1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
29 # include <openssl/ocsp.h>
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
44 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
45 # define EXIM_HAVE_RSA_GENKEY_EX
47 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
48 # define EXIM_HAVE_OCSP_RESP_COUNT
50 # define EXIM_HAVE_EPHEM_RSA_KEX
51 # define EXIM_HAVE_RAND_PSEUDO
53 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54 # define EXIM_HAVE_SHA256
57 /* X509_check_host provides sane certificate hostname checking, but was added
58 to OpenSSL late, after other projects forked off the code-base. So in
59 addition to guarding against the base version number, beware that LibreSSL
60 does not (at this time) support this function.
62 If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63 opt to disentangle and ask a LibreSSL user to provide glue for a third
64 crypto provider for libtls instead of continuing to tie the OpenSSL glue
65 into even twistier knots. If LibreSSL gains the same API, we can just
66 change this guard and punt the issue for a while longer. */
68 #ifndef LIBRESSL_VERSION_NUMBER
69 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
70 # define EXIM_HAVE_OPENSSL_CHECKHOST
71 # define EXIM_HAVE_OPENSSL_DH_BITS
72 # define EXIM_HAVE_OPENSSL_TLS_METHOD
74 # define EXIM_NEED_OPENSSL_INIT
76 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
77 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
78 # define EXIM_HAVE_OPENSSL_CHECKHOST
82 #if !defined(LIBRESSL_VERSION_NUMBER) \
83 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
84 # if !defined(OPENSSL_NO_ECDH)
85 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
86 # define EXIM_HAVE_ECDH
88 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
89 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
94 #ifndef LIBRESSL_VERSION_NUMBER
95 # if OPENSSL_VERSION_NUMBER >= 0x010101000L
96 # define OPENSSL_HAVE_KEYLOG_CB
100 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
101 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
102 # define DISABLE_OCSP
105 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
106 # include <openssl/x509v3.h>
109 /*************************************************
110 * OpenSSL option parse *
111 *************************************************/
113 typedef struct exim_openssl_option {
116 } exim_openssl_option;
117 /* We could use a macro to expand, but we need the ifdef and not all the
118 options document which version they were introduced in. Policylet: include
119 all options unless explicitly for DTLS, let the administrator choose which
122 This list is current as of:
124 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
125 Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
127 static exim_openssl_option exim_openssl_options[] = {
128 /* KEEP SORTED ALPHABETICALLY! */
130 { US"all", SSL_OP_ALL },
132 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
133 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
135 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
136 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
138 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
139 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
141 #ifdef SSL_OP_EPHEMERAL_RSA
142 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
144 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
145 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
147 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
148 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
150 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
151 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
153 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
154 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
156 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
157 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
159 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
160 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
162 #ifdef SSL_OP_NO_COMPRESSION
163 { US"no_compression", SSL_OP_NO_COMPRESSION },
165 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
166 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
168 #ifdef SSL_OP_NO_SSLv2
169 { US"no_sslv2", SSL_OP_NO_SSLv2 },
171 #ifdef SSL_OP_NO_SSLv3
172 { US"no_sslv3", SSL_OP_NO_SSLv3 },
174 #ifdef SSL_OP_NO_TICKET
175 { US"no_ticket", SSL_OP_NO_TICKET },
177 #ifdef SSL_OP_NO_TLSv1
178 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
180 #ifdef SSL_OP_NO_TLSv1_1
181 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
182 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
183 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
185 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
188 #ifdef SSL_OP_NO_TLSv1_2
189 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
191 #ifdef SSL_OP_NO_TLSv1_3
192 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
194 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
195 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
197 #ifdef SSL_OP_SINGLE_DH_USE
198 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
200 #ifdef SSL_OP_SINGLE_ECDH_USE
201 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
203 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
204 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
206 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
207 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
209 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
210 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
212 #ifdef SSL_OP_TLS_D5_BUG
213 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
215 #ifdef SSL_OP_TLS_ROLLBACK_BUG
216 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
221 static int exim_openssl_options_size = nelem(exim_openssl_options);
230 for (struct exim_openssl_option * o = exim_openssl_options;
231 o < exim_openssl_options + nelem(exim_openssl_options); o++)
233 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
234 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
236 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
237 builtin_macro_create(buf);
242 /******************************************************************************/
244 /* Structure for collecting random data for seeding. */
246 typedef struct randstuff {
251 /* Local static variables */
253 static BOOL client_verify_callback_called = FALSE;
254 static BOOL server_verify_callback_called = FALSE;
255 static const uschar *sid_ctx = US"exim";
257 /* We have three different contexts to care about.
259 Simple case: client, `client_ctx`
260 As a client, we can be doing a callout or cut-through delivery while receiving
261 a message. So we have a client context, which should have options initialised
262 from the SMTP Transport. We may also concurrently want to make TLS connections
263 to utility daemons, so client-contexts are allocated and passed around in call
264 args rather than using a gobal.
267 There are two cases: with and without ServerNameIndication from the client.
268 Given TLS SNI, we can be using different keys, certs and various other
269 configuration settings, because they're re-expanded with $tls_sni set. This
270 allows vhosting with TLS. This SNI is sent in the handshake.
271 A client might not send SNI, so we need a fallback, and an initial setup too.
272 So as a server, we start out using `server_ctx`.
273 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
274 `server_sni` from `server_ctx` and then initialise settings by re-expanding
281 } exim_openssl_client_tls_ctx;
283 static SSL_CTX *server_ctx = NULL;
284 static SSL *server_ssl = NULL;
286 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
287 static SSL_CTX *server_sni = NULL;
290 static char ssl_errstring[256];
292 static int ssl_session_timeout = 200;
293 static BOOL client_verify_optional = FALSE;
294 static BOOL server_verify_optional = FALSE;
296 static BOOL reexpand_tls_files_for_sni = FALSE;
299 typedef struct tls_ext_ctx_cb {
304 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
308 uschar *file_expanded;
309 OCSP_RESPONSE *response;
312 X509_STORE *verify_store; /* non-null if status requested */
313 BOOL verify_required;
318 /* these are cached from first expand */
319 uschar *server_cipher_list;
320 /* only passed down to tls_error: */
322 const uschar * verify_cert_hostnames;
323 #ifndef DISABLE_EVENT
324 uschar * event_action;
328 /* should figure out a cleanup of API to handle state preserved per
329 implementation, for various reasons, which can be void * in the APIs.
330 For now, we hack around it. */
331 tls_ext_ctx_cb *client_static_cbinfo = NULL;
332 tls_ext_ctx_cb *server_static_cbinfo = NULL;
335 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
336 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
339 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
340 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
343 static int tls_server_stapling_cb(SSL *s, void *arg);
347 /*************************************************
349 *************************************************/
351 /* Called from lots of places when errors occur before actually starting to do
352 the TLS handshake, that is, while the session is still in clear. Always returns
353 DEFER for a server and FAIL for a client so that most calls can use "return
354 tls_error(...)" to do this processing and then give an appropriate return. A
355 single function is used for both server and client, because it is called from
356 some shared functions.
359 prefix text to include in the logged error
360 host NULL if setting up a server;
361 the connected host if setting up a client
362 msg error message or NULL if we should ask OpenSSL
363 errstr pointer to output error message
365 Returns: OK/DEFER/FAIL
369 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
373 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
374 msg = US ssl_errstring;
377 msg = string_sprintf("(%s): %s", prefix, msg);
378 DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
379 if (errstr) *errstr = msg;
380 return host ? FAIL : DEFER;
385 /*************************************************
386 * Callback to generate RSA key *
387 *************************************************/
391 s SSL connection (not used)
395 Returns: pointer to generated key
399 rsa_callback(SSL *s, int export, int keylength)
402 #ifdef EXIM_HAVE_RSA_GENKEY_EX
403 BIGNUM *bn = BN_new();
406 export = export; /* Shut picky compilers up */
407 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
409 #ifdef EXIM_HAVE_RSA_GENKEY_EX
410 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
411 || !(rsa_key = RSA_new())
412 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
415 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
419 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
420 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
432 x509_store_dump_cert_s_names(X509_STORE * store)
434 STACK_OF(X509_OBJECT) * roots= store->objs;
435 static uschar name[256];
437 for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
439 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
440 if(tmp_obj->type == X509_LU_X509)
442 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
443 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
445 name[sizeof(name)-1] = '\0';
446 debug_printf(" %s\n", name);
455 #ifndef DISABLE_EVENT
457 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
458 BOOL *calledp, const BOOL *optionalp, const uschar * what)
464 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
467 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
468 old_cert = tlsp->peercert;
469 tlsp->peercert = X509_dup(cert);
470 /* NB we do not bother setting peerdn */
471 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
473 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
474 "depth=%d cert=%s: %s",
475 tlsp == &tls_out ? deliver_host_address : sender_host_address,
476 what, depth, dn, yield);
480 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
481 return 1; /* reject (leaving peercert set) */
483 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
484 "(host in tls_try_verify_hosts)\n");
486 X509_free(tlsp->peercert);
487 tlsp->peercert = old_cert;
493 /*************************************************
494 * Callback for verification *
495 *************************************************/
497 /* The SSL library does certificate verification if set up to do so. This
498 callback has the current yes/no state is in "state". If verification succeeded,
499 we set the certificate-verified flag. If verification failed, what happens
500 depends on whether the client is required to present a verifiable certificate
503 If verification is optional, we change the state to yes, but still log the
504 verification error. For some reason (it really would help to have proper
505 documentation of OpenSSL), this callback function then gets called again, this
506 time with state = 1. We must take care not to set the private verified flag on
507 the second time through.
509 Note: this function is not called if the client fails to present a certificate
510 when asked. We get here only if a certificate has been received. Handling of
511 optional verification for this case is done when requesting SSL to verify, by
512 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
514 May be called multiple times for different issues with a certificate, even
515 for a given "depth" in the certificate chain.
518 preverify_ok current yes/no state as 1/0
519 x509ctx certificate information.
520 tlsp per-direction (client vs. server) support data
521 calledp has-been-called flag
522 optionalp verification-is-optional flag
524 Returns: 0 if verification should fail, otherwise 1
528 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
529 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
531 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
532 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
535 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
537 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
538 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
539 tlsp == &tls_out ? deliver_host_address : sender_host_address);
542 dn[sizeof(dn)-1] = '\0';
544 if (preverify_ok == 0)
546 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
547 *verify_mode, sender_host_address)
549 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
550 tlsp == &tls_out ? deliver_host_address : sender_host_address,
552 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
557 tlsp->peercert = X509_dup(cert); /* record failing cert */
558 return 0; /* reject */
560 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
561 "tls_try_verify_hosts)\n");
566 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
568 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
569 { /* client, wanting stapling */
570 /* Add the server cert's signing chain as the one
571 for the verification of the OCSP stapled information. */
573 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
576 sk_X509_push(client_static_cbinfo->verify_stack, cert);
579 #ifndef DISABLE_EVENT
580 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
581 return 0; /* reject, with peercert set */
586 const uschar * verify_cert_hostnames;
588 if ( tlsp == &tls_out
589 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
590 /* client, wanting hostname check */
593 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
594 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
595 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
597 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
598 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
601 const uschar * list = verify_cert_hostnames;
604 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
605 if ((rc = X509_check_host(cert, CCS name, 0,
606 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
607 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
612 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
613 tlsp == &tls_out ? deliver_host_address : sender_host_address);
620 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
623 uschar * extra = verify_mode
624 ? string_sprintf(" (during %c-verify for [%s])",
625 *verify_mode, sender_host_address)
627 log_write(0, LOG_MAIN,
628 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
629 tlsp == &tls_out ? deliver_host_address : sender_host_address,
630 extra, dn, verify_cert_hostnames);
635 tlsp->peercert = X509_dup(cert); /* record failing cert */
636 return 0; /* reject */
638 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
639 "tls_try_verify_hosts)\n");
643 #ifndef DISABLE_EVENT
644 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
645 return 0; /* reject, with peercert set */
648 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
649 *calledp ? "" : " authenticated", dn);
650 if (!*calledp) tlsp->certificate_verified = TRUE;
654 return 1; /* accept, at least for this level */
658 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
660 return verify_callback(preverify_ok, x509ctx, &tls_out,
661 &client_verify_callback_called, &client_verify_optional);
665 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
667 return verify_callback(preverify_ok, x509ctx, &tls_in,
668 &server_verify_callback_called, &server_verify_optional);
674 /* This gets called *by* the dane library verify callback, which interposes
678 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
680 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
682 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
683 #ifndef DISABLE_EVENT
684 BOOL dummy_called, optional = FALSE;
687 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
689 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
690 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
691 deliver_host_address);
694 dn[sizeof(dn)-1] = '\0';
696 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
697 preverify_ok ? "ok":"BAD", depth, dn);
699 #ifndef DISABLE_EVENT
700 if (verify_event(&tls_out, cert, depth, dn,
701 &dummy_called, &optional, US"DANE"))
702 return 0; /* reject, with peercert set */
705 if (preverify_ok == 1)
707 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
709 if (client_static_cbinfo->u_ocsp.client.verify_store)
710 { /* client, wanting stapling */
711 /* Add the server cert's signing chain as the one
712 for the verification of the OCSP stapled information. */
714 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
717 sk_X509_push(client_static_cbinfo->verify_stack, cert);
723 int err = X509_STORE_CTX_get_error(x509ctx);
725 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
726 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
732 #endif /*SUPPORT_DANE*/
735 /*************************************************
736 * Information callback *
737 *************************************************/
739 /* The SSL library functions call this from time to time to indicate what they
740 are doing. We copy the string to the debugging output when TLS debugging has
752 info_callback(SSL *s, int where, int ret)
758 if (where & SSL_ST_CONNECT)
759 str = US"SSL_connect";
760 else if (where & SSL_ST_ACCEPT)
761 str = US"SSL_accept";
763 str = US"SSL info (undefined)";
765 if (where & SSL_CB_LOOP)
766 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
767 else if (where & SSL_CB_ALERT)
768 debug_printf("SSL3 alert %s:%s:%s\n",
769 str = where & SSL_CB_READ ? US"read" : US"write",
770 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
771 else if (where & SSL_CB_EXIT)
773 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
775 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
776 else if (where & SSL_CB_HANDSHAKE_START)
777 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
778 else if (where & SSL_CB_HANDSHAKE_DONE)
779 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
784 keylog_callback(const SSL *ssl, const char *line)
786 DEBUG(D_tls) debug_printf("%.200s\n", line);
791 /*************************************************
792 * Initialize for DH *
793 *************************************************/
795 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
798 sctx The current SSL CTX (inbound or outbound)
799 dhparam DH parameter file or fixed parameter identity string
800 host connected host, if client; NULL if server
801 errstr error string pointer
803 Returns: TRUE if OK (nothing to set up, or setup worked)
807 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
815 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
818 if (!dhexpanded || !*dhexpanded)
819 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
820 else if (dhexpanded[0] == '/')
822 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
824 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
825 host, US strerror(errno), errstr);
831 if (Ustrcmp(dhexpanded, "none") == 0)
833 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
837 if (!(pem = std_dh_prime_named(dhexpanded)))
839 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
840 host, US strerror(errno), errstr);
843 bio = BIO_new_mem_buf(CS pem, -1);
846 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
849 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
854 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
855 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
856 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
857 * If someone wants to dance at the edge, then they can raise the limit or use
858 * current libraries. */
859 #ifdef EXIM_HAVE_OPENSSL_DH_BITS
860 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
861 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
862 dh_bitsize = DH_bits(dh);
864 dh_bitsize = 8 * DH_size(dh);
867 /* Even if it is larger, we silently return success rather than cause things
868 * to fail out, so that a too-large DH will not knock out all TLS; it's a
869 * debatable choice. */
870 if (dh_bitsize > tls_dh_max_bits)
873 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
874 dh_bitsize, tls_dh_max_bits);
878 SSL_CTX_set_tmp_dh(sctx, dh);
880 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
881 dhexpanded ? dhexpanded : US"default", dh_bitsize);
893 /*************************************************
894 * Initialize for ECDH *
895 *************************************************/
897 /* Load parameters for ECDH encryption.
899 For now, we stick to NIST P-256 because: it's simple and easy to configure;
900 it avoids any patent issues that might bite redistributors; despite events in
901 the news and concerns over curve choices, we're not cryptographers, we're not
902 pretending to be, and this is "good enough" to be better than no support,
903 protecting against most adversaries. Given another year or two, there might
904 be sufficient clarity about a "right" way forward to let us make an informed
905 decision, instead of a knee-jerk reaction.
907 Longer-term, we should look at supporting both various named curves and
908 external files generated with "openssl ecparam", much as we do for init_dh().
909 We should also support "none" as a value, to explicitly avoid initialisation.
914 sctx The current SSL CTX (inbound or outbound)
915 host connected host, if client; NULL if server
916 errstr error string pointer
918 Returns: TRUE if OK (nothing to set up, or setup worked)
922 init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
924 #ifdef OPENSSL_NO_ECDH
933 if (host) /* No ECDH setup for clients, only for servers */
936 # ifndef EXIM_HAVE_ECDH
938 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
942 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
944 if (!exp_curve || !*exp_curve)
947 /* "auto" needs to be handled carefully.
948 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
949 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
950 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
951 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
952 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
954 if (Ustrcmp(exp_curve, "auto") == 0)
956 #if OPENSSL_VERSION_NUMBER < 0x10002000L
957 DEBUG(D_tls) debug_printf(
958 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
959 exp_curve = US"prime256v1";
961 # if defined SSL_CTRL_SET_ECDH_AUTO
962 DEBUG(D_tls) debug_printf(
963 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
964 SSL_CTX_set_ecdh_auto(sctx, 1);
967 DEBUG(D_tls) debug_printf(
968 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
974 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
975 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
976 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
977 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
981 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
986 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
988 tls_error(US"Unable to create ec curve", host, NULL, errstr);
992 /* The "tmp" in the name here refers to setting a temporary key
993 not to the stability of the interface. */
995 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
996 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
998 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1003 # endif /*EXIM_HAVE_ECDH*/
1004 #endif /*OPENSSL_NO_ECDH*/
1010 #ifndef DISABLE_OCSP
1011 /*************************************************
1012 * Load OCSP information into state *
1013 *************************************************/
1014 /* Called to load the server OCSP response from the given file into memory, once
1015 caller has determined this is needed. Checks validity. Debugs a message
1018 ASSUMES: single response, for single cert.
1021 sctx the SSL_CTX* to update
1022 cbinfo various parts of session state
1023 expanded the filename putatively holding an OCSP response
1028 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
1031 OCSP_RESPONSE * resp;
1032 OCSP_BASICRESP * basic_response;
1033 OCSP_SINGLERESP * single_response;
1034 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1035 STACK_OF(X509) * sk;
1036 unsigned long verify_flags;
1037 int status, reason, i;
1039 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1040 if (cbinfo->u_ocsp.server.response)
1042 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1043 cbinfo->u_ocsp.server.response = NULL;
1046 if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
1048 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
1049 cbinfo->u_ocsp.server.file_expanded);
1053 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1057 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1061 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1063 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1064 OCSP_response_status_str(status), status);
1068 if (!(basic_response = OCSP_response_get1_basic(resp)))
1071 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1075 sk = cbinfo->verify_stack;
1076 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1078 /* May need to expose ability to adjust those flags?
1079 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1080 OCSP_TRUSTOTHER OCSP_NOINTERN */
1082 /* This does a full verify on the OCSP proof before we load it for serving
1083 up; possibly overkill - just date-checks might be nice enough.
1085 OCSP_basic_verify takes a "store" arg, but does not
1086 use it for the chain verification, which is all we do
1087 when OCSP_NOVERIFY is set. The content from the wire
1088 "basic_response" and a cert-stack "sk" are all that is used.
1090 We have a stack, loaded in setup_certs() if tls_verify_certificates
1091 was a file (not a directory, or "system"). It is unfortunate we
1092 cannot used the connection context store, as that would neatly
1093 handle the "system" case too, but there seems to be no library
1094 function for getting a stack from a store.
1095 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1096 We do not free the stack since it could be needed a second time for
1099 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1100 be a public interface into the OpenSSL library (there's no manual entry) -
1101 But what with? We also use OCSP_basic_verify in the client stapling callback.
1102 And there we NEED it; we must verify that status... unless the
1103 library does it for us anyway? */
1105 if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
1109 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1110 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
1115 /* Here's the simplifying assumption: there's only one response, for the
1116 one certificate we use, and nothing for anything else in a chain. If this
1117 proves false, we need to extract a cert id from our issued cert
1118 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1119 right cert in the stack and then calls OCSP_single_get0_status()).
1121 I'm hoping to avoid reworking a bunch more of how we handle state here. */
1123 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1126 debug_printf("Unable to get first response from OCSP basic response.\n");
1130 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1131 if (status != V_OCSP_CERTSTATUS_GOOD)
1133 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1134 OCSP_cert_status_str(status), status,
1135 OCSP_crl_reason_str(reason), reason);
1139 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1141 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
1146 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
1150 if (f.running_in_test_harness)
1152 extern char ** environ;
1153 if (environ) for (uschar ** p = USS environ; *p; p++)
1154 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1156 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1157 goto supply_response;
1162 #endif /*!DISABLE_OCSP*/
1167 /* Create and install a selfsigned certificate, for use in server mode */
1170 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
1178 where = US"allocating pkey";
1179 if (!(pkey = EVP_PKEY_new()))
1182 where = US"allocating cert";
1183 if (!(x509 = X509_new()))
1186 where = US"generating pkey";
1187 if (!(rsa = rsa_callback(NULL, 0, 2048)))
1190 where = US"assigning pkey";
1191 if (!EVP_PKEY_assign_RSA(pkey, rsa))
1194 X509_set_version(x509, 2); /* N+1 - version 3 */
1195 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
1196 X509_gmtime_adj(X509_get_notBefore(x509), 0);
1197 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1198 X509_set_pubkey(x509, pkey);
1200 name = X509_get_subject_name(x509);
1201 X509_NAME_add_entry_by_txt(name, "C",
1202 MBSTRING_ASC, CUS "UK", -1, -1, 0);
1203 X509_NAME_add_entry_by_txt(name, "O",
1204 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
1205 X509_NAME_add_entry_by_txt(name, "CN",
1206 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1207 X509_set_issuer_name(x509, name);
1209 where = US"signing cert";
1210 if (!X509_sign(x509, pkey, EVP_md5()))
1213 where = US"installing selfsign cert";
1214 if (!SSL_CTX_use_certificate(sctx, x509))
1217 where = US"installing selfsign key";
1218 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1224 (void) tls_error(where, NULL, NULL, errstr);
1225 if (x509) X509_free(x509);
1226 if (pkey) EVP_PKEY_free(pkey);
1234 tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1237 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1238 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1239 return tls_error(string_sprintf(
1240 "SSL_CTX_use_certificate_chain_file file=%s", file),
1241 cbinfo->host, NULL, errstr);
1246 tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1249 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1250 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1251 return tls_error(string_sprintf(
1252 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1257 /*************************************************
1258 * Expand key and cert file specs *
1259 *************************************************/
1261 /* Called once during tls_init and possibly again during TLS setup, for a
1262 new context, if Server Name Indication was used and tls_sni was seen in
1263 the certificate string.
1266 sctx the SSL_CTX* to update
1267 cbinfo various parts of session state
1268 errstr error string pointer
1270 Returns: OK/DEFER/FAIL
1274 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1279 if (!cbinfo->certificate)
1281 if (!cbinfo->is_server) /* client */
1284 if (tls_install_selfsign(sctx, errstr) != OK)
1291 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1292 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1293 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1295 reexpand_tls_files_for_sni = TRUE;
1297 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1301 if (cbinfo->is_server)
1303 const uschar * file_list = expanded;
1307 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1308 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1311 else /* would there ever be a need for multiple client certs? */
1312 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1315 if ( cbinfo->privatekey
1316 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1319 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1320 of the expansion is an empty string, ignore it also, and assume the private
1321 key is in the same file as the certificate. */
1323 if (expanded && *expanded)
1324 if (cbinfo->is_server)
1326 const uschar * file_list = expanded;
1330 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1331 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1334 else /* would there ever be a need for multiple client certs? */
1335 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1339 #ifndef DISABLE_OCSP
1340 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1343 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
1346 if (expanded && *expanded)
1348 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1349 if ( cbinfo->u_ocsp.server.file_expanded
1350 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1352 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1355 ocsp_load_response(sctx, cbinfo, expanded);
1366 /*************************************************
1367 * Callback to handle SNI *
1368 *************************************************/
1370 /* Called when acting as server during the TLS session setup if a Server Name
1371 Indication extension was sent by the client.
1373 API documentation is OpenSSL s_server.c implementation.
1376 s SSL* of the current session
1377 ad unknown (part of OpenSSL API) (unused)
1378 arg Callback of "our" registered data
1380 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1383 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1385 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1387 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1388 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1390 int old_pool = store_pool;
1391 uschar * dummy_errstr;
1394 return SSL_TLSEXT_ERR_OK;
1396 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1397 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1399 /* Make the extension value available for expansion */
1400 store_pool = POOL_PERM;
1401 tls_in.sni = string_copy(US servername);
1402 store_pool = old_pool;
1404 if (!reexpand_tls_files_for_sni)
1405 return SSL_TLSEXT_ERR_OK;
1407 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1408 not confident that memcpy wouldn't break some internal reference counting.
1409 Especially since there's a references struct member, which would be off. */
1411 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1412 if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1414 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1417 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1418 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1422 /* Not sure how many of these are actually needed, since SSL object
1423 already exists. Might even need this selfsame callback, for reneg? */
1425 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1426 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1427 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1428 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1429 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1430 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1432 if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1433 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1437 if ( cbinfo->server_cipher_list
1438 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
1441 #ifndef DISABLE_OCSP
1442 if (cbinfo->u_ocsp.server.file)
1444 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1445 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1449 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1450 verify_callback_server, &dummy_errstr)) != OK)
1453 /* do this after setup_certs, because this can require the certs for verifying
1454 OCSP information. */
1455 if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1458 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1459 SSL_set_SSL_CTX(s, server_sni);
1460 return SSL_TLSEXT_ERR_OK;
1462 bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
1464 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1469 #ifndef DISABLE_OCSP
1471 /*************************************************
1472 * Callback to handle OCSP Stapling *
1473 *************************************************/
1475 /* Called when acting as server during the TLS session setup if the client
1476 requests OCSP information with a Certificate Status Request.
1478 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1484 tls_server_stapling_cb(SSL *s, void *arg)
1486 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1487 uschar *response_der; /*XXX blob */
1488 int response_der_len;
1490 /*XXX stack: use SSL_get_certificate() to see which cert; from that work
1491 out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1492 buggy in current OpenSSL; it returns the last cert loaded always rather than
1493 the one actually presented. So we can't support a stack of OCSP proofs at
1497 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1498 cbinfo->u_ocsp.server.response ? "have" : "lack");
1500 tls_in.ocsp = OCSP_NOT_RESP;
1501 if (!cbinfo->u_ocsp.server.response)
1502 return SSL_TLSEXT_ERR_NOACK;
1504 response_der = NULL;
1505 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
1507 if (response_der_len <= 0)
1508 return SSL_TLSEXT_ERR_NOACK;
1510 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1511 tls_in.ocsp = OCSP_VFIED;
1512 return SSL_TLSEXT_ERR_OK;
1517 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1519 BIO_printf(bp, "\t%s: ", str);
1520 ASN1_GENERALIZEDTIME_print(bp, time);
1525 tls_client_stapling_cb(SSL *s, void *arg)
1527 tls_ext_ctx_cb * cbinfo = arg;
1528 const unsigned char * p;
1530 OCSP_RESPONSE * rsp;
1531 OCSP_BASICRESP * bs;
1534 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1535 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1538 /* Expect this when we requested ocsp but got none */
1539 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1540 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1542 DEBUG(D_tls) debug_printf(" null\n");
1543 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1546 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1548 tls_out.ocsp = OCSP_FAILED;
1549 if (LOGGING(tls_cipher))
1550 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1552 DEBUG(D_tls) debug_printf(" parse error\n");
1556 if(!(bs = OCSP_response_get1_basic(rsp)))
1558 tls_out.ocsp = OCSP_FAILED;
1559 if (LOGGING(tls_cipher))
1560 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1562 DEBUG(D_tls) debug_printf(" error parsing response\n");
1563 OCSP_RESPONSE_free(rsp);
1567 /* We'd check the nonce here if we'd put one in the request. */
1568 /* However that would defeat cacheability on the server so we don't. */
1570 /* This section of code reworked from OpenSSL apps source;
1571 The OpenSSL Project retains copyright:
1572 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1577 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1579 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1581 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1583 /* Use the chain that verified the server cert to verify the stapled info */
1584 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1586 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1587 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1589 tls_out.ocsp = OCSP_FAILED;
1590 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1591 "Received TLS cert status response, itself unverifiable: %s",
1592 ERR_reason_error_string(ERR_peek_error()));
1593 BIO_printf(bp, "OCSP response verify failure\n");
1594 ERR_print_errors(bp);
1595 OCSP_RESPONSE_print(bp, rsp, 0);
1599 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1601 /*XXX So we have a good stapled OCSP status. How do we know
1602 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1603 OCSP_resp_find_status() which matches on a cert id, which presumably
1604 we should use. Making an id needs OCSP_cert_id_new(), which takes
1605 issuerName, issuerKey, serialNumber. Are they all in the cert?
1607 For now, carry on blindly accepting the resp. */
1610 OCSP_SINGLERESP * single;
1612 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1613 if (OCSP_resp_count(bs) != 1)
1615 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1616 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1619 tls_out.ocsp = OCSP_FAILED;
1620 log_write(0, LOG_MAIN, "OCSP stapling "
1621 "with multiple responses not handled");
1624 single = OCSP_resp_get0(bs, 0);
1625 status = OCSP_single_get0_status(single, &reason, &rev,
1626 &thisupd, &nextupd);
1629 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1630 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1631 if (!OCSP_check_validity(thisupd, nextupd,
1632 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1634 tls_out.ocsp = OCSP_FAILED;
1635 DEBUG(D_tls) ERR_print_errors(bp);
1636 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1640 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1641 OCSP_cert_status_str(status));
1644 case V_OCSP_CERTSTATUS_GOOD:
1645 tls_out.ocsp = OCSP_VFIED;
1648 case V_OCSP_CERTSTATUS_REVOKED:
1649 tls_out.ocsp = OCSP_FAILED;
1650 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1651 reason != -1 ? "; reason: " : "",
1652 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1653 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1656 tls_out.ocsp = OCSP_FAILED;
1657 log_write(0, LOG_MAIN,
1658 "Server certificate status unknown, in OCSP stapling");
1663 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1668 OCSP_RESPONSE_free(rsp);
1671 #endif /*!DISABLE_OCSP*/
1674 /*************************************************
1675 * Initialize for TLS *
1676 *************************************************/
1678 /* Called from both server and client code, to do preliminary initialization
1679 of the library. We allocate and return a context structure.
1682 ctxp returned SSL context
1683 host connected host, if client; NULL if server
1684 dhparam DH parameter file
1685 certificate certificate file
1686 privatekey private key
1687 ocsp_file file of stapling info (server); flag for require ocsp (client)
1688 addr address if client; NULL if server (for some randomness)
1689 cbp place to put allocated callback context
1690 errstr error string pointer
1692 Returns: OK/DEFER/FAIL
1696 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1698 #ifndef DISABLE_OCSP
1699 uschar *ocsp_file, /*XXX stack, in server*/
1701 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
1706 tls_ext_ctx_cb * cbinfo;
1708 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1709 cbinfo->certificate = certificate;
1710 cbinfo->privatekey = privatekey;
1711 cbinfo->is_server = host==NULL;
1712 #ifndef DISABLE_OCSP
1713 cbinfo->verify_stack = NULL;
1716 cbinfo->u_ocsp.server.file = ocsp_file;
1717 cbinfo->u_ocsp.server.file_expanded = NULL;
1718 cbinfo->u_ocsp.server.response = NULL;
1721 cbinfo->u_ocsp.client.verify_store = NULL;
1723 cbinfo->dhparam = dhparam;
1724 cbinfo->server_cipher_list = NULL;
1725 cbinfo->host = host;
1726 #ifndef DISABLE_EVENT
1727 cbinfo->event_action = NULL;
1730 #ifdef EXIM_NEED_OPENSSL_INIT
1731 SSL_load_error_strings(); /* basic set up */
1732 OpenSSL_add_ssl_algorithms();
1735 #ifdef EXIM_HAVE_SHA256
1736 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1737 list of available digests. */
1738 EVP_add_digest(EVP_sha256());
1741 /* Create a context.
1742 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1743 negotiation in the different methods; as far as I can tell, the only
1744 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1745 when OpenSSL is built without SSLv2 support.
1746 By disabling with openssl_options, we can let admins re-enable with the
1749 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1750 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1752 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1754 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1756 /* It turns out that we need to seed the random number generator this early in
1757 order to get the full complement of ciphers to work. It took me roughly a day
1758 of work to discover this by experiment.
1760 On systems that have /dev/urandom, SSL may automatically seed itself from
1761 there. Otherwise, we have to make something up as best we can. Double check
1767 gettimeofday(&r.tv, NULL);
1770 RAND_seed(US (&r), sizeof(r));
1771 RAND_seed(US big_buffer, big_buffer_size);
1772 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
1775 return tls_error(US"RAND_status", host,
1776 US"unable to seed random number generator", errstr);
1779 /* Set up the information callback, which outputs if debugging is at a suitable
1782 DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1783 #ifdef OPENSSL_HAVE_KEYLOG_CB
1784 DEBUG(D_tls) SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
1787 /* Automatically re-try reads/writes after renegotiation. */
1788 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1790 /* Apply administrator-supplied work-arounds.
1791 Historically we applied just one requested option,
1792 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1793 moved to an administrator-controlled list of options to specify and
1794 grandfathered in the first one as the default value for "openssl_options".
1796 No OpenSSL version number checks: the options we accept depend upon the
1797 availability of the option value macros from OpenSSL. */
1799 if (!tls_openssl_options_parse(openssl_options, &init_options))
1800 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
1804 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1805 if (!(SSL_CTX_set_options(ctx, init_options)))
1806 return tls_error(string_sprintf(
1807 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
1810 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1812 /* We'd like to disable session cache unconditionally, but foolish Outlook
1813 Express clients then give up the first TLS connection and make a second one
1814 (which works). Only when there is an IMAP service on the same machine.
1815 Presumably OE is trying to use the cache for A on B. Leave it enabled for
1816 now, until we work out a decent way of presenting control to the config. It
1817 will never be used because we use a new context every time. */
1819 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1822 /* Initialize with DH parameters if supplied */
1823 /* Initialize ECDH temp key parameter selection */
1825 if ( !init_dh(ctx, dhparam, host, errstr)
1826 || !init_ecdh(ctx, host, errstr)
1830 /* Set up certificate and key (and perhaps OCSP info) */
1832 if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
1835 /* If we need to handle SNI or OCSP, do so */
1837 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1838 # ifndef DISABLE_OCSP
1839 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1841 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1846 if (!host) /* server */
1848 # ifndef DISABLE_OCSP
1849 /* We check u_ocsp.server.file, not server.response, because we care about if
1850 the option exists, not what the current expansion might be, as SNI might
1851 change the certificate and OCSP file in use between now and the time the
1852 callback is invoked. */
1853 if (cbinfo->u_ocsp.server.file)
1855 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1856 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1859 /* We always do this, so that $tls_sni is available even if not used in
1861 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1862 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
1864 # ifndef DISABLE_OCSP
1866 if(ocsp_file) /* wanting stapling */
1868 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1870 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1873 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1874 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1879 cbinfo->verify_cert_hostnames = NULL;
1881 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
1882 /* Set up the RSA callback */
1883 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
1886 /* Finally, set the timeout, and we are done */
1888 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
1889 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1900 /*************************************************
1901 * Get name of cipher in use *
1902 *************************************************/
1905 Argument: pointer to an SSL structure for the connection
1906 buffer to use for answer
1908 pointer to number of bits for cipher
1913 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1915 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
1916 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1917 the accessor functions use const in the prototype. */
1919 const uschar * ver = CUS SSL_get_version(ssl);
1920 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1922 SSL_CIPHER_get_bits(c, bits);
1924 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1925 SSL_CIPHER_get_name(c), *bits);
1927 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1932 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
1934 /*XXX we might consider a list-of-certs variable for the cert chain.
1935 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1936 in list-handling functions, also consider the difference between the entire
1937 chain and the elements sent by the peer. */
1939 tlsp->peerdn = NULL;
1941 /* Will have already noted peercert on a verify fail; possibly not the leaf */
1942 if (!tlsp->peercert)
1943 tlsp->peercert = SSL_get_peer_certificate(ssl);
1944 /* Beware anonymous ciphers which lead to server_cert being NULL */
1946 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
1947 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
1950 peerdn[siz-1] = '\0';
1951 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1959 /*************************************************
1960 * Set up for verifying certificates *
1961 *************************************************/
1963 #ifndef DISABLE_OCSP
1964 /* Load certs from file, return TRUE on success */
1967 chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1972 while (sk_X509_num(verify_stack) > 0)
1973 X509_free(sk_X509_pop(verify_stack));
1975 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1976 while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1977 sk_X509_push(verify_stack, x);
1985 /* Called by both client and server startup; on the server possibly
1986 repeated after a Server Name Indication.
1989 sctx SSL_CTX* to initialise
1990 certs certs file or NULL
1991 crl CRL file or NULL
1992 host NULL in a server; the remote host in a client
1993 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1994 otherwise passed as FALSE
1995 cert_vfy_cb Callback function for certificate verification
1996 errstr error string pointer
1998 Returns: OK/DEFER/FAIL
2002 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
2003 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
2005 uschar *expcerts, *expcrl;
2007 if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
2009 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
2011 if (expcerts && *expcerts)
2013 /* Tell the library to use its compiled-in location for the system default
2014 CA bundle. Then add the ones specified in the config, if any. */
2016 if (!SSL_CTX_set_default_verify_paths(sctx))
2017 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
2019 if (Ustrcmp(expcerts, "system") != 0)
2021 struct stat statbuf;
2023 if (Ustat(expcerts, &statbuf) < 0)
2025 log_write(0, LOG_MAIN|LOG_PANIC,
2026 "failed to stat %s for certificates", expcerts);
2032 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2033 { file = NULL; dir = expcerts; }
2036 file = expcerts; dir = NULL;
2037 #ifndef DISABLE_OCSP
2038 /* In the server if we will be offering an OCSP proof, load chain from
2039 file for verifying the OCSP proof at load time. */
2042 && statbuf.st_size > 0
2043 && server_static_cbinfo->u_ocsp.server.file
2044 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2047 log_write(0, LOG_MAIN|LOG_PANIC,
2048 "failed to load cert chain from %s", file);
2054 /* If a certificate file is empty, the next function fails with an
2055 unhelpful error message. If we skip it, we get the correct behaviour (no
2056 certificates are recognized, but the error message is still misleading (it
2057 says no certificate was supplied). But this is better. */
2059 if ( (!file || statbuf.st_size > 0)
2060 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
2061 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
2063 /* Load the list of CAs for which we will accept certs, for sending
2064 to the client. This is only for the one-file tls_verify_certificates
2066 If a list isn't loaded into the server, but some verify locations are set,
2067 the server end appears to make a wildcard request for client certs.
2068 Meanwhile, the client library as default behaviour *ignores* the list
2069 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2070 Because of this, and that the dir variant is likely only used for
2071 the public-CA bundle (not for a private CA), not worth fixing. */
2075 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
2077 SSL_CTX_set_client_CA_list(sctx, names);
2078 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
2079 sk_X509_NAME_num(names));
2084 /* Handle a certificate revocation list. */
2086 #if OPENSSL_VERSION_NUMBER > 0x00907000L
2088 /* This bit of code is now the version supplied by Lars Mainka. (I have
2089 merely reformatted it into the Exim code style.)
2091 "From here I changed the code to add support for multiple crl's
2092 in pem format in one file or to support hashed directory entries in
2093 pem format instead of a file. This method now uses the library function
2094 X509_STORE_load_locations to add the CRL location to the SSL context.
2095 OpenSSL will then handle the verify against CA certs and CRLs by
2096 itself in the verify callback." */
2098 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
2099 if (expcrl && *expcrl)
2101 struct stat statbufcrl;
2102 if (Ustat(expcrl, &statbufcrl) < 0)
2104 log_write(0, LOG_MAIN|LOG_PANIC,
2105 "failed to stat %s for certificates revocation lists", expcrl);
2110 /* is it a file or directory? */
2112 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
2113 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
2117 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
2123 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
2125 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
2126 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
2128 /* setting the flags to check against the complete crl chain */
2130 X509_STORE_set_flags(cvstore,
2131 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2135 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
2137 /* If verification is optional, don't fail if no certificate */
2139 SSL_CTX_set_verify(sctx,
2140 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2149 /*************************************************
2150 * Start a TLS session in a server *
2151 *************************************************/
2153 /* This is called when Exim is running as a server, after having received
2154 the STARTTLS command. It must respond to that command, and then negotiate
2158 require_ciphers allowed ciphers
2159 errstr pointer to error message
2161 Returns: OK on success
2162 DEFER for errors before the start of the negotiation
2163 FAIL for errors during the negotiation; the server can't
2168 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2171 uschar * expciphers;
2172 tls_ext_ctx_cb * cbinfo;
2173 static uschar peerdn[256];
2174 static uschar cipherbuf[256];
2176 /* Check for previous activation */
2178 if (tls_in.active.sock >= 0)
2180 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
2181 smtp_printf("554 Already in TLS\r\n", FALSE);
2185 /* Initialize the SSL library. If it fails, it will already have logged
2188 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
2189 #ifndef DISABLE_OCSP
2190 tls_ocsp_file, /*XXX stack*/
2192 NULL, &server_static_cbinfo, errstr);
2193 if (rc != OK) return rc;
2194 cbinfo = server_static_cbinfo;
2196 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
2199 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2200 were historically separated by underscores. So that I can use either form in my
2201 tests, and also for general convenience, we turn underscores into hyphens here.
2203 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2204 for TLS 1.3 . Since we do not call it at present we get the default list:
2205 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
2210 uschar * s = expciphers;
2211 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2212 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2213 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
2214 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
2215 cbinfo->server_cipher_list = expciphers;
2218 /* If this is a host for which certificate verification is mandatory or
2219 optional, set up appropriately. */
2221 tls_in.certificate_verified = FALSE;
2223 tls_in.dane_verified = FALSE;
2225 server_verify_callback_called = FALSE;
2227 if (verify_check_host(&tls_verify_hosts) == OK)
2229 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2230 FALSE, verify_callback_server, errstr);
2231 if (rc != OK) return rc;
2232 server_verify_optional = FALSE;
2234 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2236 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2237 TRUE, verify_callback_server, errstr);
2238 if (rc != OK) return rc;
2239 server_verify_optional = TRUE;
2242 /* Prepare for new connection */
2244 if (!(server_ssl = SSL_new(server_ctx)))
2245 return tls_error(US"SSL_new", NULL, NULL, errstr);
2247 /* Warning: we used to SSL_clear(ssl) here, it was removed.
2249 * With the SSL_clear(), we get strange interoperability bugs with
2250 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2251 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2253 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2254 * session shutdown. In this case, we have a brand new object and there's no
2255 * obvious reason to immediately clear it. I'm guessing that this was
2256 * originally added because of incomplete initialisation which the clear fixed,
2257 * in some historic release.
2260 /* Set context and tell client to go ahead, except in the case of TLS startup
2261 on connection, where outputting anything now upsets the clients and tends to
2262 make them disconnect. We need to have an explicit fflush() here, to force out
2263 the response. Other smtp_printf() calls do not need it, because in non-TLS
2264 mode, the fflush() happens when smtp_getc() is called. */
2266 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2267 if (!tls_in.on_connect)
2269 smtp_printf("220 TLS go ahead\r\n", FALSE);
2273 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2274 that the OpenSSL library doesn't. */
2276 SSL_set_wfd(server_ssl, fileno(smtp_out));
2277 SSL_set_rfd(server_ssl, fileno(smtp_in));
2278 SSL_set_accept_state(server_ssl);
2280 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2282 sigalrm_seen = FALSE;
2283 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2284 rc = SSL_accept(server_ssl);
2289 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2293 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2294 ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
2295 anon-authentication ciphersuite negociated. */
2297 /* TLS has been set up. Adjust the input functions to read via TLS,
2298 and initialize things. */
2300 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2302 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2303 tls_in.cipher = cipherbuf;
2308 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
2309 debug_printf("Shared ciphers: %s\n", buf);
2312 /* Record the certificate we presented */
2314 X509 * crt = SSL_get_certificate(server_ssl);
2315 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2318 /* Only used by the server-side tls (tls_in), including tls_getc.
2319 Client-side (tls_out) reads (seem to?) go via
2320 smtp_read_response()/ip_recv().
2321 Hence no need to duplicate for _in and _out.
2323 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2324 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2325 ssl_xfer_eof = ssl_xfer_error = FALSE;
2327 receive_getc = tls_getc;
2328 receive_getbuf = tls_getbuf;
2329 receive_get_cache = tls_get_cache;
2330 receive_ungetc = tls_ungetc;
2331 receive_feof = tls_feof;
2332 receive_ferror = tls_ferror;
2333 receive_smtp_buffered = tls_smtp_buffered;
2335 tls_in.active.sock = fileno(smtp_out);
2336 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
2344 tls_client_basic_ctx_init(SSL_CTX * ctx,
2345 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2349 /* stick to the old behaviour for compatibility if tls_verify_certificates is
2350 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2351 the specified host patterns if one of them is defined */
2353 if ( ( !ob->tls_verify_hosts
2354 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2356 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2358 client_verify_optional = FALSE;
2359 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2360 client_verify_optional = TRUE;
2364 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2365 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2369 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2371 cbinfo->verify_cert_hostnames =
2373 string_domain_utf8_to_alabel(host->name, NULL);
2377 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2378 cbinfo->verify_cert_hostnames);
2386 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2389 const char * hostnames[2] = { CS host->name, NULL };
2392 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2393 return tls_error(US"hostnames load", host, NULL, errstr);
2395 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2396 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2397 ) if (rr->type == T_TLSA && rr->size > 3)
2399 const uschar * p = rr->data;
2400 uint8_t usage, selector, mtype;
2401 const char * mdname;
2405 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2406 if (usage != 2 && usage != 3) continue;
2413 default: continue; /* Only match-types 0, 1, 2 are supported */
2414 case 0: mdname = NULL; break;
2415 case 1: mdname = "sha256"; break;
2416 case 2: mdname = "sha512"; break;
2420 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2423 return tls_error(US"tlsa load", host, NULL, errstr);
2424 case 0: /* action not taken */
2428 tls_out.tlsa_usage |= 1<<usage;
2434 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2437 #endif /*SUPPORT_DANE*/
2441 /*************************************************
2442 * Start a TLS session in a client *
2443 *************************************************/
2445 /* Called from the smtp transport after STARTTLS has been accepted.
2448 fd the fd of the connection
2449 host connected host (for messages and option-tests)
2450 addr the first address (for some randomness; can be NULL)
2451 tb transport (always smtp)
2452 tlsa_dnsa tlsa lookup, if DANE, else null
2453 tlsp record details of channel configuration here; must be non-NULL
2454 errstr error string pointer
2456 Returns: Pointer to TLS session context, or NULL on error
2460 tls_client_start(int fd, host_item *host, address_item *addr,
2461 transport_instance * tb,
2463 dns_answer * tlsa_dnsa,
2465 tls_support * tlsp, uschar ** errstr)
2467 smtp_transport_options_block * ob = tb
2468 ? (smtp_transport_options_block *)tb->options_block
2469 : &smtp_transport_option_defaults;
2470 exim_openssl_client_tls_ctx * exim_client_ctx;
2471 static uschar peerdn[256];
2472 uschar * expciphers;
2474 static uschar cipherbuf[256];
2476 #ifndef DISABLE_OCSP
2477 BOOL request_ocsp = FALSE;
2478 BOOL require_ocsp = FALSE;
2482 store_pool = POOL_PERM;
2483 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
2487 tlsp->tlsa_usage = 0;
2490 #ifndef DISABLE_OCSP
2492 # ifdef SUPPORT_DANE
2494 && ob->hosts_request_ocsp[0] == '*'
2495 && ob->hosts_request_ocsp[1] == '\0'
2498 /* Unchanged from default. Use a safer one under DANE */
2499 request_ocsp = TRUE;
2500 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2501 " {= {4}{$tls_out_tlsa_usage}} } "
2507 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
2508 request_ocsp = TRUE;
2510 # ifdef SUPPORT_DANE
2514 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2518 rc = tls_init(&exim_client_ctx->ctx, host, NULL,
2519 ob->tls_certificate, ob->tls_privatekey,
2520 #ifndef DISABLE_OCSP
2521 (void *)(long)request_ocsp,
2523 addr, &client_static_cbinfo, errstr);
2524 if (rc != OK) return NULL;
2526 tlsp->certificate_verified = FALSE;
2527 client_verify_callback_called = FALSE;
2533 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2534 other failures should be treated as problems. */
2535 if (ob->dane_require_tls_ciphers &&
2536 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2537 &expciphers, errstr))
2539 if (expciphers && *expciphers == '\0')
2544 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2545 &expciphers, errstr))
2548 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2549 are separated by underscores. So that I can use either form in my tests, and
2550 also for general convenience, we turn underscores into hyphens here. */
2554 uschar *s = expciphers;
2555 while (*s) { if (*s == '_') *s = '-'; s++; }
2556 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2557 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2559 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2567 SSL_CTX_set_verify(exim_client_ctx->ctx,
2568 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2569 verify_callback_client_dane);
2571 if (!DANESSL_library_init())
2573 tls_error(US"library init", host, NULL, errstr);
2576 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2578 tls_error(US"context init", host, NULL, errstr);
2586 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2587 client_static_cbinfo, errstr) != OK)
2590 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
2592 tls_error(US"SSL_new", host, NULL, errstr);
2595 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
2596 SSL_set_fd(exim_client_ctx->ssl, fd);
2597 SSL_set_connect_state(exim_client_ctx->ssl);
2601 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
2605 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2607 else if (!Ustrlen(tlsp->sni))
2611 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2612 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
2613 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
2615 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
2623 if (dane_tlsa_load(exim_client_ctx->ssl, host, tlsa_dnsa, errstr) != OK)
2627 #ifndef DISABLE_OCSP
2628 /* Request certificate status at connection-time. If the server
2629 does OCSP stapling we will get the callback (set in tls_init()) */
2630 # ifdef SUPPORT_DANE
2634 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2635 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2637 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2638 this means we avoid the OCSP request, we wasted the setup
2639 cost in tls_init(). */
2640 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
2641 request_ocsp = require_ocsp
2642 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2649 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
2650 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2651 tlsp->ocsp = OCSP_NOT_RESP;
2655 #ifndef DISABLE_EVENT
2656 client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
2659 /* There doesn't seem to be a built-in timeout on connection. */
2661 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2662 sigalrm_seen = FALSE;
2663 ALARM(ob->command_timeout);
2664 rc = SSL_connect(exim_client_ctx->ssl);
2669 DANESSL_cleanup(exim_client_ctx->ssl);
2674 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
2678 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2680 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
2682 construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
2683 tlsp->cipher = cipherbuf;
2685 /* Record the certificate we presented */
2687 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
2688 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
2691 tlsp->active.sock = fd;
2692 tlsp->active.tls_ctx = exim_client_ctx;
2693 return exim_client_ctx;
2701 tls_refill(unsigned lim)
2706 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2707 ssl_xfer_buffer, ssl_xfer_buffer_size);
2709 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2710 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2711 MIN(ssl_xfer_buffer_size, lim));
2712 error = SSL_get_error(server_ssl, inbytes);
2713 if (smtp_receive_timeout > 0) ALARM_CLR(0);
2715 if (had_command_timeout) /* set by signal handler */
2716 smtp_command_timeout_exit(); /* does not return */
2717 if (had_command_sigterm)
2718 smtp_command_sigterm_exit();
2719 if (had_data_timeout)
2720 smtp_data_timeout_exit();
2721 if (had_data_sigint)
2722 smtp_data_sigint_exit();
2724 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2725 closed down, not that the socket itself has been closed down. Revert to
2726 non-SSL handling. */
2730 case SSL_ERROR_NONE:
2733 case SSL_ERROR_ZERO_RETURN:
2734 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2736 receive_getc = smtp_getc;
2737 receive_getbuf = smtp_getbuf;
2738 receive_get_cache = smtp_get_cache;
2739 receive_ungetc = smtp_ungetc;
2740 receive_feof = smtp_feof;
2741 receive_ferror = smtp_ferror;
2742 receive_smtp_buffered = smtp_buffered;
2744 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2745 SSL_shutdown(server_ssl);
2747 #ifndef DISABLE_OCSP
2748 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2749 server_static_cbinfo->verify_stack = NULL;
2751 SSL_free(server_ssl);
2752 SSL_CTX_free(server_ctx);
2755 tls_in.active.sock = -1;
2756 tls_in.active.tls_ctx = NULL;
2758 tls_in.cipher = NULL;
2759 tls_in.peerdn = NULL;
2764 /* Handle genuine errors */
2766 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
2767 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2768 ssl_xfer_error = TRUE;
2772 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2773 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
2774 debug_printf(" - syscall %s\n", strerror(errno));
2775 ssl_xfer_error = TRUE;
2779 #ifndef DISABLE_DKIM
2780 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2782 ssl_xfer_buffer_hwm = inbytes;
2783 ssl_xfer_buffer_lwm = 0;
2788 /*************************************************
2789 * TLS version of getc *
2790 *************************************************/
2792 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2793 it refills the buffer via the SSL reading function.
2795 Arguments: lim Maximum amount to read/buffer
2796 Returns: the next character or EOF
2798 Only used by the server-side TLS.
2802 tls_getc(unsigned lim)
2804 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2805 if (!tls_refill(lim))
2806 return ssl_xfer_error ? EOF : smtp_getc(lim);
2808 /* Something in the buffer; return next uschar */
2810 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2814 tls_getbuf(unsigned * len)
2819 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2820 if (!tls_refill(*len))
2822 if (!ssl_xfer_error) return smtp_getbuf(len);
2827 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2829 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2830 ssl_xfer_buffer_lwm += size;
2839 #ifndef DISABLE_DKIM
2840 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2842 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
2848 tls_could_read(void)
2850 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
2854 /*************************************************
2855 * Read bytes from TLS channel *
2856 *************************************************/
2860 ct_ctx client context pointer, or NULL for the one global server context
2864 Returns: the number of bytes read
2865 -1 after a failed read, including EOF
2867 Only used by the client-side TLS.
2871 tls_read(void * ct_ctx, uschar *buff, size_t len)
2873 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
2877 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2878 buff, (unsigned int)len);
2880 inbytes = SSL_read(ssl, CS buff, len);
2881 error = SSL_get_error(ssl, inbytes);
2883 if (error == SSL_ERROR_ZERO_RETURN)
2885 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2888 else if (error != SSL_ERROR_NONE)
2898 /*************************************************
2899 * Write bytes down TLS channel *
2900 *************************************************/
2904 ct_ctx client context pointer, or NULL for the one global server context
2907 more further data expected soon
2909 Returns: the number of bytes after a successful write,
2910 -1 after a failed write
2912 Used by both server-side and client-side TLS.
2916 tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
2919 int outbytes, error;
2920 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
2921 static gstring * corked = NULL;
2923 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
2924 buff, (unsigned long)len, more ? ", more" : "");
2926 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2927 "more" is notified. This hack is only ok if small amounts are involved AND only
2928 one stream does it, in one context (i.e. no store reset). Currently it is used
2929 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2930 /* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
2931 a store reset there, so use POOL_PERM. */
2932 /* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
2934 if ((more || corked))
2936 #ifdef EXPERIMENTAL_PIPE_CONNECT
2937 int save_pool = store_pool;
2938 store_pool = POOL_PERM;
2941 corked = string_catn(corked, buff, len);
2943 #ifdef EXPERIMENTAL_PIPE_CONNECT
2944 store_pool = save_pool;
2949 buff = CUS corked->s;
2954 for (int left = len; left > 0;)
2956 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
2957 outbytes = SSL_write(ssl, CS buff, left);
2958 error = SSL_get_error(ssl, outbytes);
2959 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2963 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
2964 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2967 case SSL_ERROR_NONE:
2972 case SSL_ERROR_ZERO_RETURN:
2973 log_write(0, LOG_MAIN, "SSL channel closed on write");
2976 case SSL_ERROR_SYSCALL:
2977 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2978 sender_fullhost ? sender_fullhost : US"<unknown>",
2983 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2992 /*************************************************
2993 * Close down a TLS session *
2994 *************************************************/
2996 /* This is also called from within a delivery subprocess forked from the
2997 daemon, to shut down the TLS library, without actually doing a shutdown (which
2998 would tamper with the SSL session in the parent process).
3001 ct_ctx client TLS context pointer, or NULL for the one global server context
3002 shutdown 1 if TLS close-alert is to be sent,
3003 2 if also response to be waited for
3007 Used by both server-side and client-side TLS.
3011 tls_close(void * ct_ctx, int shutdown)
3013 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3014 SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3015 SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3016 int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
3018 if (*fdp < 0) return; /* TLS was not active */
3023 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3024 shutdown > 1 ? " (with response-wait)" : "");
3026 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3030 rc = SSL_shutdown(*sslp); /* wait for response */
3034 if (rc < 0) DEBUG(D_tls)
3036 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3037 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3041 #ifndef DISABLE_OCSP
3042 if (!o_ctx) /* server side */
3044 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3045 server_static_cbinfo->verify_stack = NULL;
3049 SSL_CTX_free(*ctxp);
3059 /*************************************************
3060 * Let tls_require_ciphers be checked at startup *
3061 *************************************************/
3063 /* The tls_require_ciphers option, if set, must be something which the
3066 Returns: NULL on success, or error message
3070 tls_validate_require_cipher(void)
3073 uschar *s, *expciphers, *err;
3075 /* this duplicates from tls_init(), we need a better "init just global
3076 state, for no specific purpose" singleton function of our own */
3078 #ifdef EXIM_NEED_OPENSSL_INIT
3079 SSL_load_error_strings();
3080 OpenSSL_add_ssl_algorithms();
3082 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3083 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
3084 list of available digests. */
3085 EVP_add_digest(EVP_sha256());
3088 if (!(tls_require_ciphers && *tls_require_ciphers))
3091 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3093 return US"failed to expand tls_require_ciphers";
3095 if (!(expciphers && *expciphers))
3098 /* normalisation ripped from above */
3100 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3104 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3105 if (!(ctx = SSL_CTX_new(TLS_server_method())))
3107 if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3110 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3111 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3115 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3117 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3119 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3120 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3121 expciphers, ssl_errstring);
3132 /*************************************************
3133 * Report the library versions. *
3134 *************************************************/
3136 /* There have historically been some issues with binary compatibility in
3137 OpenSSL libraries; if Exim (like many other applications) is built against
3138 one version of OpenSSL but the run-time linker picks up another version,
3139 it can result in serious failures, including crashing with a SIGSEGV. So
3140 report the version found by the compiler and the run-time version.
3142 Note: some OS vendors backport security fixes without changing the version
3143 number/string, and the version date remains unchanged. The _build_ date
3144 will change, so we can more usefully assist with version diagnosis by also
3145 reporting the build date.
3147 Arguments: a FILE* to print the results to
3152 tls_version_report(FILE *f)
3154 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
3157 OPENSSL_VERSION_TEXT,
3158 SSLeay_version(SSLEAY_VERSION),
3159 SSLeay_version(SSLEAY_BUILT_ON));
3160 /* third line is 38 characters for the %s and the line is 73 chars long;
3161 the OpenSSL output includes a "built on: " prefix already. */
3167 /*************************************************
3168 * Random number generation *
3169 *************************************************/
3171 /* Pseudo-random number generation. The result is not expected to be
3172 cryptographically strong but not so weak that someone will shoot themselves
3173 in the foot using it as a nonce in input in some email header scheme or
3174 whatever weirdness they'll twist this into. The result should handle fork()
3175 and avoid repeating sequences. OpenSSL handles that for us.
3179 Returns a random number in range [0, max-1]
3183 vaguely_random_number(int max)
3187 static pid_t pidlast = 0;
3189 uschar smallbuf[sizeof(r)];
3195 if (pidnow != pidlast)
3197 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3198 is unique for each thread", this doesn't apparently apply across processes,
3199 so our own warning from vaguely_random_number_fallback() applies here too.
3200 Fix per PostgreSQL. */
3206 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3210 gettimeofday(&r.tv, NULL);
3213 RAND_seed(US (&r), sizeof(r));
3215 /* We're after pseudo-random, not random; if we still don't have enough data
3216 in the internal PRNG then our options are limited. We could sleep and hope
3217 for entropy to come along (prayer technique) but if the system is so depleted
3218 in the first place then something is likely to just keep taking it. Instead,
3219 we'll just take whatever little bit of pseudo-random we can still manage to
3222 needed_len = sizeof(r);
3223 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3224 asked for a number less than 10. */
3225 for (r = max, i = 0; r; ++i)
3231 #ifdef EXIM_HAVE_RAND_PSEUDO
3232 /* We do not care if crypto-strong */
3233 i = RAND_pseudo_bytes(smallbuf, needed_len);
3235 i = RAND_bytes(smallbuf, needed_len);
3241 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3242 return vaguely_random_number_fallback(max);
3246 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3249 /* We don't particularly care about weighted results; if someone wants
3250 smooth distribution and cares enough then they should submit a patch then. */
3257 /*************************************************
3258 * OpenSSL option parse *
3259 *************************************************/
3261 /* Parse one option for tls_openssl_options_parse below
3264 name one option name
3265 value place to store a value for it
3266 Returns success or failure in parsing
3272 tls_openssl_one_option_parse(uschar *name, long *value)
3275 int last = exim_openssl_options_size;
3276 while (last > first)
3278 int middle = (first + last)/2;
3279 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3282 *value = exim_openssl_options[middle].value;
3296 /*************************************************
3297 * OpenSSL option parsing logic *
3298 *************************************************/
3300 /* OpenSSL has a number of compatibility options which an administrator might
3301 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3302 we look like log_selector.
3305 option_spec the administrator-supplied string of options
3306 results ptr to long storage for the options bitmap
3307 Returns success or failure
3311 tls_openssl_options_parse(uschar *option_spec, long *results)
3316 BOOL adding, item_parsed;
3318 result = SSL_OP_NO_TICKET;
3319 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
3320 * from default because it increases BEAST susceptibility. */
3321 #ifdef SSL_OP_NO_SSLv2
3322 result |= SSL_OP_NO_SSLv2;
3324 #ifdef SSL_OP_SINGLE_DH_USE
3325 result |= SSL_OP_SINGLE_DH_USE;
3334 for (uschar * s = option_spec; *s != '\0'; /**/)
3336 while (isspace(*s)) ++s;
3339 if (*s != '+' && *s != '-')
3341 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
3342 "+ or - expected but found \"%s\"\n", s);
3345 adding = *s++ == '+';
3346 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3349 item_parsed = tls_openssl_one_option_parse(s, &item);
3353 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
3356 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3357 adding ? "adding" : "removing", result, item, s);
3369 #endif /*!MACRO_PREDEF*/
3372 /* End of tls-openssl.c */