_verify_hosts)\n");
637 #ifndef DISABLE_EVENT
638 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
639 return 0; /* reject, with peercert set */
642 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
643 *calledp ? "" : " authenticated", dn);
644 if (!*calledp) tlsp->certificate_verified = TRUE;
648 return 1; /* accept, at least for this level */
652 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
654 return verify_callback(preverify_ok, x509ctx, &tls_out,
655 &client_verify_callback_called, &client_verify_optional);
659 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
661 return verify_callback(preverify_ok, x509ctx, &tls_in,
662 &server_verify_callback_called, &server_verify_optional);
668 /* This gets called *by* the dane library verify callback, which interposes
672 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
674 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
676 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
677 #ifndef DISABLE_EVENT
678 BOOL dummy_called, optional = FALSE;
681 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
683 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
684 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
685 deliver_host_address);
688 dn[sizeof(dn)-1] = '\0';
690 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
691 preverify_ok ? "ok":"BAD", depth, dn);
693 #ifndef DISABLE_EVENT
694 if (verify_event(&tls_out, cert, depth, dn,
695 &dummy_called, &optional, US"DANE"))
696 return 0; /* reject, with peercert set */
699 if (preverify_ok == 1)
701 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
703 if (client_static_cbinfo->u_ocsp.client.verify_store)
704 { /* client, wanting stapling */
705 /* Add the server cert's signing chain as the one
706 for the verification of the OCSP stapled information. */
708 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
711 sk_X509_push(client_static_cbinfo->verify_stack, cert);
717 int err = X509_STORE_CTX_get_error(x509ctx);
719 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
720 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
726 #endif /*SUPPORT_DANE*/
729 /*************************************************
730 * Information callback *
731 *************************************************/
733 /* The SSL library functions call this from time to time to indicate what they
734 are doing. We copy the string to the debugging output when TLS debugging has
746 info_callback(SSL *s, int where, int ret)
752 if (where & SSL_ST_CONNECT)
753 str = US"SSL_connect";
754 else if (where & SSL_ST_ACCEPT)
755 str = US"SSL_accept";
757 str = US"SSL info (undefined)";
759 if (where & SSL_CB_LOOP)
760 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
761 else if (where & SSL_CB_ALERT)
762 debug_printf("SSL3 alert %s:%s:%s\n",
763 str = where & SSL_CB_READ ? US"read" : US"write",
764 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
765 else if (where & SSL_CB_EXIT)
767 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
769 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
770 else if (where & SSL_CB_HANDSHAKE_START)
771 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
772 else if (where & SSL_CB_HANDSHAKE_DONE)
773 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
779 /*************************************************
780 * Initialize for DH *
781 *************************************************/
783 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
786 sctx The current SSL CTX (inbound or outbound)
787 dhparam DH parameter file or fixed parameter identity string
788 host connected host, if client; NULL if server
789 errstr error string pointer
791 Returns: TRUE if OK (nothing to set up, or setup worked)
795 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
803 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
806 if (!dhexpanded || !*dhexpanded)
807 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
808 else if (dhexpanded[0] == '/')
810 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
812 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
813 host, US strerror(errno), errstr);
819 if (Ustrcmp(dhexpanded, "none") == 0)
821 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
825 if (!(pem = std_dh_prime_named(dhexpanded)))
827 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
828 host, US strerror(errno), errstr);
831 bio = BIO_new_mem_buf(CS pem, -1);
834 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
837 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
842 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
843 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
844 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
845 * If someone wants to dance at the edge, then they can raise the limit or use
846 * current libraries. */
847 #ifdef EXIM_HAVE_OPENSSL_DH_BITS
848 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
849 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
850 dh_bitsize = DH_bits(dh);
852 dh_bitsize = 8 * DH_size(dh);
855 /* Even if it is larger, we silently return success rather than cause things
856 * to fail out, so that a too-large DH will not knock out all TLS; it's a
857 * debatable choice. */
858 if (dh_bitsize > tls_dh_max_bits)
861 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
862 dh_bitsize, tls_dh_max_bits);
866 SSL_CTX_set_tmp_dh(sctx, dh);
868 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
869 dhexpanded ? dhexpanded : US"default", dh_bitsize);
881 /*************************************************
882 * Initialize for ECDH *
883 *************************************************/
885 /* Load parameters for ECDH encryption.
887 For now, we stick to NIST P-256 because: it's simple and easy to configure;
888 it avoids any patent issues that might bite redistributors; despite events in
889 the news and concerns over curve choices, we're not cryptographers, we're not
890 pretending to be, and this is "good enough" to be better than no support,
891 protecting against most adversaries. Given another year or two, there might
892 be sufficient clarity about a "right" way forward to let us make an informed
893 decision, instead of a knee-jerk reaction.
895 Longer-term, we should look at supporting both various named curves and
896 external files generated with "openssl ecparam", much as we do for init_dh().
897 We should also support "none" as a value, to explicitly avoid initialisation.
902 sctx The current SSL CTX (inbound or outbound)
903 host connected host, if client; NULL if server
904 errstr error string pointer
906 Returns: TRUE if OK (nothing to set up, or setup worked)
910 init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
912 #ifdef OPENSSL_NO_ECDH
921 if (host) /* No ECDH setup for clients, only for servers */
924 # ifndef EXIM_HAVE_ECDH
926 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
930 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
932 if (!exp_curve || !*exp_curve)
935 /* "auto" needs to be handled carefully.
936 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
937 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
938 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
939 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
940 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
942 if (Ustrcmp(exp_curve, "auto") == 0)
944 #if OPENSSL_VERSION_NUMBER < 0x10002000L
945 DEBUG(D_tls) debug_printf(
946 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
947 exp_curve = US"prime256v1";
949 # if defined SSL_CTRL_SET_ECDH_AUTO
950 DEBUG(D_tls) debug_printf(
951 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
952 SSL_CTX_set_ecdh_auto(sctx, 1);
955 DEBUG(D_tls) debug_printf(
956 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
962 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
963 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
964 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
965 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
969 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
974 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
976 tls_error(US"Unable to create ec curve", host, NULL, errstr);
980 /* The "tmp" in the name here refers to setting a temporary key
981 not to the stability of the interface. */
983 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
984 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
986 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
991 # endif /*EXIM_HAVE_ECDH*/
992 #endif /*OPENSSL_NO_ECDH*/
999 /*************************************************
1000 * Load OCSP information into state *
1001 *************************************************/
1002 /* Called to load the server OCSP response from the given file into memory, once
1003 caller has determined this is needed. Checks validity. Debugs a message
1006 ASSUMES: single response, for single cert.
1009 sctx the SSL_CTX* to update
1010 cbinfo various parts of session state
1011 expanded the filename putatively holding an OCSP response
1016 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
1019 OCSP_RESPONSE * resp;
1020 OCSP_BASICRESP * basic_response;
1021 OCSP_SINGLERESP * single_response;
1022 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1023 STACK_OF(X509) * sk;
1024 unsigned long verify_flags;
1025 int status, reason, i;
1027 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1028 if (cbinfo->u_ocsp.server.response)
1030 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1031 cbinfo->u_ocsp.server.response = NULL;
1034 if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
1036 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
1037 cbinfo->u_ocsp.server.file_expanded);
1041 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1045 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1049 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1051 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1052 OCSP_response_status_str(status), status);
1056 if (!(basic_response = OCSP_response_get1_basic(resp)))
1059 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1063 sk = cbinfo->verify_stack;
1064 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1066 /* May need to expose ability to adjust those flags?
1067 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1068 OCSP_TRUSTOTHER OCSP_NOINTERN */
1070 /* This does a full verify on the OCSP proof before we load it for serving
1071 up; possibly overkill - just date-checks might be nice enough.
1073 OCSP_basic_verify takes a "store" arg, but does not
1074 use it for the chain verification, which is all we do
1075 when OCSP_NOVERIFY is set. The content from the wire
1076 "basic_response" and a cert-stack "sk" are all that is used.
1078 We have a stack, loaded in setup_certs() if tls_verify_certificates
1079 was a file (not a directory, or "system"). It is unfortunate we
1080 cannot used the connection context store, as that would neatly
1081 handle the "system" case too, but there seems to be no library
1082 function for getting a stack from a store.
1083 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1084 We do not free the stack since it could be needed a second time for
1087 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1088 be a public interface into the OpenSSL library (there's no manual entry) -
1089 But what with? We also use OCSP_basic_verify in the client stapling callback.
1090 And there we NEED it; we must verify that status... unless the
1091 library does it for us anyway? */
1093 if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
1097 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1098 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
1103 /* Here's the simplifying assumption: there's only one response, for the
1104 one certificate we use, and nothing for anything else in a chain. If this
1105 proves false, we need to extract a cert id from our issued cert
1106 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1107 right cert in the stack and then calls OCSP_single_get0_status()).
1109 I'm hoping to avoid reworking a bunch more of how we handle state here. */
1111 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1114 debug_printf("Unable to get first response from OCSP basic response.\n");
1118 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1119 if (status != V_OCSP_CERTSTATUS_GOOD)
1121 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1122 OCSP_cert_status_str(status), status,
1123 OCSP_crl_reason_str(reason), reason);
1127 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1129 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
1134 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
1138 if (f.running_in_test_harness)
1140 extern char ** environ;
1141 if (environ) for (uschar ** p = USS environ; *p; p++)
1142 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1144 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1145 goto supply_response;
1150 #endif /*!DISABLE_OCSP*/
1155 /* Create and install a selfsigned certificate, for use in server mode */
1158 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
1166 where = US"allocating pkey";
1167 if (!(pkey = EVP_PKEY_new()))
1170 where = US"allocating cert";
1171 if (!(x509 = X509_new()))
1174 where = US"generating pkey";
1175 if (!(rsa = rsa_callback(NULL, 0, 2048)))
1178 where = US"assigning pkey";
1179 if (!EVP_PKEY_assign_RSA(pkey, rsa))
1182 X509_set_version(x509, 2); /* N+1 - version 3 */
1183 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
1184 X509_gmtime_adj(X509_get_notBefore(x509), 0);
1185 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1186 X509_set_pubkey(x509, pkey);
1188 name = X509_get_subject_name(x509);
1189 X509_NAME_add_entry_by_txt(name, "C",
1190 MBSTRING_ASC, CUS "UK", -1, -1, 0);
1191 X509_NAME_add_entry_by_txt(name, "O",
1192 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
1193 X509_NAME_add_entry_by_txt(name, "CN",
1194 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1195 X509_set_issuer_name(x509, name);
1197 where = US"signing cert";
1198 if (!X509_sign(x509, pkey, EVP_md5()))
1201 where = US"installing selfsign cert";
1202 if (!SSL_CTX_use_certificate(sctx, x509))
1205 where = US"installing selfsign key";
1206 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1212 (void) tls_error(where, NULL, NULL, errstr);
1213 if (x509) X509_free(x509);
1214 if (pkey) EVP_PKEY_free(pkey);
1222 tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1225 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1226 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1227 return tls_error(string_sprintf(
1228 "SSL_CTX_use_certificate_chain_file file=%s", file),
1229 cbinfo->host, NULL, errstr);
1234 tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1237 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1238 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1239 return tls_error(string_sprintf(
1240 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1245 /*************************************************
1246 * Expand key and cert file specs *
1247 *************************************************/
1249 /* Called once during tls_init and possibly again during TLS setup, for a
1250 new context, if Server Name Indication was used and tls_sni was seen in
1251 the certificate string.
1254 sctx the SSL_CTX* to update
1255 cbinfo various parts of session state
1256 errstr error string pointer
1258 Returns: OK/DEFER/FAIL
1262 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1267 if (!cbinfo->certificate)
1269 if (!cbinfo->is_server) /* client */
1272 if (tls_install_selfsign(sctx, errstr) != OK)
1279 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1280 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1281 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1283 reexpand_tls_files_for_sni = TRUE;
1285 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1289 if (cbinfo->is_server)
1291 const uschar * file_list = expanded;
1295 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1296 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1299 else /* would there ever be a need for multiple client certs? */
1300 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1303 if ( cbinfo->privatekey
1304 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1307 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1308 of the expansion is an empty string, ignore it also, and assume the private
1309 key is in the same file as the certificate. */
1311 if (expanded && *expanded)
1312 if (cbinfo->is_server)
1314 const uschar * file_list = expanded;
1318 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1319 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1322 else /* would there ever be a need for multiple client certs? */
1323 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1327 #ifndef DISABLE_OCSP
1328 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1331 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
1334 if (expanded && *expanded)
1336 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1337 if ( cbinfo->u_ocsp.server.file_expanded
1338 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1340 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1343 ocsp_load_response(sctx, cbinfo, expanded);
1354 /*************************************************
1355 * Callback to handle SNI *
1356 *************************************************/
1358 /* Called when acting as server during the TLS session setup if a Server Name
1359 Indication extension was sent by the client.
1361 API documentation is OpenSSL s_server.c implementation.
1364 s SSL* of the current session
1365 ad unknown (part of OpenSSL API) (unused)
1366 arg Callback of "our" registered data
1368 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1371 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1373 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1375 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1376 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1378 int old_pool = store_pool;
1379 uschar * dummy_errstr;
1382 return SSL_TLSEXT_ERR_OK;
1384 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1385 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1387 /* Make the extension value available for expansion */
1388 store_pool = POOL_PERM;
1389 tls_in.sni = string_copy(US servername);
1390 store_pool = old_pool;
1392 if (!reexpand_tls_files_for_sni)
1393 return SSL_TLSEXT_ERR_OK;
1395 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1396 not confident that memcpy wouldn't break some internal reference counting.
1397 Especially since there's a references struct member, which would be off. */
1399 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1400 if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1402 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1405 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1406 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1410 /* Not sure how many of these are actually needed, since SSL object
1411 already exists. Might even need this selfsame callback, for reneg? */
1413 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1414 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1415 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1416 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1417 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1418 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1420 if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1421 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1425 if ( cbinfo->server_cipher_list
1426 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
1429 #ifndef DISABLE_OCSP
1430 if (cbinfo->u_ocsp.server.file)
1432 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1433 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1437 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1438 verify_callback_server, &dummy_errstr)) != OK)
1441 /* do this after setup_certs, because this can require the certs for verifying
1442 OCSP information. */
1443 if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1446 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1447 SSL_set_SSL_CTX(s, server_sni);
1448 return SSL_TLSEXT_ERR_OK;
1450 bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
1452 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1457 #ifndef DISABLE_OCSP
1459 /*************************************************
1460 * Callback to handle OCSP Stapling *
1461 *************************************************/
1463 /* Called when acting as server during the TLS session setup if the client
1464 requests OCSP information with a Certificate Status Request.
1466 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1472 tls_server_stapling_cb(SSL *s, void *arg)
1474 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1475 uschar *response_der; /*XXX blob */
1476 int response_der_len;
1478 /*XXX stack: use SSL_get_certificate() to see which cert; from that work
1479 out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1480 buggy in current OpenSSL; it returns the last cert loaded always rather than
1481 the one actually presented. So we can't support a stack of OCSP proofs at
1485 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1486 cbinfo->u_ocsp.server.response ? "have" : "lack");
1488 tls_in.ocsp = OCSP_NOT_RESP;
1489 if (!cbinfo->u_ocsp.server.response)
1490 return SSL_TLSEXT_ERR_NOACK;
1492 response_der = NULL;
1493 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
1495 if (response_der_len <= 0)
1496 return SSL_TLSEXT_ERR_NOACK;
1498 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1499 tls_in.ocsp = OCSP_VFIED;
1500 return SSL_TLSEXT_ERR_OK;
1505 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1507 BIO_printf(bp, "\t%s: ", str);
1508 ASN1_GENERALIZEDTIME_print(bp, time);
1513 tls_client_stapling_cb(SSL *s, void *arg)
1515 tls_ext_ctx_cb * cbinfo = arg;
1516 const unsigned char * p;
1518 OCSP_RESPONSE * rsp;
1519 OCSP_BASICRESP * bs;
1522 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1523 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1526 /* Expect this when we requested ocsp but got none */
1527 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1528 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1530 DEBUG(D_tls) debug_printf(" null\n");
1531 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1534 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1536 tls_out.ocsp = OCSP_FAILED;
1537 if (LOGGING(tls_cipher))
1538 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1540 DEBUG(D_tls) debug_printf(" parse error\n");
1544 if(!(bs = OCSP_response_get1_basic(rsp)))
1546 tls_out.ocsp = OCSP_FAILED;
1547 if (LOGGING(tls_cipher))
1548 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1550 DEBUG(D_tls) debug_printf(" error parsing response\n");
1551 OCSP_RESPONSE_free(rsp);
1555 /* We'd check the nonce here if we'd put one in the request. */
1556 /* However that would defeat cacheability on the server so we don't. */
1558 /* This section of code reworked from OpenSSL apps source;
1559 The OpenSSL Project retains copyright:
1560 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1565 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1567 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1569 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1571 /* Use the chain that verified the server cert to verify the stapled info */
1572 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1574 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1575 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1577 tls_out.ocsp = OCSP_FAILED;
1578 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1579 "Received TLS cert status response, itself unverifiable: %s",
1580 ERR_reason_error_string(ERR_peek_error()));
1581 BIO_printf(bp, "OCSP response verify failure\n");
1582 ERR_print_errors(bp);
1583 OCSP_RESPONSE_print(bp, rsp, 0);
1587 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1589 /*XXX So we have a good stapled OCSP status. How do we know
1590 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1591 OCSP_resp_find_status() which matches on a cert id, which presumably
1592 we should use. Making an id needs OCSP_cert_id_new(), which takes
1593 issuerName, issuerKey, serialNumber. Are they all in the cert?
1595 For now, carry on blindly accepting the resp. */
1598 OCSP_SINGLERESP * single;
1600 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1601 if (OCSP_resp_count(bs) != 1)
1603 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1604 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1607 tls_out.ocsp = OCSP_FAILED;
1608 log_write(0, LOG_MAIN, "OCSP stapling "
1609 "with multiple responses not handled");
1612 single = OCSP_resp_get0(bs, 0);
1613 status = OCSP_single_get0_status(single, &reason, &rev,
1614 &thisupd, &nextupd);
1617 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1618 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1619 if (!OCSP_check_validity(thisupd, nextupd,
1620 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1622 tls_out.ocsp = OCSP_FAILED;
1623 DEBUG(D_tls) ERR_print_errors(bp);
1624 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1628 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1629 OCSP_cert_status_str(status));
1632 case V_OCSP_CERTSTATUS_GOOD:
1633 tls_out.ocsp = OCSP_VFIED;
1636 case V_OCSP_CERTSTATUS_REVOKED:
1637 tls_out.ocsp = OCSP_FAILED;
1638 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1639 reason != -1 ? "; reason: " : "",
1640 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1641 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1644 tls_out.ocsp = OCSP_FAILED;
1645 log_write(0, LOG_MAIN,
1646 "Server certificate status unknown, in OCSP stapling");
1651 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1656 OCSP_RESPONSE_free(rsp);
1659 #endif /*!DISABLE_OCSP*/
1662 /*************************************************
1663 * Initialize for TLS *
1664 *************************************************/
1666 /* Called from both server and client code, to do preliminary initialization
1667 of the library. We allocate and return a context structure.
1670 ctxp returned SSL context
1671 host connected host, if client; NULL if server
1672 dhparam DH parameter file
1673 certificate certificate file
1674 privatekey private key
1675 ocsp_file file of stapling info (server); flag for require ocsp (client)
1676 addr address if client; NULL if server (for some randomness)
1677 cbp place to put allocated callback context
1678 errstr error string pointer
1680 Returns: OK/DEFER/FAIL
1684 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1686 #ifndef DISABLE_OCSP
1687 uschar *ocsp_file, /*XXX stack, in server*/
1689 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
1694 tls_ext_ctx_cb * cbinfo;
1696 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1697 cbinfo->certificate = certificate;
1698 cbinfo->privatekey = privatekey;
1699 cbinfo->is_server = host==NULL;
1700 #ifndef DISABLE_OCSP
1701 cbinfo->verify_stack = NULL;
1704 cbinfo->u_ocsp.server.file = ocsp_file;
1705 cbinfo->u_ocsp.server.file_expanded = NULL;
1706 cbinfo->u_ocsp.server.response = NULL;
1709 cbinfo->u_ocsp.client.verify_store = NULL;
1711 cbinfo->dhparam = dhparam;
1712 cbinfo->server_cipher_list = NULL;
1713 cbinfo->host = host;
1714 #ifndef DISABLE_EVENT
1715 cbinfo->event_action = NULL;
1718 #ifdef EXIM_NEED_OPENSSL_INIT
1719 SSL_load_error_strings(); /* basic set up */
1720 OpenSSL_add_ssl_algorithms();
1723 #ifdef EXIM_HAVE_SHA256
1724 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1725 list of available digests. */
1726 EVP_add_digest(EVP_sha256());
1729 /* Create a context.
1730 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1731 negotiation in the different methods; as far as I can tell, the only
1732 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1733 when OpenSSL is built without SSLv2 support.
1734 By disabling with openssl_options, we can let admins re-enable with the
1737 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1738 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1740 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1742 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1744 /* It turns out that we need to seed the random number generator this early in
1745 order to get the full complement of ciphers to work. It took me roughly a day
1746 of work to discover this by experiment.
1748 On systems that have /dev/urandom, SSL may automatically seed itself from
1749 there. Otherwise, we have to make something up as best we can. Double check
1755 gettimeofday(&r.tv, NULL);
1758 RAND_seed(US (&r), sizeof(r));
1759 RAND_seed(US big_buffer, big_buffer_size);
1760 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
1763 return tls_error(US"RAND_status", host,
1764 US"unable to seed random number generator", errstr);
1767 /* Set up the information callback, which outputs if debugging is at a suitable
1770 DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1772 /* Automatically re-try reads/writes after renegotiation. */
1773 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1775 /* Apply administrator-supplied work-arounds.
1776 Historically we applied just one requested option,
1777 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1778 moved to an administrator-controlled list of options to specify and
1779 grandfathered in the first one as the default value for "openssl_options".
1781 No OpenSSL version number checks: the options we accept depend upon the
1782 availability of the option value macros from OpenSSL. */
1784 if (!tls_openssl_options_parse(openssl_options, &init_options))
1785 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
1789 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1790 if (!(SSL_CTX_set_options(ctx, init_options)))
1791 return tls_error(string_sprintf(
1792 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
1795 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1797 /* We'd like to disable session cache unconditionally, but foolish Outlook
1798 Express clients then give up the first TLS connection and make a second one
1799 (which works). Only when there is an IMAP service on the same machine.
1800 Presumably OE is trying to use the cache for A on B. Leave it enabled for
1801 now, until we work out a decent way of presenting control to the config. It
1802 will never be used because we use a new context every time. */
1804 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1807 /* Initialize with DH parameters if supplied */
1808 /* Initialize ECDH temp key parameter selection */
1810 if ( !init_dh(ctx, dhparam, host, errstr)
1811 || !init_ecdh(ctx, host, errstr)
1815 /* Set up certificate and key (and perhaps OCSP info) */
1817 if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
1820 /* If we need to handle SNI or OCSP, do so */
1822 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1823 # ifndef DISABLE_OCSP
1824 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1826 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1831 if (!host) /* server */
1833 # ifndef DISABLE_OCSP
1834 /* We check u_ocsp.server.file, not server.response, because we care about if
1835 the option exists, not what the current expansion might be, as SNI might
1836 change the certificate and OCSP file in use between now and the time the
1837 callback is invoked. */
1838 if (cbinfo->u_ocsp.server.file)
1840 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1841 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1844 /* We always do this, so that $tls_sni is available even if not used in
1846 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1847 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
1849 # ifndef DISABLE_OCSP
1851 if(ocsp_file) /* wanting stapling */
1853 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1855 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1858 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1859 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1864 cbinfo->verify_cert_hostnames = NULL;
1866 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
1867 /* Set up the RSA callback */
1868 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
1871 /* Finally, set the timeout, and we are done */
1873 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
1874 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1885 /*************************************************
1886 * Get name of cipher in use *
1887 *************************************************/
1890 Argument: pointer to an SSL structure for the connection
1891 buffer to use for answer
1893 pointer to number of bits for cipher
1898 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1900 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
1901 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1902 the accessor functions use const in the prototype. */
1904 const uschar * ver = CUS SSL_get_version(ssl);
1905 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1907 SSL_CIPHER_get_bits(c, bits);
1909 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1910 SSL_CIPHER_get_name(c), *bits);
1912 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1917 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
1919 /*XXX we might consider a list-of-certs variable for the cert chain.
1920 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1921 in list-handling functions, also consider the difference between the entire
1922 chain and the elements sent by the peer. */
1924 tlsp->peerdn = NULL;
1926 /* Will have already noted peercert on a verify fail; possibly not the leaf */
1927 if (!tlsp->peercert)
1928 tlsp->peercert = SSL_get_peer_certificate(ssl);
1929 /* Beware anonymous ciphers which lead to server_cert being NULL */
1931 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
1932 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
1935 peerdn[siz-1] = '\0';
1936 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1944 /*************************************************
1945 * Set up for verifying certificates *
1946 *************************************************/
1948 #ifndef DISABLE_OCSP
1949 /* Load certs from file, return TRUE on success */
1952 chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1957 while (sk_X509_num(verify_stack) > 0)
1958 X509_free(sk_X509_pop(verify_stack));
1960 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1961 while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1962 sk_X509_push(verify_stack, x);
1970 /* Called by both client and server startup; on the server possibly
1971 repeated after a Server Name Indication.
1974 sctx SSL_CTX* to initialise
1975 certs certs file or NULL
1976 crl CRL file or NULL
1977 host NULL in a server; the remote host in a client
1978 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1979 otherwise passed as FALSE
1980 cert_vfy_cb Callback function for certificate verification
1981 errstr error string pointer
1983 Returns: OK/DEFER/FAIL
1987 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1988 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
1990 uschar *expcerts, *expcrl;
1992 if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
1994 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
1996 if (expcerts && *expcerts)
1998 /* Tell the library to use its compiled-in location for the system default
1999 CA bundle. Then add the ones specified in the config, if any. */
2001 if (!SSL_CTX_set_default_verify_paths(sctx))
2002 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
2004 if (Ustrcmp(expcerts, "system") != 0)
2006 struct stat statbuf;
2008 if (Ustat(expcerts, &statbuf) < 0)
2010 log_write(0, LOG_MAIN|LOG_PANIC,
2011 "failed to stat %s for certificates", expcerts);
2017 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2018 { file = NULL; dir = expcerts; }
2021 file = expcerts; dir = NULL;
2022 #ifndef DISABLE_OCSP
2023 /* In the server if we will be offering an OCSP proof, load chain from
2024 file for verifying the OCSP proof at load time. */
2027 && statbuf.st_size > 0
2028 && server_static_cbinfo->u_ocsp.server.file
2029 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2032 log_write(0, LOG_MAIN|LOG_PANIC,
2033 "failed to load cert chain from %s", file);
2039 /* If a certificate file is empty, the next function fails with an
2040 unhelpful error message. If we skip it, we get the correct behaviour (no
2041 certificates are recognized, but the error message is still misleading (it
2042 says no certificate was supplied). But this is better. */
2044 if ( (!file || statbuf.st_size > 0)
2045 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
2046 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
2048 /* Load the list of CAs for which we will accept certs, for sending
2049 to the client. This is only for the one-file tls_verify_certificates
2051 If a list isn't loaded into the server, but some verify locations are set,
2052 the server end appears to make a wildcard request for client certs.
2053 Meanwhile, the client library as default behaviour *ignores* the list
2054 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2055 Because of this, and that the dir variant is likely only used for
2056 the public-CA bundle (not for a private CA), not worth fixing. */
2060 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
2062 SSL_CTX_set_client_CA_list(sctx, names);
2063 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
2064 sk_X509_NAME_num(names));
2069 /* Handle a certificate revocation list. */
2071 #if OPENSSL_VERSION_NUMBER > 0x00907000L
2073 /* This bit of code is now the version supplied by Lars Mainka. (I have
2074 merely reformatted it into the Exim code style.)
2076 "From here I changed the code to add support for multiple crl's
2077 in pem format in one file or to support hashed directory entries in
2078 pem format instead of a file. This method now uses the library function
2079 X509_STORE_load_locations to add the CRL location to the SSL context.
2080 OpenSSL will then handle the verify against CA certs and CRLs by
2081 itself in the verify callback." */
2083 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
2084 if (expcrl && *expcrl)
2086 struct stat statbufcrl;
2087 if (Ustat(expcrl, &statbufcrl) < 0)
2089 log_write(0, LOG_MAIN|LOG_PANIC,
2090 "failed to stat %s for certificates revocation lists", expcrl);
2095 /* is it a file or directory? */
2097 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
2098 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
2102 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
2108 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
2110 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
2111 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
2113 /* setting the flags to check against the complete crl chain */
2115 X509_STORE_set_flags(cvstore,
2116 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2120 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
2122 /* If verification is optional, don't fail if no certificate */
2124 SSL_CTX_set_verify(sctx,
2125 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2134 /*************************************************
2135 * Start a TLS session in a server *
2136 *************************************************/
2138 /* This is called when Exim is running as a server, after having received
2139 the STARTTLS command. It must respond to that command, and then negotiate
2143 require_ciphers allowed ciphers
2144 errstr pointer to error message
2146 Returns: OK on success
2147 DEFER for errors before the start of the negotiation
2148 FAIL for errors during the negotiation; the server can't
2153 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2156 uschar * expciphers;
2157 tls_ext_ctx_cb * cbinfo;
2158 static uschar peerdn[256];
2159 static uschar cipherbuf[256];
2161 /* Check for previous activation */
2163 if (tls_in.active.sock >= 0)
2165 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
2166 smtp_printf("554 Already in TLS\r\n", FALSE);
2170 /* Initialize the SSL library. If it fails, it will already have logged
2173 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
2174 #ifndef DISABLE_OCSP
2175 tls_ocsp_file, /*XXX stack*/
2177 NULL, &server_static_cbinfo, errstr);
2178 if (rc != OK) return rc;
2179 cbinfo = server_static_cbinfo;
2181 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
2184 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2185 were historically separated by underscores. So that I can use either form in my
2186 tests, and also for general convenience, we turn underscores into hyphens here.
2188 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2189 for TLS 1.3 . Since we do not call it at present we get the default list:
2190 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
2195 uschar * s = expciphers;
2196 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2197 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2198 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
2199 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
2200 cbinfo->server_cipher_list = expciphers;
2203 /* If this is a host for which certificate verification is mandatory or
2204 optional, set up appropriately. */
2206 tls_in.certificate_verified = FALSE;
2208 tls_in.dane_verified = FALSE;
2210 server_verify_callback_called = FALSE;
2212 if (verify_check_host(&tls_verify_hosts) == OK)
2214 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2215 FALSE, verify_callback_server, errstr);
2216 if (rc != OK) return rc;
2217 server_verify_optional = FALSE;
2219 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2221 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2222 TRUE, verify_callback_server, errstr);
2223 if (rc != OK) return rc;
2224 server_verify_optional = TRUE;
2227 /* Prepare for new connection */
2229 if (!(server_ssl = SSL_new(server_ctx)))
2230 return tls_error(US"SSL_new", NULL, NULL, errstr);
2232 /* Warning: we used to SSL_clear(ssl) here, it was removed.
2234 * With the SSL_clear(), we get strange interoperability bugs with
2235 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2236 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2238 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2239 * session shutdown. In this case, we have a brand new object and there's no
2240 * obvious reason to immediately clear it. I'm guessing that this was
2241 * originally added because of incomplete initialisation which the clear fixed,
2242 * in some historic release.
2245 /* Set context and tell client to go ahead, except in the case of TLS startup
2246 on connection, where outputting anything now upsets the clients and tends to
2247 make them disconnect. We need to have an explicit fflush() here, to force out
2248 the response. Other smtp_printf() calls do not need it, because in non-TLS
2249 mode, the fflush() happens when smtp_getc() is called. */
2251 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2252 if (!tls_in.on_connect)
2254 smtp_printf("220 TLS go ahead\r\n", FALSE);
2258 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2259 that the OpenSSL library doesn't. */
2261 SSL_set_wfd(server_ssl, fileno(smtp_out));
2262 SSL_set_rfd(server_ssl, fileno(smtp_in));
2263 SSL_set_accept_state(server_ssl);
2265 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2267 sigalrm_seen = FALSE;
2268 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2269 rc = SSL_accept(server_ssl);
2274 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2278 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2279 ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
2280 anon-authentication ciphersuite negociated. */
2282 /* TLS has been set up. Adjust the input functions to read via TLS,
2283 and initialize things. */
2285 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2287 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2288 tls_in.cipher = cipherbuf;
2293 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
2294 debug_printf("Shared ciphers: %s\n", buf);
2297 /* Record the certificate we presented */
2299 X509 * crt = SSL_get_certificate(server_ssl);
2300 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2303 /* Only used by the server-side tls (tls_in), including tls_getc.
2304 Client-side (tls_out) reads (seem to?) go via
2305 smtp_read_response()/ip_recv().
2306 Hence no need to duplicate for _in and _out.
2308 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2309 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2310 ssl_xfer_eof = ssl_xfer_error = FALSE;
2312 receive_getc = tls_getc;
2313 receive_getbuf = tls_getbuf;
2314 receive_get_cache = tls_get_cache;
2315 receive_ungetc = tls_ungetc;
2316 receive_feof = tls_feof;
2317 receive_ferror = tls_ferror;
2318 receive_smtp_buffered = tls_smtp_buffered;
2320 tls_in.active.sock = fileno(smtp_out);
2321 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
2329 tls_client_basic_ctx_init(SSL_CTX * ctx,
2330 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2334 /* stick to the old behaviour for compatibility if tls_verify_certificates is
2335 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2336 the specified host patterns if one of them is defined */
2338 if ( ( !ob->tls_verify_hosts
2339 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2341 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2343 client_verify_optional = FALSE;
2344 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2345 client_verify_optional = TRUE;
2349 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2350 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2354 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2356 cbinfo->verify_cert_hostnames =
2358 string_domain_utf8_to_alabel(host->name, NULL);
2362 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2363 cbinfo->verify_cert_hostnames);
2371 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2374 const char * hostnames[2] = { CS host->name, NULL };
2377 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2378 return tls_error(US"hostnames load", host, NULL, errstr);
2380 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2381 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2382 ) if (rr->type == T_TLSA && rr->size > 3)
2384 const uschar * p = rr->data;
2385 uint8_t usage, selector, mtype;
2386 const char * mdname;
2390 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2391 if (usage != 2 && usage != 3) continue;
2398 default: continue; /* Only match-types 0, 1, 2 are supported */
2399 case 0: mdname = NULL; break;
2400 case 1: mdname = "sha256"; break;
2401 case 2: mdname = "sha512"; break;
2405 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2408 return tls_error(US"tlsa load", host, NULL, errstr);
2409 case 0: /* action not taken */
2413 tls_out.tlsa_usage |= 1<<usage;
2419 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2422 #endif /*SUPPORT_DANE*/
2426 /*************************************************
2427 * Start a TLS session in a client *
2428 *************************************************/
2430 /* Called from the smtp transport after STARTTLS has been accepted.
2433 fd the fd of the connection
2434 host connected host (for messages and option-tests)
2435 addr the first address (for some randomness; can be NULL)
2436 tb transport (always smtp)
2437 tlsa_dnsa tlsa lookup, if DANE, else null
2438 tlsp record details of channel configuration here; must be non-NULL
2439 errstr error string pointer
2441 Returns: Pointer to TLS session context, or NULL on error
2445 tls_client_start(int fd, host_item *host, address_item *addr,
2446 transport_instance * tb,
2448 dns_answer * tlsa_dnsa,
2450 tls_support * tlsp, uschar ** errstr)
2452 smtp_transport_options_block * ob = tb
2453 ? (smtp_transport_options_block *)tb->options_block
2454 : &smtp_transport_option_defaults;
2455 exim_openssl_client_tls_ctx * exim_client_ctx;
2456 static uschar peerdn[256];
2457 uschar * expciphers;
2459 static uschar cipherbuf[256];
2461 #ifndef DISABLE_OCSP
2462 BOOL request_ocsp = FALSE;
2463 BOOL require_ocsp = FALSE;
2467 store_pool = POOL_PERM;
2468 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
2472 tlsp->tlsa_usage = 0;
2475 #ifndef DISABLE_OCSP
2477 # ifdef SUPPORT_DANE
2479 && ob->hosts_request_ocsp[0] == '*'
2480 && ob->hosts_request_ocsp[1] == '\0'
2483 /* Unchanged from default. Use a safer one under DANE */
2484 request_ocsp = TRUE;
2485 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2486 " {= {4}{$tls_out_tlsa_usage}} } "
2492 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
2493 request_ocsp = TRUE;
2495 # ifdef SUPPORT_DANE
2499 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2503 rc = tls_init(&exim_client_ctx->ctx, host, NULL,
2504 ob->tls_certificate, ob->tls_privatekey,
2505 #ifndef DISABLE_OCSP
2506 (void *)(long)request_ocsp,
2508 addr, &client_static_cbinfo, errstr);
2509 if (rc != OK) return NULL;
2511 tlsp->certificate_verified = FALSE;
2512 client_verify_callback_called = FALSE;
2518 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2519 other failures should be treated as problems. */
2520 if (ob->dane_require_tls_ciphers &&
2521 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2522 &expciphers, errstr))
2524 if (expciphers && *expciphers == '\0')
2529 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2530 &expciphers, errstr))
2533 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2534 are separated by underscores. So that I can use either form in my tests, and
2535 also for general convenience, we turn underscores into hyphens here. */
2539 uschar *s = expciphers;
2540 while (*s) { if (*s == '_') *s = '-'; s++; }
2541 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2542 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2544 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2552 SSL_CTX_set_verify(exim_client_ctx->ctx,
2553 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2554 verify_callback_client_dane);
2556 if (!DANESSL_library_init())
2558 tls_error(US"library init", host, NULL, errstr);
2561 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2563 tls_error(US"context init", host, NULL, errstr);
2571 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2572 client_static_cbinfo, errstr) != OK)
2575 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
2577 tls_error(US"SSL_new", host, NULL, errstr);
2580 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
2581 SSL_set_fd(exim_client_ctx->ssl, fd);
2582 SSL_set_connect_state(exim_client_ctx->ssl);
2586 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
2590 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2592 else if (!Ustrlen(tlsp->sni))
2596 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2597 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
2598 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
2600 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
2608 if (dane_tlsa_load(exim_client_ctx->ssl, host, tlsa_dnsa, errstr) != OK)
2612 #ifndef DISABLE_OCSP
2613 /* Request certificate status at connection-time. If the server
2614 does OCSP stapling we will get the callback (set in tls_init()) */
2615 # ifdef SUPPORT_DANE
2619 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2620 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2622 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2623 this means we avoid the OCSP request, we wasted the setup
2624 cost in tls_init(). */
2625 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
2626 request_ocsp = require_ocsp
2627 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2634 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
2635 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2636 tlsp->ocsp = OCSP_NOT_RESP;
2640 #ifndef DISABLE_EVENT
2641 client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
2644 /* There doesn't seem to be a built-in timeout on connection. */
2646 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2647 sigalrm_seen = FALSE;
2648 ALARM(ob->command_timeout);
2649 rc = SSL_connect(exim_client_ctx->ssl);
2654 DANESSL_cleanup(exim_client_ctx->ssl);
2659 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
2663 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2665 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
2667 construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
2668 tlsp->cipher = cipherbuf;
2670 /* Record the certificate we presented */
2672 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
2673 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
2676 tlsp->active.sock = fd;
2677 tlsp->active.tls_ctx = exim_client_ctx;
2678 return exim_client_ctx;
2686 tls_refill(unsigned lim)
2691 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2692 ssl_xfer_buffer, ssl_xfer_buffer_size);
2694 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2695 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2696 MIN(ssl_xfer_buffer_size, lim));
2697 error = SSL_get_error(server_ssl, inbytes);
2698 if (smtp_receive_timeout > 0) ALARM_CLR(0);
2700 if (had_command_timeout) /* set by signal handler */
2701 smtp_command_timeout_exit(); /* does not return */
2702 if (had_command_sigterm)
2703 smtp_command_sigterm_exit();
2704 if (had_data_timeout)
2705 smtp_data_timeout_exit();
2706 if (had_data_sigint)
2707 smtp_data_sigint_exit();
2709 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2710 closed down, not that the socket itself has been closed down. Revert to
2711 non-SSL handling. */
2715 case SSL_ERROR_NONE:
2718 case SSL_ERROR_ZERO_RETURN:
2719 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2721 receive_getc = smtp_getc;
2722 receive_getbuf = smtp_getbuf;
2723 receive_get_cache = smtp_get_cache;
2724 receive_ungetc = smtp_ungetc;
2725 receive_feof = smtp_feof;
2726 receive_ferror = smtp_ferror;
2727 receive_smtp_buffered = smtp_buffered;
2729 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2730 SSL_shutdown(server_ssl);
2732 #ifndef DISABLE_OCSP
2733 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2734 server_static_cbinfo->verify_stack = NULL;
2736 SSL_free(server_ssl);
2737 SSL_CTX_free(server_ctx);
2740 tls_in.active.sock = -1;
2741 tls_in.active.tls_ctx = NULL;
2743 tls_in.cipher = NULL;
2744 tls_in.peerdn = NULL;
2749 /* Handle genuine errors */
2751 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
2752 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2753 ssl_xfer_error = TRUE;
2757 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2758 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
2759 debug_printf(" - syscall %s\n", strerror(errno));
2760 ssl_xfer_error = TRUE;
2764 #ifndef DISABLE_DKIM
2765 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2767 ssl_xfer_buffer_hwm = inbytes;
2768 ssl_xfer_buffer_lwm = 0;
2773 /*************************************************
2774 * TLS version of getc *
2775 *************************************************/
2777 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2778 it refills the buffer via the SSL reading function.
2780 Arguments: lim Maximum amount to read/buffer
2781 Returns: the next character or EOF
2783 Only used by the server-side TLS.
2787 tls_getc(unsigned lim)
2789 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2790 if (!tls_refill(lim))
2791 return ssl_xfer_error ? EOF : smtp_getc(lim);
2793 /* Something in the buffer; return next uschar */
2795 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2799 tls_getbuf(unsigned * len)
2804 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2805 if (!tls_refill(*len))
2807 if (!ssl_xfer_error) return smtp_getbuf(len);
2812 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2814 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2815 ssl_xfer_buffer_lwm += size;
2824 #ifndef DISABLE_DKIM
2825 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2827 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
2833 tls_could_read(void)
2835 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
2839 /*************************************************
2840 * Read bytes from TLS channel *
2841 *************************************************/
2845 ct_ctx client context pointer, or NULL for the one global server context
2849 Returns: the number of bytes read
2850 -1 after a failed read, including EOF
2852 Only used by the client-side TLS.
2856 tls_read(void * ct_ctx, uschar *buff, size_t len)
2858 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
2862 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2863 buff, (unsigned int)len);
2865 inbytes = SSL_read(ssl, CS buff, len);
2866 error = SSL_get_error(ssl, inbytes);
2868 if (error == SSL_ERROR_ZERO_RETURN)
2870 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2873 else if (error != SSL_ERROR_NONE)
2883 /*************************************************
2884 * Write bytes down TLS channel *
2885 *************************************************/
2889 ct_ctx client context pointer, or NULL for the one global server context
2892 more further data expected soon
2894 Returns: the number of bytes after a successful write,
2895 -1 after a failed write
2897 Used by both server-side and client-side TLS.
2901 tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
2904 int outbytes, error;
2905 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
2906 static gstring * corked = NULL;
2908 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
2909 buff, (unsigned long)len, more ? ", more" : "");
2911 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2912 "more" is notified. This hack is only ok if small amounts are involved AND only
2913 one stream does it, in one context (i.e. no store reset). Currently it is used
2914 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2915 /* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
2916 a store reset there, so use POOL_PERM. */
2917 /* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
2919 if ((more || corked))
2921 #ifdef EXPERIMENTAL_PIPE_CONNECT
2922 int save_pool = store_pool;
2923 store_pool = POOL_PERM;
2926 corked = string_catn(corked, buff, len);
2928 #ifdef EXPERIMENTAL_PIPE_CONNECT
2929 store_pool = save_pool;
2934 buff = CUS corked->s;
2939 for (int left = len; left > 0;)
2941 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
2942 outbytes = SSL_write(ssl, CS buff, left);
2943 error = SSL_get_error(ssl, outbytes);
2944 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2948 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
2949 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2952 case SSL_ERROR_NONE:
2957 case SSL_ERROR_ZERO_RETURN:
2958 log_write(0, LOG_MAIN, "SSL channel closed on write");
2961 case SSL_ERROR_SYSCALL:
2962 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2963 sender_fullhost ? sender_fullhost : US"<unknown>",
2968 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2977 /*************************************************
2978 * Close down a TLS session *
2979 *************************************************/
2981 /* This is also called from within a delivery subprocess forked from the
2982 daemon, to shut down the TLS library, without actually doing a shutdown (which
2983 would tamper with the SSL session in the parent process).
2986 ct_ctx client TLS context pointer, or NULL for the one global server context
2987 shutdown 1 if TLS close-alert is to be sent,
2988 2 if also response to be waited for
2992 Used by both server-side and client-side TLS.
2996 tls_close(void * ct_ctx, int shutdown)
2998 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
2999 SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3000 SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3001 int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
3003 if (*fdp < 0) return; /* TLS was not active */
3008 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3009 shutdown > 1 ? " (with response-wait)" : "");
3011 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3015 rc = SSL_shutdown(*sslp); /* wait for response */
3019 if (rc < 0) DEBUG(D_tls)
3021 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3022 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3026 #ifndef DISABLE_OCSP
3027 if (!o_ctx) /* server side */
3029 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3030 server_static_cbinfo->verify_stack = NULL;
3034 SSL_CTX_free(*ctxp);
3044 /*************************************************
3045 * Let tls_require_ciphers be checked at startup *
3046 *************************************************/
3048 /* The tls_require_ciphers option, if set, must be something which the
3051 Returns: NULL on success, or error message
3055 tls_validate_require_cipher(void)
3058 uschar *s, *expciphers, *err;
3060 /* this duplicates from tls_init(), we need a better "init just global
3061 state, for no specific purpose" singleton function of our own */
3063 #ifdef EXIM_NEED_OPENSSL_INIT
3064 SSL_load_error_strings();
3065 OpenSSL_add_ssl_algorithms();
3067 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3068 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
3069 list of available digests. */
3070 EVP_add_digest(EVP_sha256());
3073 if (!(tls_require_ciphers && *tls_require_ciphers))
3076 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3078 return US"failed to expand tls_require_ciphers";
3080 if (!(expciphers && *expciphers))
3083 /* normalisation ripped from above */
3085 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3089 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3090 if (!(ctx = SSL_CTX_new(TLS_server_method())))
3092 if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3095 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3096 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3100 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3102 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3104 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3105 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3106 expciphers, ssl_errstring);
3117 /*************************************************
3118 * Report the library versions. *
3119 *************************************************/
3121 /* There have historically been some issues with binary compatibility in
3122 OpenSSL libraries; if Exim (like many other applications) is built against
3123 one version of OpenSSL but the run-time linker picks up another version,
3124 it can result in serious failures, including crashing with a SIGSEGV. So
3125 report the version found by the compiler and the run-time version.
3127 Note: some OS vendors backport security fixes without changing the version
3128 number/string, and the version date remains unchanged. The _build_ date
3129 will change, so we can more usefully assist with version diagnosis by also
3130 reporting the build date.
3132 Arguments: a FILE* to print the results to
3137 tls_version_report(FILE *f)
3139 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
3142 OPENSSL_VERSION_TEXT,
3143 SSLeay_version(SSLEAY_VERSION),
3144 SSLeay_version(SSLEAY_BUILT_ON));
3145 /* third line is 38 characters for the %s and the line is 73 chars long;
3146 the OpenSSL output includes a "built on: " prefix already. */
3152 /*************************************************
3153 * Random number generation *
3154 *************************************************/
3156 /* Pseudo-random number generation. The result is not expected to be
3157 cryptographically strong but not so weak that someone will shoot themselves
3158 in the foot using it as a nonce in input in some email header scheme or
3159 whatever weirdness they'll twist this into. The result should handle fork()
3160 and avoid repeating sequences. OpenSSL handles that for us.
3164 Returns a random number in range [0, max-1]
3168 vaguely_random_number(int max)
3172 static pid_t pidlast = 0;
3174 uschar smallbuf[sizeof(r)];
3180 if (pidnow != pidlast)
3182 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3183 is unique for each thread", this doesn't apparently apply across processes,
3184 so our own warning from vaguely_random_number_fallback() applies here too.
3185 Fix per PostgreSQL. */
3191 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3195 gettimeofday(&r.tv, NULL);
3198 RAND_seed(US (&r), sizeof(r));
3200 /* We're after pseudo-random, not random; if we still don't have enough data
3201 in the internal PRNG then our options are limited. We could sleep and hope
3202 for entropy to come along (prayer technique) but if the system is so depleted
3203 in the first place then something is likely to just keep taking it. Instead,
3204 we'll just take whatever little bit of pseudo-random we can still manage to
3207 needed_len = sizeof(r);
3208 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3209 asked for a number less than 10. */
3210 for (r = max, i = 0; r; ++i)
3216 #ifdef EXIM_HAVE_RAND_PSEUDO
3217 /* We do not care if crypto-strong */
3218 i = RAND_pseudo_bytes(smallbuf, needed_len);
3220 i = RAND_bytes(smallbuf, needed_len);
3226 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3227 return vaguely_random_number_fallback(max);
3231 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3234 /* We don't particularly care about weighted results; if someone wants
3235 smooth distribution and cares enough then they should submit a patch then. */
3242 /*************************************************
3243 * OpenSSL option parse *
3244 *************************************************/
3246 /* Parse one option for tls_openssl_options_parse below
3249 name one option name
3250 value place to store a value for it
3251 Returns success or failure in parsing
3257 tls_openssl_one_option_parse(uschar *name, long *value)
3260 int last = exim_openssl_options_size;
3261 while (last > first)
3263 int middle = (first + last)/2;
3264 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3267 *value = exim_openssl_options[middle].value;
3281 /*************************************************
3282 * OpenSSL option parsing logic *
3283 *************************************************/
3285 /* OpenSSL has a number of compatibility options which an administrator might
3286 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3287 we look like log_selector.
3290 option_spec the administrator-supplied string of options
3291 results ptr to long storage for the options bitmap
3292 Returns success or failure
3296 tls_openssl_options_parse(uschar *option_spec, long *results)
3301 BOOL adding, item_parsed;
3303 result = SSL_OP_NO_TICKET;
3304 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
3305 * from default because it increases BEAST susceptibility. */
3306 #ifdef SSL_OP_NO_SSLv2
3307 result |= SSL_OP_NO_SSLv2;
3309 #ifdef SSL_OP_SINGLE_DH_USE
3310 result |= SSL_OP_SINGLE_DH_USE;
3319 for (uschar * s = option_spec; *s != '\0'; /**/)
3321 while (isspace(*s)) ++s;
3324 if (*s != '+' && *s != '-')
3326 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
3327 "+ or - expected but found \"%s\"\n", s);
3330 adding = *s++ == '+';
3331 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3334 item_parsed = tls_openssl_one_option_parse(s, &item);
3338 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
3341 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3342 adding ? "adding" : "removing", result, item, s);
3354 #endif /*!MACRO_PREDEF*/
3357 /* End of tls-openssl.c */