projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Docs: Add missing DMARC ACL control= entry
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP		 10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP		 14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 16Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 17appropriate.
059ec3d9 18
17c76198
PP		 19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP		 24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP		 27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP		 32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP		 37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
184384c3 42
a5f239e4
PP		 43/* needed to disable PKCS11 autoload unless requested */
44#if GNUTLS_VERSION_NUMBER >= 0x020c00
45# include <gnutls/pkcs11.h>
76075bb5 46# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 47#endif
7e07527a
JH		 48#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
49# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
50# define DISABLE_OCSP
51#endif
0cbf2b82 52#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 53# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 54# define DISABLE_EVENT
a7538db1 55#endif
a7fec7a7
JH		 56#if GNUTLS_VERSION_NUMBER >= 0x030306
57# define SUPPORT_CA_DIR
58#else
59# undef SUPPORT_CA_DIR
60#endif
11a04b5a 61#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH		 62# define SUPPORT_SYSDEFAULT_CABUNDLE
63#endif
184384c3
JH		 64#if GNUTLS_VERSION_NUMBER >= 0x030104
65# define GNUTLS_CERT_VFY_STATUS_PRINT
66#endif
925ac8e4
JH		 67#if GNUTLS_VERSION_NUMBER >= 0x030109
68# define SUPPORT_CORK
69#endif
f20cfa4a
JH		 70#if GNUTLS_VERSION_NUMBER >= 0x03010a
71# define SUPPORT_GNUTLS_SESS_DESC
72#endif
4d2a62a3
JH		 73#if GNUTLS_VERSION_NUMBER >= 0x030300
74# define GNUTLS_AUTO_GLOBAL_INIT
9f707b89 75# define GNUTLS_AUTO_PKCS11_MANUAL
4d2a62a3 76#endif
97277c1f
JH		 77#if (GNUTLS_VERSION_NUMBER >= 0x030404) \
78 || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
79# ifndef DISABLE_OCSP
80# define EXIM_HAVE_OCSP
81# endif
82#endif
f20cfa4a
JH		 83#if GNUTLS_VERSION_NUMBER >= 0x030500
84# define SUPPORT_GNUTLS_KEYLOG
85#endif
47195144
JH		 86#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
87# define SUPPORT_SRV_OCSP_STACK
88#endif
49132a3b
JH		 89#if GNUTLS_VERSION_NUMBER >= 0x030600
90# define GNUTLS_AUTO_DHPARAMS
91#endif
be427508 92#if GNUTLS_VERSION_NUMBER >= 0x030603
e326959e 93# define EXIM_HAVE_TLS1_3
be427508 94# define SUPPORT_GNUTLS_EXT_RAW_PARSE
e326959e 95# define GNUTLS_OCSP_STATUS_REQUEST_GET2
be427508 96#endif
c0635b6d
JH		 97
98#ifdef SUPPORT_DANE
99# if GNUTLS_VERSION_NUMBER >= 0x030000
100# define DANESSL_USAGE_DANE_TA 2
101# define DANESSL_USAGE_DANE_EE 3
102# else
103# error GnuTLS version too early for DANE
104# endif
105# if GNUTLS_VERSION_NUMBER < 0x999999
106# define GNUTLS_BROKEN_DANE_VALIDATION
107# endif
899b8bbc 108#endif
7e07527a 109
43e2db44
JH		 110#ifdef EXPERIMENTAL_TLS_RESUME
111# if GNUTLS_VERSION_NUMBER < 0x030603
112# error GNUTLS version too early for session-resumption
113# endif
114#endif
115
f2de3a33 116#ifndef DISABLE_OCSP
2b4a568d
JH		 117# include <gnutls/ocsp.h>
118#endif
899b8bbc
JH		 119#ifdef SUPPORT_DANE
120# include <gnutls/dane.h>
121#endif
059ec3d9 122
f1be21cf
JH		 123#include "tls-cipher-stdname.c"
124
125
b10c87b3
JH		 126#ifdef MACRO_PREDEF
127void
128options_tls(void)
129{
130# ifdef EXPERIMENTAL_TLS_RESUME
131builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
132# endif
e326959e
JH		 133# ifdef EXIM_HAVE_TLS1_3
134builtin_macro_create(US"_HAVE_TLS1_3");
135# endif
97277c1f
JH		 136# ifdef EXIM_HAVE_OCSP
137builtin_macro_create(US"_HAVE_TLS_OCSP");
138# endif
139# ifdef SUPPORT_SRV_OCSP_STACK
140builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
141# endif
b10c87b3
JH		 142}
143#else
144
145
17c76198 146/* GnuTLS 2 vs 3
059ec3d9 147
17c76198
PP		 148GnuTLS 3 only:
149 gnutls_global_set_audit_log_function()
059ec3d9 150
17c76198
PP		 151Changes:
152 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
153*/
059ec3d9 154
17c76198 155/* Local static variables for GnuTLS */
059ec3d9 156
17c76198 157/* Values for verify_requirement */
059ec3d9 158
e51c7be2 159enum peer_verify_requirement
899b8bbc 160 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
059ec3d9 161
17c76198
PP		 162/* This holds most state for server or client; with this, we can set up an
163outbound TLS-enabled connection in an ACL callout, while not stomping all
164over the TLS variables available for expansion.
059ec3d9 165
17c76198
PP		 166Some of these correspond to variables in globals.c; those variables will
167be set to point to content in one of these instances, as appropriate for
168the stage of the process lifetime.
059ec3d9 169
b1a32a3c 170Not handled here: global tlsp->tls_channelbinding.
17c76198 171*/
059ec3d9 172
17c76198 173typedef struct exim_gnutls_state {
9d1c15ef 174 gnutls_session_t session;
17c76198 175 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 176 gnutls_priority_t priority_cache;
17c76198 177 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH		 178 int fd_in;
179 int fd_out;
180 BOOL peer_cert_verified;
899b8bbc 181 BOOL peer_dane_verified;
9d1c15ef
JH		 182 BOOL trigger_sni_changes;
183 BOOL have_set_peerdn;
5fd28bb8 184 const struct host_item *host; /* NULL if server */
afdb5e9c 185 gnutls_x509_crt_t peercert;
9d1c15ef
JH		 186 uschar *peerdn;
187 uschar *ciphersuite;
188 uschar *received_sni;
17c76198
PP		 189
190 const uschar *tls_certificate;
191 const uschar *tls_privatekey;
192 const uschar *tls_sni; /* client send only, not received */
193 const uschar *tls_verify_certificates;
194 const uschar *tls_crl;
195 const uschar *tls_require_ciphers;
e51c7be2 196
17c76198
PP		 197 uschar *exp_tls_certificate;
198 uschar *exp_tls_privatekey;
17c76198
PP		 199 uschar *exp_tls_verify_certificates;
200 uschar *exp_tls_crl;
201 uschar *exp_tls_require_ciphers;
55414b25 202 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 203#ifndef DISABLE_EVENT
a7538db1
JH		 204 uschar *event_action;
205#endif
899b8bbc
JH		 206#ifdef SUPPORT_DANE
207 char * const * dane_data;
208 const int * dane_data_len;
209#endif
17c76198 210
389ca47a 211 tls_support *tlsp; /* set in tls_init() */
817d9f57 212
17c76198
PP		 213 uschar *xfer_buffer;
214 int xfer_buffer_lwm;
215 int xfer_buffer_hwm;
8b77d27a
JH		 216 BOOL xfer_eof; /*XXX never gets set! */
217 BOOL xfer_error;
17c76198
PP		 218} exim_gnutls_state_st;
219
220static const exim_gnutls_state_st exim_gnutls_state_init = {
b10c87b3 221 /* all elements not explicitly intialised here get 0/NULL/FALSE */
f2ed27cf
JH		 222 .fd_in = -1,
223 .fd_out = -1,
17c76198 224};
83da1223 225
17c76198
PP		 226/* Not only do we have our own APIs which don't pass around state, assuming
227it's held in globals, GnuTLS doesn't appear to let us register callback data
228for callbacks, or as part of the session, so we have to keep a "this is the
229context we're currently dealing with" pointer and rely upon being
230single-threaded to keep from processing data on an inbound TLS connection while
231talking to another TLS connection for an outbound check. This does mean that
232there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH		 233second connection.
234XXX But see gnutls_session_get_ptr()
235*/
059ec3d9 236
74f1a423 237static exim_gnutls_state_st state_server;
059ec3d9 238
49132a3b 239#ifndef GNUTLS_AUTO_DHPARAMS
17c76198
PP		 240/* dh_params are initialised once within the lifetime of a process using TLS;
241if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
242don't want to repeat this. */
83da1223 243
17c76198 244static gnutls_dh_params_t dh_server_params = NULL;
49132a3b 245#endif
059ec3d9 246
dea4b568 247static int ssl_session_timeout = 7200; /* Two hours */
059ec3d9 248
fc243e94 249static const uschar * const exim_default_gnutls_priority = US"NORMAL";
83da1223 250
17c76198 251/* Guard library core initialisation */
83da1223 252
17c76198 253static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 254
4fb7df6d 255#ifndef DISABLE_OCSP
9196d5bf 256static BOOL gnutls_buggy_ocsp = FALSE;
e5489333 257static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
4fb7df6d 258#endif
9196d5bf 259
b10c87b3
JH		 260#ifdef EXPERIMENTAL_TLS_RESUME
261static gnutls_datum_t server_sessticket_key;
262#endif
059ec3d9 263
17c76198
PP		 264/* ------------------------------------------------------------------------ */
265/* macros */
83da1223 266
17c76198 267#define MAX_HOST_LEN 255
83da1223 268
17c76198
PP		 269/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
270the library logging; a value less than 0 disables the calls to set up logging
dc6d1769
JH		 271callbacks. GNuTLS also looks for an environment variable - except not for
272setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
273Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
274but the env var must be added to /etc/sudoers too. */
2c17bb02 275#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
b1a4f234 276# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 277#endif
83da1223 278
2c17bb02 279#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 280# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 281#endif
83da1223 282
af3498d6
PP		 283/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
284can ask for a bit-strength. Without that, we stick to the constant we had
285before, for now. */
2c17bb02 286#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 287# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 288#endif
af3498d6 289
cf0c6164
JH		 290#define expand_check_tlsvar(Varname, errstr) \
291 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 292
17c76198 293#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH		 294# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
295# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
296# define HAVE_GNUTLS_RND
2519e60d
TL		 297/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
298 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
299 * isn't available sometimes, so this needs to become a conditional
300 * compilation; the sanest way to deal with this being a problem on
301 * older OSes is to block it in the Local/Makefile with this compiler
302 * definition */
e51c7be2
JH		 303# ifndef AVOID_GNUTLS_PKCS11
304# define HAVE_GNUTLS_PKCS11
305# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 306#endif
83da1223 307
af3498d6
PP		 308
309
310
311/* ------------------------------------------------------------------------ */
312/* Callback declarations */
313
314#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
315static void exim_gnutls_logger_cb(int level, const char *message);
316#endif
317
318static int exim_sni_handling_cb(gnutls_session_t session);
319
e5489333
JH		 320#ifdef EXPERIMENTAL_TLS_RESUME
321static int
322tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
323 unsigned incoming, const gnutls_datum_t * msg);
324#endif
af3498d6
PP		 325
326
b10c87b3
JH		 327/* Daemon one-time initialisation */
328void
329tls_daemon_init(void)
330{
331#ifdef EXPERIMENTAL_TLS_RESUME
332/* We are dependent on the GnuTLS implementation of the Session Ticket
333encryption; both the strength and the key rotation period. We hope that
334the strength at least matches that of the ciphersuite (but GnuTLS does not
335document this). */
336
337static BOOL once = FALSE;
338if (once) return;
339once = TRUE;
340gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
341if (f.running_in_test_harness) ssl_session_timeout = 6;
342#endif
343}
344
17c76198
PP		 345/* ------------------------------------------------------------------------ */
346/* Static functions */
059ec3d9
PH		 347
348/*************************************************
349* Handle TLS error *
350*************************************************/
351
352/* Called from lots of places when errors occur before actually starting to do
353the TLS handshake, that is, while the session is still in clear. Always returns
354DEFER for a server and FAIL for a client so that most calls can use "return
355tls_error(...)" to do this processing and then give an appropriate return. A
356single function is used for both server and client, because it is called from
357some shared functions.
358
359Argument:
360 prefix text to include in the logged error
7199e1ee
TF		 361 msg additional error string (may be NULL)
362 usually obtained from gnutls_strerror()
17c76198
PP		 363 host NULL if setting up a server;
364 the connected host if setting up a client
cf0c6164 365 errstr pointer to returned error string
059ec3d9
PH		 366
367Returns: OK/DEFER/FAIL
368*/
369
370static int
48224640 371tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
cf0c6164 372 uschar ** errstr)
059ec3d9 373{
cf0c6164 374if (errstr)
48224640 375 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
cf0c6164 376return host ? FAIL : DEFER;
059ec3d9
PH		 377}
378
379
452a164f
JH		 380static int
381tls_error_gnu(const uschar *prefix, int err, const host_item *host,
382 uschar ** errstr)
383{
384return tls_error(prefix, US gnutls_strerror(err), host, errstr);
385}
386
387static int
388tls_error_sys(const uschar *prefix, int err, const host_item *host,
389 uschar ** errstr)
390{
391return tls_error(prefix, US strerror(err), host, errstr);
392}
059ec3d9 393
17c76198 394
059ec3d9 395/*************************************************
17c76198 396* Deal with logging errors during I/O *
059ec3d9
PH		 397*************************************************/
398
17c76198 399/* We have to get the identity of the peer from saved data.
059ec3d9 400
17c76198
PP		 401Argument:
402 state the current GnuTLS exim state container
403 rc the GnuTLS error code, or 0 if it's a local error
404 when text identifying read or write
95f52235 405 text local error text when rc is 0
059ec3d9 406
17c76198 407Returns: nothing
059ec3d9
PH		 408*/
409
17c76198
PP		 410static void
411record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 412{
48224640 413const uschar * msg;
cf0c6164 414uschar * errstr;
059ec3d9 415
17c76198 416if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
95f52235 417 msg = string_sprintf("A TLS fatal alert has been received: %s",
17c76198
PP		 418 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
419else
48224640 420 msg = US gnutls_strerror(rc);
059ec3d9 421
cf0c6164
JH		 422(void) tls_error(when, msg, state->host, &errstr);
423
424if (state->host)
425 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
426 state->host->name, state->host->address, errstr);
427else
428 {
429 uschar * conn_info = smtp_get_connection_info();
430 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
431 /* I'd like to get separated H= here, but too hard for now */
432 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
433 }
17c76198 434}
059ec3d9 435
059ec3d9 436
059ec3d9 437
059ec3d9 438
17c76198
PP		 439/*************************************************
440* Set various Exim expansion vars *
441*************************************************/
059ec3d9 442
e51c7be2
JH		 443#define exim_gnutls_cert_err(Label) \
444 do \
445 { \
446 if (rc != GNUTLS_E_SUCCESS) \
447 { \
448 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
449 (Label), gnutls_strerror(rc)); \
450 return rc; \
451 } \
452 } while (0)
9d1c15ef
JH		 453
454static int
27f19eb4 455import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH		 456{
457int rc;
458
459rc = gnutls_x509_crt_init(crtp);
460exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
461
462rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
463exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
464
465return rc;
466}
467
468#undef exim_gnutls_cert_err
469
470
17c76198
PP		 471/* We set various Exim global variables from the state, once a session has
472been established. With TLS callouts, may need to change this to stack
473variables, or just re-call it with the server state after client callout
474has finished.
059ec3d9 475
9d1c15ef 476Make sure anything set here is unset in tls_getc().
17c76198
PP		 477
478Sets:
479 tls_active fd
480 tls_bits strength indicator
481 tls_certificate_verified bool indicator
b1a32a3c 482 tls_channelbinding for some SASL mechanisms
da40b1ec 483 tls_ver a string
17c76198 484 tls_cipher a string
9d1c15ef 485 tls_peercert pointer to library internal
17c76198
PP		 486 tls_peerdn a string
487 tls_sni a (UTF-8) string
9d1c15ef 488 tls_ourcert pointer to library internal
17c76198
PP		 489
490Argument:
491 state the relevant exim_gnutls_state_st *
492*/
493
494static void
9d1c15ef 495extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 496{
17c76198
PP		 497#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
498int old_pool;
499int rc;
500gnutls_datum_t channel;
501#endif
9d1c15ef 502tls_support * tlsp = state->tlsp;
17c76198 503
74f1a423
JH		 504tlsp->active.sock = state->fd_out;
505tlsp->active.tls_ctx = state;
17c76198 506
817d9f57 507DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 508
9d1c15ef 509tlsp->certificate_verified = state->peer_cert_verified;
899b8bbc
JH		 510#ifdef SUPPORT_DANE
511tlsp->dane_verified = state->peer_dane_verified;
512#endif
059ec3d9 513
b1a32a3c 514/* note that tls_channelbinding is not saved to the spool file, since it's
17c76198
PP		 515only available for use for authenticators while this TLS session is running. */
516
b1a32a3c 517tlsp->channelbinding = NULL;
17c76198
PP		 518#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
519channel.data = NULL;
520channel.size = 0;
1f20760b
JH		 521if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
522 { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
523else
524 {
b1a32a3c
JH		 525 /* Declare the taintedness of the binding info. On server, untainted; on
526 client, tainted - being the Finish msg from the server. */
527
17c76198
PP		 528 old_pool = store_pool;
529 store_pool = POOL_PERM;
b1a32a3c
JH		 530 tlsp->channelbinding = b64encode_taint(CUS channel.data, (int)channel.size,
531 !!state->host);
17c76198 532 store_pool = old_pool;
b1a32a3c 533 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage\n");
1f20760b 534 }
17c76198
PP		 535#endif
536
9d1c15ef
JH		 537/* peercert is set in peer_status() */
538tlsp->peerdn = state->peerdn;
539tlsp->sni = state->received_sni;
540
541/* record our certificate */
542 {
27f19eb4 543 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH		 544 gnutls_x509_crt_t crt;
545
546 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
547 }
059ec3d9
PH		 548}
549
550
551
17c76198 552
49132a3b 553#ifndef GNUTLS_AUTO_DHPARAMS
059ec3d9 554/*************************************************
575643cd 555* Setup up DH parameters *
059ec3d9
PH		 556*************************************************/
557
575643cd 558/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH		 559be re-generated every so often, depending on security policy. What we do is to
560keep these parameters in a file in the spool directory. If the file does not
561exist, we generate them. This means that it is easy to cause a regeneration.
562
563The new file is written as a temporary file and renamed, so that an incomplete
564file is never present. If two processes both compute some new parameters, you
565waste a bit of effort, but it doesn't seem worth messing around with locking to
566prevent this.
567
059ec3d9
PH		 568Returns: OK/DEFER/FAIL
569*/
570
571static int
cf0c6164 572init_server_dh(uschar ** errstr)
059ec3d9 573{
17c76198
PP		 574int fd, rc;
575unsigned int dh_bits;
49132a3b 576gnutls_datum_t m = {.data = NULL, .size = 0};
a799883d
PP		 577uschar filename_buf[PATH_MAX];
578uschar *filename = NULL;
17c76198 579size_t sz;
a799883d
PP		 580uschar *exp_tls_dhparam;
581BOOL use_file_in_spool = FALSE;
17c76198 582host_item *host = NULL; /* dummy for macros */
059ec3d9 583
17c76198 584DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 585
452a164f
JH		 586if ((rc = gnutls_dh_params_init(&dh_server_params)))
587 return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
059ec3d9 588
cf0c6164 589if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP		 590 return DEFER;
591
592if (!exp_tls_dhparam)
593 {
594 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
595 m.data = US std_dh_prime_default();
596 m.size = Ustrlen(m.data);
597 }
598else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
599 use_file_in_spool = TRUE;
600else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
601 {
602 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
603 return OK;
604 }
605else if (exp_tls_dhparam[0] != '/')
606 {
f5d25c2b 607 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
48224640 608 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
a799883d
PP		 609 m.size = Ustrlen(m.data);
610 }
611else
a799883d 612 filename = exp_tls_dhparam;
a799883d
PP		 613
614if (m.data)
615 {
452a164f
JH		 616 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
617 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
a799883d
PP		 618 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
619 return OK;
620 }
621
af3498d6
PP		 622#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
623/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198 624different filename and ensure we have sufficient bits. */
452a164f
JH		 625
626if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
cf0c6164 627 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 628DEBUG(D_tls)
b34fc30c 629 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP		 630 dh_bits);
631#else
632dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
633DEBUG(D_tls)
634 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
635 dh_bits);
636#endif
059ec3d9 637
3375e053
PP		 638/* Some clients have hard-coded limits. */
639if (dh_bits > tls_dh_max_bits)
640 {
641 DEBUG(D_tls)
642 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
643 tls_dh_max_bits);
644 dh_bits = tls_dh_max_bits;
645 }
646
a799883d
PP		 647if (use_file_in_spool)
648 {
649 if (!string_format(filename_buf, sizeof(filename_buf),
650 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 651 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP		 652 filename = filename_buf;
653 }
059ec3d9 654
b5aea5e1 655/* Open the cache file for reading and if successful, read it and set up the
575643cd 656parameters. */
059ec3d9 657
f5d25c2b 658if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 659 {
b5aea5e1 660 struct stat statbuf;
17c76198
PP		 661 FILE *fp;
662 int saved_errno;
663
664 if (fstat(fd, &statbuf) < 0) /* EIO */
665 {
666 saved_errno = errno;
667 (void)close(fd);
452a164f 668 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
17c76198
PP		 669 }
670 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH		 671 {
672 (void)close(fd);
cf0c6164 673 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 674 }
40c90bca 675 if (!(fp = fdopen(fd, "rb")))
17c76198
PP		 676 {
677 saved_errno = errno;
678 (void)close(fd);
452a164f
JH		 679 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
680 saved_errno, NULL, errstr);
b5aea5e1 681 }
059ec3d9 682
b5aea5e1 683 m.size = statbuf.st_size;
f3ebb786 684 if (!(m.data = store_malloc(m.size)))
17c76198
PP		 685 {
686 fclose(fp);
452a164f 687 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
17c76198 688 }
40c90bca 689 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP		 690 {
691 saved_errno = errno;
692 fclose(fp);
f3ebb786 693 store_free(m.data);
452a164f 694 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
17c76198
PP		 695 }
696 fclose(fp);
b5aea5e1 697
17c76198 698 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
f3ebb786 699 store_free(m.data);
452a164f
JH		 700 if (rc)
701 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
17c76198 702 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH		 703 }
704
705/* If the file does not exist, fall through to compute new data and cache it.
706If there was any other opening error, it is serious. */
707
182ad5cf
PH		 708else if (errno == ENOENT)
709 {
17c76198 710 rc = -1;
182ad5cf 711 DEBUG(D_tls)
17c76198 712 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH		 713 }
714else
17c76198 715 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 716 NULL, NULL, errstr);
b5aea5e1
PH		 717
718/* If ret < 0, either the cache file does not exist, or the data it contains
719is not useful. One particular case of this is when upgrading from an older
720release of Exim in which the data was stored in a different format. We don't
721try to be clever and support both formats; we just regenerate new data in this
722case. */
723
17c76198 724if (rc < 0)
b5aea5e1 725 {
17c76198 726 uschar *temp_fn;
201f5254 727 unsigned int dh_bits_gen = dh_bits;
059ec3d9 728
17c76198
PP		 729 if ((PATH_MAX - Ustrlen(filename)) < 10)
730 return tls_error(US"Filename too long to generate replacement",
48224640 731 filename, NULL, errstr);
059ec3d9 732
48224640 733 temp_fn = string_copy(US"%s.XXXXXXX");
f5d25c2b 734 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
452a164f 735 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
b66fecb4 736 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
059ec3d9 737
49132a3b
JH		 738 /* GnuTLS overshoots! If we ask for 2236, we might get 2237 or more. But
739 there's no way to ask GnuTLS how many bits there really are. We can ask
740 how many bits were used in a TLS session, but that's it! The prime itself
741 is hidden behind too much abstraction. So we ask for less, and proceed on
742 a wing and a prayer. First attempt, subtracted 3 for 2233 and got 2240. */
743
cae6e576 744 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP		 745 {
746 dh_bits_gen = dh_bits - 10;
747 DEBUG(D_tls)
748 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
749 dh_bits_gen);
750 }
751
752 DEBUG(D_tls)
753 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
754 dh_bits_gen);
452a164f
JH		 755 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
756 return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
17c76198
PP		 757
758 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
759 and I confirmed that a NULL call to get the size first is how the GnuTLS
760 sample apps handle this. */
761
762 sz = 0;
763 m.data = NULL;
452a164f
JH		 764 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
765 GNUTLS_X509_FMT_PEM, m.data, &sz))
766 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
767 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
768 rc, host, errstr);
17c76198 769 m.size = sz;
f3ebb786 770 if (!(m.data = store_malloc(m.size)))
452a164f 771 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
40c90bca 772
1f00591e 773 /* this will return a size 1 less than the allocation size above */
452a164f
JH		 774 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
775 m.data, &sz)))
17c76198 776 {
f3ebb786 777 store_free(m.data);
452a164f 778 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
17c76198 779 }
1f00591e 780 m.size = sz; /* shrink by 1, probably */
059ec3d9 781
f5d25c2b 782 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198 783 {
f3ebb786 784 store_free(m.data);
452a164f
JH		 785 return tls_error_sys(US"TLS cache write D-H params failed",
786 errno, NULL, errstr);
17c76198 787 }
f3ebb786 788 store_free(m.data);
f5d25c2b 789 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
452a164f
JH		 790 return tls_error_sys(US"TLS cache write D-H params final newline failed",
791 errno, NULL, errstr);
17c76198 792
f5d25c2b 793 if ((rc = close(fd)))
452a164f 794 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
059ec3d9 795
17c76198 796 if (Urename(temp_fn, filename) < 0)
452a164f
JH		 797 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
798 temp_fn, filename), errno, NULL, errstr);
059ec3d9 799
17c76198 800 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH		 801 }
802
17c76198 803DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH		 804return OK;
805}
49132a3b 806#endif
059ec3d9
PH		 807
808
809
810
23bb6982
JH		 811/* Create and install a selfsigned certificate, for use in server mode */
812
813static int
cf0c6164 814tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH		 815{
816gnutls_x509_crt_t cert = NULL;
817time_t now;
818gnutls_x509_privkey_t pkey = NULL;
819const uschar * where;
820int rc;
821
822where = US"initialising pkey";
823if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
824
825where = US"initialising cert";
826if ((rc = gnutls_x509_crt_init(&cert))) goto err;
827
828where = US"generating pkey";
829if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 830#ifdef SUPPORT_PARAM_TO_PK_BITS
4312da48
JH		 831# ifndef GNUTLS_SEC_PARAM_MEDIUM
832# define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
833# endif
6aac3239 834 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
76075bb5 835#else
6aac3239 836 2048,
76075bb5
JH		 837#endif
838 0)))
23bb6982
JH		 839 goto err;
840
841where = US"configuring cert";
1613fd68 842now = 1;
23bb6982
JH		 843if ( (rc = gnutls_x509_crt_set_version(cert, 3))
844 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
845 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
846 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
847 || (rc = gnutls_x509_crt_set_key(cert, pkey))
848
849 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
850 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
851 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
852 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
853 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
854 GNUTLS_OID_X520_COMMON_NAME, 0,
855 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
856 )
857 goto err;
858
859where = US"signing cert";
860if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
861
862where = US"installing selfsign cert";
863 /* Since: 2.4.0 */
864if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
865 goto err;
866
867rc = OK;
868
869out:
870 if (cert) gnutls_x509_crt_deinit(cert);
871 if (pkey) gnutls_x509_privkey_deinit(pkey);
872 return rc;
873
874err:
452a164f 875 rc = tls_error_gnu(where, rc, NULL, errstr);
23bb6982
JH		 876 goto out;
877}
878
879
880
881
47195144
JH		 882/* Add certificate and key, from files.
883
884Return:
885 Zero or negative: good. Negate value for certificate index if < 0.
886 Greater than zero: FAIL or DEFER code.
887*/
888
ba86e143
JH		 889static int
890tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
891 uschar * certfile, uschar * keyfile, uschar ** errstr)
892{
893int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
894 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
47195144 895if (rc < 0)
452a164f 896 return tls_error_gnu(
47195144 897 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
452a164f 898 rc, host, errstr);
47195144 899return -rc;
ba86e143
JH		 900}
901
902
d896cef5
JH		 903#if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
904/* Load an OCSP proof from file for sending by the server. Called
905on getting a status-request handshake message, for earlier versions
906of GnuTLS. */
907
908static int
909server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
910 gnutls_datum_t * ocsp_response)
911{
912int ret;
913DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
914
915if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
916 {
917 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
918 CS ptr);
919 tls_in.ocsp = OCSP_NOT_RESP;
920 return GNUTLS_E_NO_CERTIFICATE_STATUS;
921 }
922
923tls_in.ocsp = OCSP_VFY_NOT_TRIED;
924return 0;
925}
926#endif
927
928
be427508 929#ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e5489333
JH		 930/* Make a note that we saw a status-request */
931static int
932tls_server_clienthello_ext(void * ctx, unsigned tls_id,
933 const unsigned char *data, unsigned size)
934{
935/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
936if (tls_id == 5) /* status_request */
937 {
e326959e 938 DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
e5489333
JH		 939 tls_in.ocsp = OCSP_NOT_RESP;
940 }
941return 0;
942}
943
944/* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
945static int
946tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
947 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
948{
949/* Call fn for each extension seen. 3.6.3 onwards */
950return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
951 GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
952}
e326959e
JH		 953
954
955/* Make a note that we saw a status-response */
956static int
957tls_server_servercerts_ext(void * ctx, unsigned tls_id,
958 const unsigned char *data, unsigned size)
959{
960/* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
961/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
962if (FALSE && tls_id == 5) /* status_request */
963 {
964 DEBUG(D_tls) debug_printf("Seen status_request extension\n");
965 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
966 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
967 }
968return 0;
969}
970
971/* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
972static int
973tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
974 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
975{
976/* Call fn for each extension seen. 3.6.3 onwards */
977#ifdef notdef
978/*XXX crashes */
979return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
980#endif
981}
be427508 982#endif
e5489333 983
e326959e
JH		 984/*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
985 "Handshake Protocol: Certificate" record.
986So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
987
988This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term).
989*/
990
727a5d25 991#if defined(EXPERIMENTAL_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
e5489333
JH		 992/* Callback for certificate-status, on server. We sent stapled OCSP. */
993static int
994tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
995 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
996{
e326959e 997DEBUG(D_tls) debug_printf("Sending certificate-status\n"); /*XXX we get this for tls1.2 but not for 1.3 */
e5489333
JH		 998#ifdef SUPPORT_SRV_OCSP_STACK
999tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
1000 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
1001#else
1002tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1003#endif
1004return 0;
1005}
1006
1007/* Callback for handshake messages, on server */
1008static int
1009tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
1010 unsigned incoming, const gnutls_datum_t * msg)
1011{
e326959e 1012/* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
e5489333
JH		 1013switch (htype)
1014 {
727a5d25 1015# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e5489333
JH		 1016 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1017 return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
e326959e
JH		 1018 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1019 return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
727a5d25 1020# endif
e5489333
JH		 1021 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1022 return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
727a5d25 1023# ifdef EXPERIMENTAL_TLS_RESUME
e5489333
JH		 1024 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1025 return tls_server_ticket_cb(sess, htype, when, incoming, msg);
727a5d25 1026# endif
e5489333
JH		 1027 default:
1028 return 0;
1029 }
1030}
727a5d25 1031#endif
e5489333
JH		 1032
1033
727a5d25 1034#if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
e5489333
JH		 1035static void
1036tls_server_testharness_ocsp_fiddle(void)
1037{
1038extern char ** environ;
1039if (environ) for (uschar ** p = USS environ; *p; p++)
1040 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1041 {
1042 DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
1043 exim_testharness_disable_ocsp_validity_check = TRUE;
1044 }
1045}
727a5d25 1046#endif
e5489333 1047
059ec3d9 1048/*************************************************
17c76198 1049* Variables re-expanded post-SNI *
059ec3d9
PH		 1050*************************************************/
1051
17c76198
PP		 1052/* Called from both server and client code, via tls_init(), and also from
1053the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
1054
1055We can tell the two apart by state->received_sni being non-NULL in callback.
1056
1057The callback should not call us unless state->trigger_sni_changes is true,
1058which we are responsible for setting on the first pass through.
059ec3d9
PH		 1059
1060Arguments:
17c76198 1061 state exim_gnutls_state_st *
cf0c6164 1062 errstr error string pointer
059ec3d9
PH		 1063
1064Returns: OK/DEFER/FAIL
1065*/
1066
1067static int
ba86e143 1068tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1069{
1365611d 1070struct stat statbuf;
059ec3d9 1071int rc;
17c76198
PP		 1072const host_item *host = state->host; /* macro should be reconsidered? */
1073uschar *saved_tls_certificate = NULL;
1074uschar *saved_tls_privatekey = NULL;
1075uschar *saved_tls_verify_certificates = NULL;
1076uschar *saved_tls_crl = NULL;
1077int cert_count;
1078
1079/* We check for tls_sni *before* expansion. */
2b4a568d 1080if (!host) /* server */
17c76198
PP		 1081 if (!state->received_sni)
1082 {
ba86e143
JH		 1083 if ( state->tls_certificate
1084 && ( Ustrstr(state->tls_certificate, US"tls_sni")
1085 || Ustrstr(state->tls_certificate, US"tls_in_sni")
1086 || Ustrstr(state->tls_certificate, US"tls_out_sni")
1087 ) )
17c76198
PP		 1088 {
1089 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
1090 state->trigger_sni_changes = TRUE;
1091 }
1092 }
1093 else
1094 {
1365611d 1095 /* useful for debugging */
17c76198
PP		 1096 saved_tls_certificate = state->exp_tls_certificate;
1097 saved_tls_privatekey = state->exp_tls_privatekey;
1098 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
1099 saved_tls_crl = state->exp_tls_crl;
1100 }
059ec3d9 1101
452a164f
JH		 1102if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
1103 return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
1104 rc, host, errstr);
47195144
JH		 1105
1106#ifdef SUPPORT_SRV_OCSP_STACK
1107gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
e326959e
JH		 1108
1109# if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1110if (!host && tls_ocsp_file)
1111 {
1112 if (f.running_in_test_harness)
1113 tls_server_testharness_ocsp_fiddle();
1114
1115 if (exim_testharness_disable_ocsp_validity_check)
1116 gnutls_certificate_set_flags(state->x509_cred,
1117 GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
1118 }
1119# endif
47195144 1120#endif
1365611d 1121
17c76198
PP		 1122/* remember: expand_check_tlsvar() is expand_check() but fiddling with
1123state members, assuming consistent naming; and expand_check() returns
1124false if expansion failed, unless expansion was forced to fail. */
059ec3d9 1125
17c76198
PP		 1126/* check if we at least have a certificate, before doing expensive
1127D-H generation. */
059ec3d9 1128
cf0c6164 1129if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 1130 return DEFER;
059ec3d9 1131
17c76198 1132/* certificate is mandatory in server, optional in client */
059ec3d9 1133
23bb6982
JH		 1134if ( !state->exp_tls_certificate
1135 || !*state->exp_tls_certificate
1136 )
2b4a568d 1137 if (!host)
cf0c6164 1138 return tls_install_selfsign(state, errstr);
17c76198
PP		 1139 else
1140 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 1141
cf0c6164 1142if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH		 1143 return DEFER;
1144
17c76198
PP		 1145/* tls_privatekey is optional, defaulting to same file as certificate */
1146
e326959e 1147if (!state->tls_privatekey || !*state->tls_privatekey)
059ec3d9 1148 {
17c76198
PP		 1149 state->tls_privatekey = state->tls_certificate;
1150 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 1151 }
c91535f3 1152
059ec3d9 1153
17c76198 1154if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH		 1155 {
1156 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP		 1157 state->exp_tls_certificate, state->exp_tls_privatekey);
1158
1159 if (state->received_sni)
23bb6982
JH		 1160 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
1161 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
1162 )
17c76198 1163 {
b34fc30c 1164 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP		 1165 }
1166 else
1167 {
b34fc30c 1168 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 1169 }
059ec3d9 1170
ba86e143
JH		 1171 if (!host) /* server */
1172 {
1173 const uschar * clist = state->exp_tls_certificate;
1174 const uschar * klist = state->exp_tls_privatekey;
47195144
JH		 1175 const uschar * olist;
1176 int csep = 0, ksep = 0, osep = 0, cnt = 0;
1177 uschar * cfile, * kfile, * ofile;
47195144 1178#ifndef DISABLE_OCSP
e326959e
JH		 1179# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1180 gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
1181# endif
1182
47195144
JH		 1183 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
1184 return DEFER;
1185 olist = ofile;
1186#endif
ba86e143
JH		 1187
1188 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
47195144 1189
ba86e143
JH		 1190 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
1191 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
47195144 1192 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
ba86e143
JH		 1193 return rc;
1194 else
47195144
JH		 1195 {
1196 int gnutls_cert_index = -rc;
e326959e
JH		 1197 DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
1198 gnutls_cert_index, cfile);
47195144
JH		 1199
1200#ifndef DISABLE_OCSP
1201 if (tls_ocsp_file)
e5489333 1202 {
e326959e 1203 /* Set the OCSP stapling server info */
47195144
JH		 1204 if (gnutls_buggy_ocsp)
1205 {
1206 DEBUG(D_tls)
1207 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1208 }
1209 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1210 {
e326959e
JH		 1211 DEBUG(D_tls) debug_printf("OCSP response file %d = %s\n",
1212 gnutls_cert_index, ofile);
be427508 1213# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e326959e 1214 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
47195144 1215 {
e326959e
JH		 1216 ocsp_fmt = GNUTLS_X509_FMT_PEM;
1217 ofile += 4;
1218 }
1219 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1220 {
1221 ocsp_fmt = GNUTLS_X509_FMT_DER;
1222 ofile += 4;
1223 }
e5489333 1224
e326959e
JH		 1225 if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
1226 state->x509_cred, CCS ofile, gnutls_cert_index,
1227 ocsp_fmt)) < 0)
1228 return tls_error_gnu(
1229 US"gnutls_certificate_set_ocsp_status_request_file2",
1230 rc, host, errstr);
1231 DEBUG(D_tls)
1232 debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
e5489333 1233
e326959e
JH		 1234 /* Arrange callbacks for OCSP request observability */
1235
1236 gnutls_handshake_set_hook_function(state->session,
1237 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1238
1239# else
1240# if defined(SUPPORT_SRV_OCSP_STACK)
be427508
JH		 1241 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1242 state->x509_cred, gnutls_cert_index,
1243 server_ocsp_stapling_cb, ofile)))
1244 return tls_error_gnu(
1245 US"gnutls_certificate_set_ocsp_status_request_function2",
1246 rc, host, errstr);
1247 else
e326959e 1248# endif
e5489333
JH		 1249 {
1250 if (cnt++ > 0)
1251 {
1252 DEBUG(D_tls)
1253 debug_printf("oops; multiple OCSP files not supported\n");
1254 break;
1255 }
d896cef5
JH		 1256 gnutls_certificate_set_ocsp_status_request_function(
1257 state->x509_cred, server_ocsp_stapling_cb, ofile);
e5489333 1258 }
e326959e 1259# endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
47195144
JH		 1260 }
1261 else
1262 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
e5489333 1263 }
fd71e7b8 1264#endif /* DISABLE_OCSP */
47195144 1265 }
ba86e143 1266 }
e5489333 1267 else /* client */
ba86e143 1268 {
47195144 1269 if (0 < (rc = tls_add_certfile(state, host,
ba86e143
JH		 1270 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1271 return rc;
1272 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1273 }
1274
b34fc30c 1275 } /* tls_certificate */
059ec3d9 1276
2b4a568d 1277
059ec3d9
PH		 1278/* Set the trusted CAs file if one is provided, and then add the CRL if one is
1279provided. Experiment shows that, if the certificate file is empty, an unhelpful
1280error message is provided. However, if we just refrain from setting anything up
1281in that case, certificate verification fails, which seems to be the correct
1282behaviour. */
1283
610ff438 1284if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 1285 {
cf0c6164 1286 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 1287 return DEFER;
610ff438
JH		 1288#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1289 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1290 state->exp_tls_verify_certificates = NULL;
1291#endif
17c76198 1292 if (state->tls_crl && *state->tls_crl)
cf0c6164 1293 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 1294 return DEFER;
059ec3d9 1295
1365611d
PP		 1296 if (!(state->exp_tls_verify_certificates &&
1297 *state->exp_tls_verify_certificates))
b34fc30c
PP		 1298 {
1299 DEBUG(D_tls)
1365611d
PP		 1300 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1301 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 1302 return OK;
b34fc30c 1303 }
1365611d 1304 }
83e2f8a2
PP		 1305else
1306 {
1307 DEBUG(D_tls)
1308 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1309 return OK;
1310 }
17c76198 1311
cb1d7830
JH		 1312#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1313if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1314 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1315else
1316#endif
1365611d 1317 {
cb1d7830
JH		 1318 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1319 {
d896cef5 1320 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
cb1d7830
JH		 1321 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1322 strerror(errno));
1323 return DEFER;
1324 }
17c76198 1325
a7fec7a7 1326#ifndef SUPPORT_CA_DIR
cb1d7830
JH		 1327 /* The test suite passes in /dev/null; we could check for that path explicitly,
1328 but who knows if someone has some weird FIFO which always dumps some certs, or
1329 other weirdness. The thing we really want to check is that it's not a
1330 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 1331 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH		 1332 if (S_ISDIR(statbuf.st_mode))
1333 {
1334 DEBUG(D_tls)
1335 debug_printf("verify certificates path is a dir: \"%s\"\n",
1336 state->exp_tls_verify_certificates);
1337 log_write(0, LOG_MAIN|LOG_PANIC,
1338 "tls_verify_certificates \"%s\" is a directory",
1339 state->exp_tls_verify_certificates);
1340 return DEFER;
1341 }
a7fec7a7 1342#endif
059ec3d9 1343
cb1d7830
JH		 1344 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1345 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 1346
cb1d7830
JH		 1347 if (statbuf.st_size == 0)
1348 {
1349 DEBUG(D_tls)
1350 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1351 return OK;
1352 }
059ec3d9 1353
cb1d7830 1354 cert_count =
a7fec7a7
JH		 1355
1356#ifdef SUPPORT_CA_DIR
cb1d7830
JH		 1357 (statbuf.st_mode & S_IFMT) == S_IFDIR
1358 ?
1359 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1360 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1361 :
a7fec7a7 1362#endif
cb1d7830
JH		 1363 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1364 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
12d95aa6
JH		 1365
1366#ifdef SUPPORT_CA_DIR
1367 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1368 when using the directory-of-certs config model. */
1369
1370 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1371 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1372#endif
cb1d7830 1373 }
a7fec7a7 1374
1365611d 1375if (cert_count < 0)
452a164f
JH		 1376 return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
1377DEBUG(D_tls)
1378 debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1379
5c8cda3a
PP		 1380if (state->tls_crl && *state->tls_crl &&
1381 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1382 {
5c8cda3a 1383 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
452a164f
JH		 1384 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1385 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
1386 return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
1387 cert_count, host, errstr);
1388
5c8cda3a 1389 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1390 }
059ec3d9 1391
059ec3d9
PH		 1392return OK;
1393}
1394
1395
1396
1397
1365611d
PP		 1398/*************************************************
1399* Set X.509 state variables *
1400*************************************************/
1401
1402/* In GnuTLS, the registered cert/key are not replaced by a later
1403set of a cert/key, so for SNI support we need a whole new x509_cred
1404structure. Which means various other non-re-expanded pieces of state
1405need to be re-set in the new struct, so the setting logic is pulled
1406out to this.
1407
1408Arguments:
1409 state exim_gnutls_state_st *
cf0c6164 1410 errstr error string pointer
1365611d
PP		 1411
1412Returns: OK/DEFER/FAIL
1413*/
1414
1415static int
cf0c6164 1416tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP		 1417{
1418int rc;
1419const host_item *host = state->host; /* macro should be reconsidered? */
1420
49132a3b 1421#ifndef GNUTLS_AUTO_DHPARAMS
1365611d
PP		 1422/* Create D-H parameters, or read them from the cache file. This function does
1423its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1424client-side params. */
1425
1426if (!state->host)
1427 {
1428 if (!dh_server_params)
452a164f 1429 if ((rc = init_server_dh(errstr)) != OK) return rc;
49132a3b
JH		 1430
1431 /* Unnecessary & discouraged with 3.6.0 or later */
1365611d
PP		 1432 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1433 }
49132a3b 1434#endif
1365611d
PP		 1435
1436/* Link the credentials to the session. */
1437
452a164f
JH		 1438if ((rc = gnutls_credentials_set(state->session,
1439 GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
1440 return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
1365611d
PP		 1441
1442return OK;
1443}
1444
059ec3d9 1445/*************************************************
17c76198 1446* Initialize for GnuTLS *
059ec3d9
PH		 1447*************************************************/
1448
9196d5bf 1449
4fb7df6d
JH		 1450#ifndef DISABLE_OCSP
1451
9196d5bf
JH		 1452static BOOL
1453tls_is_buggy_ocsp(void)
1454{
1455const uschar * s;
1456uschar maj, mid, mic;
1457
1458s = CUS gnutls_check_version(NULL);
1459maj = atoi(CCS s);
1460if (maj == 3)
1461 {
1462 while (*s && *s != '.') s++;
1463 mid = atoi(CCS ++s);
1464 if (mid <= 2)
1465 return TRUE;
1466 else if (mid >= 5)
1467 return FALSE;
1468 else
1469 {
1470 while (*s && *s != '.') s++;
1471 mic = atoi(CCS ++s);
1472 return mic <= (mid == 3 ? 16 : 3);
1473 }
1474 }
1475return FALSE;
1476}
1477
4fb7df6d 1478#endif
9196d5bf
JH		 1479
1480
17c76198
PP		 1481/* Called from both server and client code. In the case of a server, errors
1482before actual TLS negotiation return DEFER.
059ec3d9
PH		 1483
1484Arguments:
17c76198
PP		 1485 host connected host, if client; NULL if server
1486 certificate certificate file
1487 privatekey private key file
1488 sni TLS SNI to send, sometimes when client; else NULL
1489 cas CA certs file
1490 crl CRL file
1491 require_ciphers tls_require_ciphers setting
817d9f57 1492 caller_state returned state-info structure
cf0c6164 1493 errstr error string pointer
059ec3d9 1494
17c76198 1495Returns: OK/DEFER/FAIL
059ec3d9
PH		 1496*/
1497
17c76198
PP		 1498static int
1499tls_init(
1500 const host_item *host,
1501 const uschar *certificate,
1502 const uschar *privatekey,
1503 const uschar *sni,
1504 const uschar *cas,
1505 const uschar *crl,
1506 const uschar *require_ciphers,
cf0c6164 1507 exim_gnutls_state_st **caller_state,
74f1a423 1508 tls_support * tlsp,
cf0c6164 1509 uschar ** errstr)
059ec3d9 1510{
00c0dd4e 1511exim_gnutls_state_st * state;
17c76198
PP		 1512int rc;
1513size_t sz;
00c0dd4e
JH		 1514const char * errpos;
1515const uschar * p;
17c76198
PP		 1516
1517if (!exim_gnutls_base_init_done)
059ec3d9 1518 {
17c76198
PP		 1519 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1520
9f707b89 1521#if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
a5f239e4
PP		 1522 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1523 which loads modules from a config file, which sounds good and may be wanted
1524 by some sysadmin, but also means in common configurations that GNOME keyring
1525 environment variables are used and so breaks for users calling mailq.
1526 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1527 if (!gnutls_allow_auto_pkcs11)
452a164f
JH		 1528 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
1529 return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
a5f239e4
PP		 1530#endif
1531
4d2a62a3 1532#ifndef GNUTLS_AUTO_GLOBAL_INIT
452a164f
JH		 1533 if ((rc = gnutls_global_init()))
1534 return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
4d2a62a3 1535#endif
17c76198
PP		 1536
1537#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1538 DEBUG(D_tls)
059ec3d9 1539 {
17c76198 1540 gnutls_global_set_log_function(exim_gnutls_logger_cb);
aded2255 1541 /* arbitrarily chosen level; bump up to 9 for more */
17c76198 1542 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1543 }
17c76198
PP		 1544#endif
1545
4fb7df6d
JH		 1546#ifndef DISABLE_OCSP
1547 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1548 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1549#endif
9196d5bf 1550
17c76198 1551 exim_gnutls_base_init_done = TRUE;
059ec3d9 1552 }
059ec3d9 1553
17c76198
PP		 1554if (host)
1555 {
74f1a423
JH		 1556 /* For client-side sessions we allocate a context. This lets us run
1557 several in parallel. */
1558 int old_pool = store_pool;
1559 store_pool = POOL_PERM;
f3ebb786 1560 state = store_get(sizeof(exim_gnutls_state_st), FALSE);
74f1a423
JH		 1561 store_pool = old_pool;
1562
17c76198 1563 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1564 state->tlsp = tlsp;
17c76198
PP		 1565 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1566 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1567 }
1568else
1569 {
1570 state = &state_server;
1571 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1572 state->tlsp = tlsp;
17c76198
PP		 1573 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1574 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1575 }
452a164f
JH		 1576if (rc)
1577 return tls_error_gnu(US"gnutls_init", rc, host, errstr);
059ec3d9 1578
17c76198 1579state->host = host;
059ec3d9 1580
17c76198
PP		 1581state->tls_certificate = certificate;
1582state->tls_privatekey = privatekey;
5779e6aa 1583state->tls_require_ciphers = require_ciphers;
17c76198
PP		 1584state->tls_sni = sni;
1585state->tls_verify_certificates = cas;
1586state->tls_crl = crl;
059ec3d9 1587
17c76198
PP		 1588/* This handles the variables that might get re-expanded after TLS SNI;
1589that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1590
17c76198
PP		 1591DEBUG(D_tls)
1592 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1593if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1594
1365611d
PP		 1595/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1596requires a new structure afterwards. */
83da1223 1597
cf0c6164 1598if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1599
17c76198
PP		 1600/* set SNI in client, only */
1601if (host)
1602 {
cf0c6164 1603 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1604 return DEFER;
0df4ab80 1605 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP		 1606 {
1607 DEBUG(D_tls)
0df4ab80
JH		 1608 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1609 sz = Ustrlen(state->tlsp->sni);
452a164f
JH		 1610 if ((rc = gnutls_server_name_set(state->session,
1611 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
1612 return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
17c76198
PP		 1613 }
1614 }
1615else if (state->tls_sni)
1616 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
ba86e143 1617 "have an SNI set for a server [%s]\n", state->tls_sni);
83da1223 1618
17c76198 1619/* This is the priority string support,
42bfef1e 1620http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP		 1621and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1622This was backwards incompatible, but means Exim no longer needs to track
1623all algorithms and provide string forms for them. */
83da1223 1624
fc243e94 1625p = NULL;
17c76198 1626if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1627 {
cf0c6164 1628 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP		 1629 return DEFER;
1630 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1631 {
17c76198 1632 p = state->exp_tls_require_ciphers;
fc243e94 1633 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
83da1223
PH		 1634 }
1635 }
fc243e94 1636if (!p)
17c76198 1637 {
fc243e94 1638 p = exim_default_gnutls_priority;
83e2f8a2 1639 DEBUG(D_tls)
fc243e94 1640 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
17c76198 1641 }
83da1223 1642
452a164f
JH		 1643if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
1644 return tls_error_gnu(string_sprintf(
1645 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1646 p, errpos - CS p, errpos),
1647 rc, host, errstr);
17c76198 1648
452a164f
JH		 1649if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
1650 return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
17c76198 1651
b10c87b3
JH		 1652/* This also sets the server ticket expiration time to the same, and
1653the STEK rotation time to 3x. */
1654
17c76198
PP		 1655gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1656
1657/* Reduce security in favour of increased compatibility, if the admin
1658decides to make that trade-off. */
1659if (gnutls_compat_mode)
83da1223 1660 {
17c76198
PP		 1661#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1662 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1663 gnutls_session_enable_compatibility_mode(state->session);
1664#else
1665 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1666#endif
83da1223
PH		 1667 }
1668
17c76198 1669*caller_state = state;
17c76198 1670return OK;
83da1223
PH		 1671}
1672
1673
1674
059ec3d9 1675/*************************************************
17c76198 1676* Extract peer information *
059ec3d9
PH		 1677*************************************************/
1678
f1be21cf
JH		 1679static const uschar *
1680cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
1681 gnutls_mac_algorithm_t mac)
1682{
1683uschar cs_id[2];
1684gnutls_kx_algorithm_t kx_i;
1685gnutls_cipher_algorithm_t cipher_i;
1686gnutls_mac_algorithm_t mac_i;
1687
1688for (size_t i = 0;
1689 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
1690 i++)
1691 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
1692 return cipher_stdname(cs_id[0], cs_id[1]);
1693return NULL;
1694}
1695
1696
1697
17c76198 1698/* Called from both server and client code.
4fe99a6c
PP		 1699Only this is allowed to set state->peerdn and state->have_set_peerdn
1700and we use that to detect double-calls.
059ec3d9 1701
75fe387d
PP		 1702NOTE: the state blocks last while the TLS connection is up, which is fine
1703for logging in the server side, but for the client side, we log after teardown
1704in src/deliver.c. While the session is up, we can twist about states and
1705repoint tls_* globals, but those variables used for logging or other variable
1706expansion that happens _after_ delivery need to have a longer life-time.
1707
1708So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1709doing this more than once per generation of a state context. We set them in
1710the state context, and repoint tls_* to them. After the state goes away, the
1711tls_* copies of the pointers remain valid and client delivery logging is happy.
1712
1713tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1714don't apply.
1715
059ec3d9 1716Arguments:
17c76198 1717 state exim_gnutls_state_st *
cf0c6164 1718 errstr pointer to error string
059ec3d9 1719
17c76198 1720Returns: OK/DEFER/FAIL
059ec3d9
PH		 1721*/
1722
17c76198 1723static int
b10c87b3 1724peer_status(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1725{
b10c87b3
JH		 1726gnutls_session_t session = state->session;
1727const gnutls_datum_t * cert_list;
75fe387d 1728int old_pool, rc;
17c76198 1729unsigned int cert_list_size = 0;
4fe99a6c
PP		 1730gnutls_protocol_t protocol;
1731gnutls_cipher_algorithm_t cipher;
1732gnutls_kx_algorithm_t kx;
1733gnutls_mac_algorithm_t mac;
17c76198
PP		 1734gnutls_certificate_type_t ct;
1735gnutls_x509_crt_t crt;
b10c87b3 1736uschar * dn_buf;
17c76198 1737size_t sz;
059ec3d9 1738
4fe99a6c 1739if (state->have_set_peerdn)
17c76198 1740 return OK;
4fe99a6c 1741state->have_set_peerdn = TRUE;
059ec3d9 1742
4fe99a6c 1743state->peerdn = NULL;
059ec3d9 1744
4fe99a6c 1745/* tls_cipher */
b10c87b3
JH		 1746cipher = gnutls_cipher_get(session);
1747protocol = gnutls_protocol_get_version(session);
1748mac = gnutls_mac_get(session);
b9c6f63c
JH		 1749kx =
1750#ifdef GNUTLS_TLS1_3
1751 protocol >= GNUTLS_TLS1_3 ? 0 :
1752#endif
b10c87b3 1753 gnutls_kx_get(session);
4fe99a6c 1754
75fe387d 1755old_pool = store_pool;
f1be21cf 1756 {
b10c87b3 1757 tls_support * tlsp = state->tlsp;
f1be21cf 1758 store_pool = POOL_PERM;
d9acfc1c
JH		 1759
1760#ifdef SUPPORT_GNUTLS_SESS_DESC
1761 {
1762 gstring * g = NULL;
b10c87b3 1763 uschar * s = US gnutls_session_get_desc(session), c;
d9acfc1c
JH		 1764
1765 /* Nikos M suggests we use this by preference. It returns like:
1766 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
1767
1768 For partial back-compat, put a colon after the TLS version, replace the
1769 )-( grouping with __, replace in-group - with _ and append the :keysize. */
1770
1771 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
1772
1773 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
da40b1ec
JH		 1774
1775 tlsp->ver = string_copyn(g->s, g->ptr);
1776 for (uschar * p = US tlsp->ver; *p; p++)
1777 if (*p == '-') { *p = '\0'; break; } /* TLS1.0-PKIX -> TLS1.0 */
1778
d9acfc1c
JH		 1779 g = string_catn(g, US":", 1);
1780 if (*s) s++; /* now on _ between groups */
1781 while ((c = *s))
1782 {
da40b1ec
JH		 1783 for (*++s && ++s; (c = *s) && c != ')'; s++)
1784 g = string_catn(g, c == '-' ? US"_" : s, 1);
d9acfc1c
JH		 1785 /* now on ) closing group */
1786 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
1787 /* now on _ between groups */
1788 }
1789 g = string_catn(g, US":", 1);
1790 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
1791 state->ciphersuite = string_from_gstring(g);
1792 }
1793#else
f1be21cf
JH		 1794 state->ciphersuite = string_sprintf("%s:%s:%d",
1795 gnutls_protocol_get_name(protocol),
1796 gnutls_cipher_suite_get_name(kx, cipher, mac),
1797 (int) gnutls_cipher_get_key_size(cipher) * 8);
1798
1799 /* I don't see a way that spaces could occur, in the current GnuTLS
1800 code base, but it was a concern in the old code and perhaps older GnuTLS
1801 releases did return "TLS 1.0"; play it safe, just in case. */
1802
1803 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
da40b1ec
JH		 1804 tlsp->ver = string_copyn(state->ciphersuite,
1805 Ustrchr(state->ciphersuite, ':') - state->ciphersuite);
d9acfc1c
JH		 1806#endif
1807
1808/* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
1809
b10c87b3
JH		 1810 tlsp->cipher = state->ciphersuite;
1811 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
f1be21cf 1812
b10c87b3 1813 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
f1be21cf 1814 }
75fe387d 1815store_pool = old_pool;
4fe99a6c
PP		 1816
1817/* tls_peerdn */
b10c87b3 1818cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
83da1223 1819
f1be21cf 1820if (!cert_list || cert_list_size == 0)
17c76198 1821 {
17c76198
PP		 1822 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1823 cert_list, cert_list_size);
e51c7be2 1824 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1825 return tls_error(US"certificate verification failed",
48224640 1826 US"no certificate received from peer", state->host, errstr);
17c76198
PP		 1827 return OK;
1828 }
059ec3d9 1829
b10c87b3 1830if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
059ec3d9 1831 {
95f52235 1832 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
17c76198
PP		 1833 DEBUG(D_tls)
1834 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1835 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1836 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1837 ctn, state->host, errstr);
17c76198 1838 return OK;
83da1223 1839 }
059ec3d9 1840
e51c7be2
JH		 1841#define exim_gnutls_peer_err(Label) \
1842 do { \
1843 if (rc != GNUTLS_E_SUCCESS) \
1844 { \
1845 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1846 (Label), gnutls_strerror(rc)); \
1847 if (state->verify_requirement >= VERIFY_REQUIRED) \
452a164f 1848 return tls_error_gnu((Label), rc, state->host, errstr); \
e51c7be2
JH		 1849 return OK; \
1850 } \
1851 } while (0)
17c76198 1852
9d1c15ef
JH		 1853rc = import_cert(&cert_list[0], &crt);
1854exim_gnutls_peer_err(US"cert 0");
1855
1856state->tlsp->peercert = state->peercert = crt;
17c76198 1857
17c76198
PP		 1858sz = 0;
1859rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1860if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1861 {
17c76198
PP		 1862 exim_gnutls_peer_err(US"getting size for cert DN failed");
1863 return FAIL; /* should not happen */
059ec3d9 1864 }
f3ebb786 1865dn_buf = store_get_perm(sz, TRUE); /* tainted */
17c76198
PP		 1866rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1867exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1868
17c76198
PP		 1869state->peerdn = dn_buf;
1870
1871return OK;
1872#undef exim_gnutls_peer_err
1873}
059ec3d9 1874
059ec3d9 1875
059ec3d9 1876
059ec3d9 1877
17c76198
PP		 1878/*************************************************
1879* Verify peer certificate *
1880*************************************************/
059ec3d9 1881
17c76198
PP		 1882/* Called from both server and client code.
1883*Should* be using a callback registered with
1884gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1885the peer information, but that's too new for some OSes.
059ec3d9 1886
17c76198 1887Arguments:
899b8bbc
JH		 1888 state exim_gnutls_state_st *
1889 errstr where to put an error message
059ec3d9 1890
17c76198
PP		 1891Returns:
1892 FALSE if the session should be rejected
1893 TRUE if the cert is okay or we just don't care
1894*/
059ec3d9 1895
17c76198 1896static BOOL
28646fa9 1897verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
17c76198
PP		 1898{
1899int rc;
899b8bbc
JH		 1900uint verify;
1901
8008accd 1902DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
cf0c6164 1903*errstr = NULL;
b10c87b3 1904rc = peer_status(state, errstr);
17c76198 1905
b10c87b3
JH		 1906if (state->verify_requirement == VERIFY_NONE)
1907 return TRUE;
1908
1909if (rc != OK || !state->peerdn)
e6060e2c 1910 {
17c76198 1911 verify = GNUTLS_CERT_INVALID;
cf0c6164 1912 *errstr = US"certificate not supplied";
17c76198
PP		 1913 }
1914else
899b8bbc
JH		 1915
1916 {
1917#ifdef SUPPORT_DANE
1918 if (state->verify_requirement == VERIFY_DANE && state->host)
1919 {
1920 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1921 including talking to a DNS resolver. But we want to do that bit ourselves
1922 as the testsuite intercepts and fakes its own DNS environment. */
1923
1924 dane_state_t s;
1925 dane_query_t r;
899b8bbc 1926 uint lsize;
94c13285
JH		 1927 const gnutls_datum_t * certlist =
1928 gnutls_certificate_get_peers(state->session, &lsize);
1929 int usage = tls_out.tlsa_usage;
1930
1931# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1932 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1933 dane-verification separately so that we know which selector verified;
570cb1bd 1934 then we know whether to do name-verification (needed for TA but not EE). */
94c13285
JH		 1935
1936 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
bd5b3f3c 1937 { /* a mixed-usage bundle */
94c13285
JH		 1938 int i, j, nrec;
1939 const char ** dd;
1940 int * ddl;
1941
1942 for(nrec = 0; state->dane_data_len[nrec]; ) nrec++;
1943 nrec++;
1944
f3ebb786
JH		 1945 dd = store_get(nrec * sizeof(uschar *), FALSE);
1946 ddl = store_get(nrec * sizeof(int), FALSE);
94c13285
JH		 1947 nrec--;
1948
1949 if ((rc = dane_state_init(&s, 0)))
1950 goto tlsa_prob;
1951
1952 for (usage = DANESSL_USAGE_DANE_EE;
1953 usage >= DANESSL_USAGE_DANE_TA; usage--)
1954 { /* take records with this usage */
1955 for (j = i = 0; i < nrec; i++)
1956 if (state->dane_data[i][0] == usage)
1957 {
1958 dd[j] = state->dane_data[i];
1959 ddl[j++] = state->dane_data_len[i];
1960 }
1961 if (j)
1962 {
1963 dd[j] = NULL;
1964 ddl[j] = 0;
1965
1966 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1967 goto tlsa_prob;
1968
1969 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1970 gnutls_certificate_type_get(state->session),
1971 r, 0,
1972 usage == DANESSL_USAGE_DANE_EE
1973 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1974 &verify)))
1975 {
1976 DEBUG(D_tls)
1977 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1978 }
1979 else if (verify == 0) /* verification passed */
1980 {
1981 usage = 1 << usage;
1982 break;
1983 }
1984 }
1985 }
899b8bbc 1986
94c13285
JH		 1987 if (rc) goto tlsa_prob;
1988 }
1989 else
1990# endif
899b8bbc 1991 {
94c13285
JH		 1992 if ( (rc = dane_state_init(&s, 0))
1993 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
1994 1, 0))
1995 || (rc = dane_verify_crt_raw(s, certlist, lsize,
1996 gnutls_certificate_type_get(state->session),
5ec37a55 1997 r, 0,
94c13285
JH		 1998# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1999 usage == (1 << DANESSL_USAGE_DANE_EE)
2000 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
2001# else
2002 0,
2003# endif
2004 &verify))
2005 )
2006 goto tlsa_prob;
899b8bbc 2007 }
94c13285
JH		 2008
2009 if (verify != 0) /* verification failed */
899b8bbc
JH		 2010 {
2011 gnutls_datum_t str;
2012 (void) dane_verification_status_print(verify, &str, 0);
2013 *errstr = US str.data; /* don't bother to free */
2014 goto badcert;
2015 }
28646fa9 2016
94c13285
JH		 2017# ifdef GNUTLS_BROKEN_DANE_VALIDATION
2018 /* If a TA-mode TLSA record was used for verification we must additionally
570cb1bd 2019 verify the cert name (but not the CA chain). For EE-mode, skip it. */
28646fa9 2020
94c13285
JH		 2021 if (usage & (1 << DANESSL_USAGE_DANE_EE))
2022# endif
28646fa9 2023 {
570cb1bd 2024 state->peer_dane_verified = state->peer_cert_verified = TRUE;
28646fa9
JH		 2025 goto goodcert;
2026 }
570cb1bd
JH		 2027# ifdef GNUTLS_BROKEN_DANE_VALIDATION
2028 /* Assume that the name on the A-record is the one that should be matching
2029 the cert. An alternate view is that the domain part of the email address
2030 is also permissible. */
2031
2032 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2033 CS state->host->name))
2034 {
2035 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2036 goto goodcert;
2037 }
2038# endif
899b8bbc 2039 }
570cb1bd 2040#endif /*SUPPORT_DANE*/
899b8bbc 2041
17c76198 2042 rc = gnutls_certificate_verify_peers2(state->session, &verify);
899b8bbc 2043 }
e6060e2c 2044
899b8bbc 2045/* Handle the result of verification. INVALID is set if any others are. */
059ec3d9 2046
28646fa9 2047if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
17c76198
PP		 2048 {
2049 state->peer_cert_verified = FALSE;
cf0c6164 2050 if (!*errstr)
184384c3
JH		 2051 {
2052#ifdef GNUTLS_CERT_VFY_STATUS_PRINT
2053 DEBUG(D_tls)
2054 {
2055 gnutls_datum_t txt;
2056
2057 if (gnutls_certificate_verification_status_print(verify,
2058 gnutls_certificate_type_get(state->session), &txt, 0)
2059 == GNUTLS_E_SUCCESS)
2060 {
2061 debug_printf("%s\n", txt.data);
2062 gnutls_free(txt.data);
2063 }
2064 }
2065#endif
cf0c6164
JH		 2066 *errstr = verify & GNUTLS_CERT_REVOKED
2067 ? US"certificate revoked" : US"certificate invalid";
184384c3 2068 }
059ec3d9 2069
17c76198 2070 DEBUG(D_tls)
e51c7be2 2071 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 2072 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 2073
e51c7be2 2074 if (state->verify_requirement >= VERIFY_REQUIRED)
899b8bbc 2075 goto badcert;
17c76198 2076 DEBUG(D_tls)
4789da3a 2077 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 2078 }
e51c7be2 2079
17c76198
PP		 2080else
2081 {
5fd28bb8
JH		 2082 /* Client side, check the server's certificate name versus the name on the
2083 A-record for the connection we made. What to do for server side - what name
2084 to use for client? We document that there is no such checking for server
2085 side. */
2086
2087 if ( state->exp_tls_verify_cert_hostnames
2088 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2089 CS state->exp_tls_verify_cert_hostnames)
2090 )
e51c7be2 2091 {
5fd28bb8
JH		 2092 DEBUG(D_tls)
2093 debug_printf("TLS certificate verification failed: cert name mismatch\n");
2094 if (state->verify_requirement >= VERIFY_REQUIRED)
2095 goto badcert;
2096 return TRUE;
e51c7be2 2097 }
5fd28bb8 2098
17c76198 2099 state->peer_cert_verified = TRUE;
e51c7be2 2100 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 2101 state->peerdn ? state->peerdn : US"<unset>");
17c76198 2102 }
059ec3d9 2103
28646fa9
JH		 2104goodcert:
2105 state->tlsp->peerdn = state->peerdn;
2106 return TRUE;
899b8bbc 2107
b83314e3 2108#ifdef SUPPORT_DANE
94c13285 2109tlsa_prob:
624f33df
JH		 2110 *errstr = string_sprintf("TLSA record problem: %s",
2111 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
b83314e3
JH		 2112#endif
2113
899b8bbc
JH		 2114badcert:
2115 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
2116 return FALSE;
17c76198 2117}
059ec3d9 2118
17c76198
PP		 2119
2120
2121
2122/* ------------------------------------------------------------------------ */
2123/* Callbacks */
2124
2125/* Logging function which can be registered with
2126 * gnutls_global_set_log_function()
2127 * gnutls_global_set_log_level() 0..9
2128 */
af3498d6 2129#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 2130static void
17c76198 2131exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 2132{
8c79eebf
PP		 2133 size_t len = strlen(message);
2134 if (len < 1)
2135 {
2136 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
2137 return;
2138 }
2139 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
2140 message[len-1] == '\n' ? "" : "\n");
17c76198 2141}
af3498d6 2142#endif
059ec3d9 2143
059ec3d9 2144
17c76198
PP		 2145/* Called after client hello, should handle SNI work.
2146This will always set tls_sni (state->received_sni) if available,
2147and may trigger presenting different certificates,
2148if state->trigger_sni_changes is TRUE.
059ec3d9 2149
17c76198
PP		 2150Should be registered with
2151 gnutls_handshake_set_post_client_hello_function()
059ec3d9 2152
17c76198
PP		 2153"This callback must return 0 on success or a gnutls error code to terminate the
2154handshake.".
059ec3d9 2155
17c76198
PP		 2156For inability to get SNI information, we return 0.
2157We only return non-zero if re-setup failed.
817d9f57 2158Only used for server-side TLS.
17c76198 2159*/
44bbabb5 2160
17c76198
PP		 2161static int
2162exim_sni_handling_cb(gnutls_session_t session)
2163{
2164char sni_name[MAX_HOST_LEN];
2165size_t data_len = MAX_HOST_LEN;
817d9f57 2166exim_gnutls_state_st *state = &state_server;
17c76198
PP		 2167unsigned int sni_type;
2168int rc, old_pool;
cf0c6164 2169uschar * dummy_errstr;
17c76198
PP		 2170
2171rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP		 2172if (rc != GNUTLS_E_SUCCESS)
2173 {
8775d84f 2174 DEBUG(D_tls)
b34fc30c
PP		 2175 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
2176 debug_printf("TLS: no SNI presented in handshake.\n");
2177 else
2178 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
2179 gnutls_strerror(rc), rc);
b34fc30c
PP		 2180 return 0;
2181 }
2182
17c76198
PP		 2183if (sni_type != GNUTLS_NAME_DNS)
2184 {
2185 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
2186 return 0;
2187 }
44bbabb5 2188
17c76198
PP		 2189/* We now have a UTF-8 string in sni_name */
2190old_pool = store_pool;
2191store_pool = POOL_PERM;
89a80675 2192state->received_sni = string_copy_taint(US sni_name, TRUE);
17c76198
PP		 2193store_pool = old_pool;
2194
2195/* We set this one now so that variable expansions below will work */
817d9f57 2196state->tlsp->sni = state->received_sni;
17c76198
PP		 2197
2198DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
2199 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
2200
2201if (!state->trigger_sni_changes)
2202 return 0;
2203
cf0c6164 2204if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP		 2205 {
2206 /* If the setup of certs/etc failed before handshake, TLS would not have
2207 been offered. The best we can do now is abort. */
2208 return GNUTLS_E_APPLICATION_ERROR_MIN;
2209 }
2210
cf0c6164 2211rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP		 2212if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
2213
2214return 0;
059ec3d9
PH		 2215}
2216
2217
2218
0cbf2b82 2219#ifndef DISABLE_EVENT
a7538db1
JH		 2220/*
2221We use this callback to get observability and detail-level control
723fe533
JH		 2222for an exim TLS connection (either direction), raising a tls:cert event
2223for each cert in the chain presented by the peer. Any event
a7538db1
JH		 2224can deny verification.
2225
2226Return 0 for the handshake to continue or non-zero to terminate.
2227*/
2228
2229static int
723fe533 2230verify_cb(gnutls_session_t session)
a7538db1 2231{
27f19eb4 2232const gnutls_datum_t * cert_list;
a7538db1
JH		 2233unsigned int cert_list_size = 0;
2234gnutls_x509_crt_t crt;
2235int rc;
b30275b8 2236uschar * yield;
a7538db1
JH		 2237exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2238
bd5b3f3c 2239if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
a7538db1
JH		 2240 while (cert_list_size--)
2241 {
bd5b3f3c 2242 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
a7538db1
JH		 2243 {
2244 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2245 cert_list_size, gnutls_strerror(rc));
2246 break;
2247 }
2248
2249 state->tlsp->peercert = crt;
b30275b8
JH		 2250 if ((yield = event_raise(state->event_action,
2251 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH		 2252 {
2253 log_write(0, LOG_MAIN,
b30275b8
JH		 2254 "SSL verify denied by event-action: depth=%d: %s",
2255 cert_list_size, yield);
a7538db1
JH		 2256 return 1; /* reject */
2257 }
2258 state->tlsp->peercert = NULL;
2259 }
2260
2261return 0;
2262}
2263
2264#endif
44662487
JH		 2265
2266
f20cfa4a
JH		 2267static gstring *
2268ddump(gnutls_datum_t * d)
2269{
2270gstring * g = string_get((d->size+1) * 2);
2271uschar * s = d->data;
2272for (unsigned i = d->size; i > 0; i--, s++)
2273 {
2274 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2275 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2276 }
2277return g;
2278}
17c76198 2279
dc6d1769
JH		 2280static void
2281post_handshake_debug(exim_gnutls_state_st * state)
2282{
dc6d1769
JH		 2283#ifdef SUPPORT_GNUTLS_SESS_DESC
2284debug_printf("%s\n", gnutls_session_get_desc(state->session));
2285#endif
e326959e 2286
86ede124 2287#ifdef SUPPORT_GNUTLS_KEYLOG
e326959e 2288# ifdef EXIM_HAVE_TLS1_3
dc6d1769 2289if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
86ede124 2290# else
a8af957d 2291if (TRUE)
86ede124 2292# endif
dc6d1769
JH		 2293 {
2294 gnutls_datum_t c, s;
2295 gstring * gc, * gs;
86ede124 2296 /* For TLS1.2 we only want the client random and the master secret */
dc6d1769
JH		 2297 gnutls_session_get_random(state->session, &c, &s);
2298 gnutls_session_get_master_secret(state->session, &s);
2299 gc = ddump(&c);
2300 gs = ddump(&s);
2301 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2302 }
2303else
2304 debug_printf("To get keying info for TLS1.3 is hard:\n"
2305 " set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n"
2306 " add SSLKEYLOGFILE to keep_environment in the exim config\n"
2307 " run exim as root\n"
e326959e 2308 " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
86ede124
JH		 2309 " (works for TLS1.2 also, and saves cut-paste into file)"
2310 " Trying to use add_environment for this will not work\n");
dc6d1769
JH		 2311#endif
2312}
2313
b10c87b3
JH		 2314
2315#ifdef EXPERIMENTAL_TLS_RESUME
2316static int
2317tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2318 unsigned incoming, const gnutls_datum_t * msg)
2319{
2320DEBUG(D_tls) debug_printf("newticket cb\n");
2321tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2322return 0;
2323}
2324
2325static void
2326tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2327{
2328/* Should the server offer session resumption? */
2329tls_in.resumption = RESUME_SUPPORTED;
2330if (verify_check_host(&tls_resumption_hosts) == OK)
2331 {
2332 int rc;
2333 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2334 an offered resumption is unacceptable. We lose one resumption per ticket
2335 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2336 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2337 least they go out in a single packet. */
2338
2339 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2340 &server_sessticket_key)))
2341 tls_in.resumption |= RESUME_SERVER_TICKET;
2342 else
2343 DEBUG(D_tls)
2344 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2345
2346 /* Try to tell if we see a ticket request */
2347 gnutls_handshake_set_hook_function(state->session,
e5489333 2348 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
b10c87b3
JH		 2349 }
2350}
2351
2352static void
2353tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2354{
2355if (gnutls_session_resumption_requested(state->session))
2356 {
2357 /* This tells us the client sent a full ticket. We use a
2358 callback on session-ticket request, elsewhere, to tell
2359 if a client asked for a ticket. */
2360
2361 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2362 DEBUG(D_tls) debug_printf("client requested resumption\n");
2363 }
2364if (gnutls_session_is_resumed(state->session))
2365 {
2366 tls_in.resumption |= RESUME_USED;
2367 DEBUG(D_tls) debug_printf("Session resumed\n");
2368 }
2369}
2370#endif
17c76198
PP		 2371/* ------------------------------------------------------------------------ */
2372/* Exported functions */
2373
2374
2375
2376
059ec3d9
PH		 2377/*************************************************
2378* Start a TLS session in a server *
2379*************************************************/
2380
2381/* This is called when Exim is running as a server, after having received
2382the STARTTLS command. It must respond to that command, and then negotiate
2383a TLS session.
2384
2385Arguments:
83da1223 2386 require_ciphers list of allowed ciphers or NULL
cf0c6164 2387 errstr pointer to error string
059ec3d9
PH		 2388
2389Returns: OK on success
2390 DEFER for errors before the start of the negotiation
4c04137d 2391 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 2392 continue running.
2393*/
2394
2395int
cf0c6164 2396tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 2397{
2398int rc;
cf0c6164 2399exim_gnutls_state_st * state = NULL;
059ec3d9
PH		 2400
2401/* Check for previous activation */
74f1a423 2402if (tls_in.active.sock >= 0)
059ec3d9 2403 {
48224640 2404 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
925ac8e4 2405 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 2406 return FAIL;
2407 }
2408
2409/* Initialize the library. If it fails, it will already have logged the error
2410and sent an SMTP response. */
2411
17c76198 2412DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 2413
d85cdeb5
JH		 2414 {
2415#ifdef MEASURE_TIMING
2416 struct timeval t0;
2417 gettimeofday(&t0, NULL);
2418#endif
2419
2420 if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
2421 NULL, tls_verify_certificates, tls_crl,
2422 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
2423
2424#ifdef MEASURE_TIMING
2425 report_time_since(&t0, US"server tls_init (delta)");
2426#endif
2427 }
059ec3d9 2428
b10c87b3
JH		 2429#ifdef EXPERIMENTAL_TLS_RESUME
2430tls_server_resume_prehandshake(state);
2431#endif
2432
059ec3d9
PH		 2433/* If this is a host for which certificate verification is mandatory or
2434optional, set up appropriately. */
2435
059ec3d9 2436if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 2437 {
e51c7be2
JH		 2438 DEBUG(D_tls)
2439 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP		 2440 state->verify_requirement = VERIFY_REQUIRED;
2441 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2442 }
059ec3d9 2443else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 2444 {
e51c7be2
JH		 2445 DEBUG(D_tls)
2446 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP		 2447 state->verify_requirement = VERIFY_OPTIONAL;
2448 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2449 }
2450else
2451 {
e51c7be2
JH		 2452 DEBUG(D_tls)
2453 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP		 2454 state->verify_requirement = VERIFY_NONE;
2455 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2456 }
059ec3d9 2457
0cbf2b82 2458#ifndef DISABLE_EVENT
723fe533
JH		 2459if (event_action)
2460 {
2461 state->event_action = event_action;
2462 gnutls_session_set_ptr(state->session, state);
2463 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2464 }
2465#endif
2466
17c76198
PP		 2467/* Register SNI handling; always, even if not in tls_certificate, so that the
2468expansion variable $tls_sni is always available. */
059ec3d9 2469
17c76198
PP		 2470gnutls_handshake_set_post_client_hello_function(state->session,
2471 exim_sni_handling_cb);
059ec3d9
PH		 2472
2473/* Set context and tell client to go ahead, except in the case of TLS startup
2474on connection, where outputting anything now upsets the clients and tends to
2475make them disconnect. We need to have an explicit fflush() here, to force out
2476the response. Other smtp_printf() calls do not need it, because in non-TLS
2477mode, the fflush() happens when smtp_getc() is called. */
2478
817d9f57 2479if (!state->tlsp->on_connect)
059ec3d9 2480 {
925ac8e4 2481 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 2482 fflush(smtp_out);
059ec3d9
PH		 2483 }
2484
2485/* Now negotiate the TLS session. We put our own timer on it, since it seems
8008accd
JH		 2486that the GnuTLS library doesn't.
2487From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2488to set (and clear down afterwards) up a pull-timeout callback function that does
2489a select, so we're no better off unless avoiding signals becomes an issue. */
059ec3d9 2490
17c76198 2491gnutls_transport_set_ptr2(state->session,
27f19eb4
JH		 2492 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2493 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP		 2494state->fd_in = fileno(smtp_in);
2495state->fd_out = fileno(smtp_out);
059ec3d9
PH		 2496
2497sigalrm_seen = FALSE;
c2a1bba0 2498if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
17c76198 2499do
17c76198 2500 rc = gnutls_handshake(state->session);
157a7880 2501while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2502ALARM_CLR(0);
059ec3d9 2503
17c76198 2504if (rc != GNUTLS_E_SUCCESS)
059ec3d9 2505 {
059ec3d9
PH		 2506 /* It seems that, except in the case of a timeout, we have to close the
2507 connection right here; otherwise if the other end is running OpenSSL it hangs
2508 until the server times out. */
2509
60d10ce7 2510 if (sigalrm_seen)
ad7fc6eb 2511 {
48224640 2512 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
ad7fc6eb
JH		 2513 gnutls_db_remove_session(state->session);
2514 }
60d10ce7 2515 else
059ec3d9 2516 {
452a164f 2517 tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
f5d25c2b 2518 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 2519 gnutls_deinit(state->session);
ed62aae3 2520 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 2521 millisleep(500);
ad7fc6eb 2522 shutdown(state->fd_out, SHUT_WR);
d7978c0f 2523 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
f1e894f3
PH		 2524 (void)fclose(smtp_out);
2525 (void)fclose(smtp_in);
60d10ce7 2526 smtp_out = smtp_in = NULL;
059ec3d9
PH		 2527 }
2528
2529 return FAIL;
2530 }
2531
b10c87b3
JH		 2532#ifdef EXPERIMENTAL_TLS_RESUME
2533tls_server_resume_posthandshake(state);
2534#endif
2535
dc6d1769 2536DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2537
17c76198
PP		 2538/* Verify after the fact */
2539
899b8bbc 2540if (!verify_certificate(state, errstr))
059ec3d9 2541 {
9d1c15ef 2542 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 2543 {
cf0c6164 2544 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 2545 return FAIL;
17c76198 2546 }
9d1c15ef
JH		 2547 DEBUG(D_tls)
2548 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 2549 *errstr);
059ec3d9
PH		 2550 }
2551
17c76198
PP		 2552/* Sets various Exim expansion variables; always safe within server */
2553
9d1c15ef 2554extract_exim_vars_from_tls_state(state);
059ec3d9
PH		 2555
2556/* TLS has been set up. Adjust the input functions to read via TLS,
2557and initialize appropriately. */
2558
17c76198 2559state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH		 2560
2561receive_getc = tls_getc;
0d81dabc 2562receive_getbuf = tls_getbuf;
584e96c6 2563receive_get_cache = tls_get_cache;
059ec3d9
PH		 2564receive_ungetc = tls_ungetc;
2565receive_feof = tls_feof;
2566receive_ferror = tls_ferror;
58eb016e 2567receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2568
059ec3d9
PH		 2569return OK;
2570}
2571
2572
2573
2574
aa2a70ba
JH		 2575static void
2576tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2577 smtp_transport_options_block * ob)
2578{
3fb3231c 2579if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 2580 {
4af0d74a 2581 state->exp_tls_verify_cert_hostnames =
8c5d388a 2582#ifdef SUPPORT_I18N
4af0d74a
JH		 2583 string_domain_utf8_to_alabel(host->name, NULL);
2584#else
2585 host->name;
2586#endif
aa2a70ba
JH		 2587 DEBUG(D_tls)
2588 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2589 state->exp_tls_verify_cert_hostnames);
2590 }
2591}
aa2a70ba
JH		 2592
2593
899b8bbc
JH		 2594
2595
2596#ifdef SUPPORT_DANE
2597/* Given our list of RRs from the TLSA lookup, build a lookup block in
2598GnuTLS-DANE's preferred format. Hang it on the state str for later
2599use in DANE verification.
2600
2601We point at the dnsa data not copy it, so it must remain valid until
2602after verification is done.*/
2603
3674140c 2604static BOOL
899b8bbc
JH		 2605dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2606{
899b8bbc
JH		 2607dns_scan dnss;
2608int i;
2609const char ** dane_data;
2610int * dane_data_len;
2611
d7978c0f
JH		 2612i = 1;
2613for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc
JH		 2614 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2615 ) if (rr->type == T_TLSA) i++;
2616
f3ebb786
JH		 2617dane_data = store_get(i * sizeof(uschar *), FALSE);
2618dane_data_len = store_get(i * sizeof(int), FALSE);
899b8bbc 2619
d7978c0f
JH		 2620i = 0;
2621for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc 2622 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2623 ) if (rr->type == T_TLSA && rr->size > 3)
899b8bbc
JH		 2624 {
2625 const uschar * p = rr->data;
f3ebb786 2626/*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
3674140c
JH		 2627 uint8_t usage = p[0], sel = p[1], type = p[2];
2628
2629 DEBUG(D_tls)
2630 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2631
94c13285
JH		 2632 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2633 || (sel != 0 && sel != 1)
2634 )
2635 continue;
3674140c
JH		 2636 switch(type)
2637 {
2638 case 0: /* Full: cannot check at present */
2639 break;
2640 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2641 break;
2642 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2643 break;
2644 default: continue;
2645 }
899b8bbc
JH		 2646
2647 tls_out.tlsa_usage |= 1<<usage;
48224640 2648 dane_data[i] = CS p;
899b8bbc
JH		 2649 dane_data_len[i++] = rr->size;
2650 }
3674140c
JH		 2651
2652if (!i) return FALSE;
2653
899b8bbc
JH		 2654dane_data[i] = NULL;
2655dane_data_len[i] = 0;
2656
2657state->dane_data = (char * const *)dane_data;
2658state->dane_data_len = dane_data_len;
3674140c 2659return TRUE;
899b8bbc
JH		 2660}
2661#endif
2662
2663
2664
b10c87b3
JH		 2665#ifdef EXPERIMENTAL_TLS_RESUME
2666/* On the client, get any stashed session for the given IP from hints db
2667and apply it to the ssl-connection for attempted resumption. Although
2668there is a gnutls_session_ticket_enable_client() interface it is
2669documented as unnecessary (as of 3.6.7) as "session tickets are emabled
2670by deafult". There seems to be no way to disable them, so even hosts not
2671enabled by the transport option will be sent a ticket request. We will
2672however avoid storing and retrieving session information. */
2673
2674static void
2675tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
2676 host_item * host, smtp_transport_options_block * ob)
2677{
2678tlsp->resumption = RESUME_SUPPORTED;
2679if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2680 {
2681 dbdata_tls_session * dt;
2682 int len, rc;
2683 open_db dbblock, * dbm_file;
2684
2685 DEBUG(D_tls)
2686 debug_printf("check for resumable session for %s\n", host->address);
2687 tlsp->host_resumable = TRUE;
2688 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2689 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2690 {
dea4b568
JH		 2691 /* Key for the db is the IP. We'd like to filter the retrieved session
2692 for ticket advisory expiry, but 3.6.1 seems to give no access to that */
2693
b10c87b3
JH		 2694 if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
2695 if (!(rc = gnutls_session_set_data(session,
2696 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
2697 {
2698 DEBUG(D_tls) debug_printf("good session\n");
2699 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2700 }
2701 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
2702 US gnutls_strerror(rc));
2703 dbfn_close(dbm_file);
2704 }
2705 }
2706}
2707
2708
2709static void
2710tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
2711{
2712/* TLS 1.2 - we get both the callback and the direct posthandshake call,
2713but this flag is not set until the second. TLS 1.3 it's the other way about.
2714Keep both calls as the session data cannot be extracted before handshake
2715completes. */
2716
2717if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
2718 {
2719 gnutls_datum_t tkt;
2720 int rc;
2721
2722 DEBUG(D_tls) debug_printf("server offered session ticket\n");
2723 tlsp->ticket_received = TRUE;
2724 tlsp->resumption |= RESUME_SERVER_TICKET;
2725
2726 if (tlsp->host_resumable)
2727 if (!(rc = gnutls_session_get_data2(session, &tkt)))
2728 {
2729 open_db dbblock, * dbm_file;
2730 int dlen = sizeof(dbdata_tls_session) + tkt.size;
f3ebb786 2731 dbdata_tls_session * dt = store_get(dlen, TRUE);
b10c87b3
JH		 2732
2733 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
2734 memcpy(dt->session, tkt.data, tkt.size);
2735 gnutls_free(tkt.data);
2736
2737 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2738 {
2739 /* key for the db is the IP */
2740 dbfn_delete(dbm_file, host->address);
2741 dbfn_write(dbm_file, host->address, dt, dlen);
2742 dbfn_close(dbm_file);
2743
2744 DEBUG(D_tls)
2745 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
2746 }
2747 }
2748 else DEBUG(D_tls)
2749 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
2750 }
2751}
2752
2753
2754/* With a TLS1.3 session, the ticket(s) are not seen until
2755the first data read is attempted. And there's often two of them.
2756Pick them up with this callback. We are also called for 1.2
2757but we do nothing.
2758*/
2759static int
2760tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2761 unsigned incoming, const gnutls_datum_t * msg)
2762{
2763exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
2764tls_support * tlsp = state->tlsp;
2765
2766DEBUG(D_tls) debug_printf("newticket cb\n");
2767
2768if (!tlsp->ticket_received)
2769 tls_save_session(tlsp, sess, state->host);
2770return 0;
2771}
2772
2773
2774static void
2775tls_client_resume_prehandshake(exim_gnutls_state_st * state,
2776 tls_support * tlsp, host_item * host,
2777 smtp_transport_options_block * ob)
2778{
2779gnutls_session_set_ptr(state->session, state);
2780gnutls_handshake_set_hook_function(state->session,
2781 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
2782
2783tls_retrieve_session(tlsp, state->session, host, ob);
2784}
2785
2786static void
2787tls_client_resume_posthandshake(exim_gnutls_state_st * state,
2788 tls_support * tlsp, host_item * host)
2789{
2790if (gnutls_session_is_resumed(state->session))
2791 {
2792 DEBUG(D_tls) debug_printf("Session resumed\n");
2793 tlsp->resumption |= RESUME_USED;
2794 }
2795
2796tls_save_session(tlsp, state->session, host);
2797}
2798#endif /* EXPERIMENTAL_TLS_RESUME */
2799
2800
059ec3d9
PH		 2801/*************************************************
2802* Start a TLS session in a client *
2803*************************************************/
2804
2805/* Called from the smtp transport after STARTTLS has been accepted.
2806
2807Arguments:
c05bdbd6
JH		 2808 cctx connection context
2809 conn_args connection details
2810 cookie datum for randomness (not used)
2811 tlsp record details of channel configuration here; must be non-NULL
2812 errstr error string pointer
2813
2814Returns: TRUE for success with TLS session context set in smtp context,
2815 FALSE on error
059ec3d9
PH		 2816*/
2817
c05bdbd6
JH		 2818BOOL
2819tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2820 void * cookie ARG_UNUSED,
2821 tls_support * tlsp, uschar ** errstr)
059ec3d9 2822{
c05bdbd6
JH		 2823host_item * host = conn_args->host; /* for msgs and option-tests */
2824transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2825smtp_transport_options_block * ob = tb
afdb5e9c
JH		 2826 ? (smtp_transport_options_block *)tb->options_block
2827 : &smtp_transport_option_defaults;
059ec3d9 2828int rc;
899b8bbc 2829exim_gnutls_state_st * state = NULL;
c05bdbd6 2830uschar * cipher_list = NULL;
74f1a423 2831
f2de3a33 2832#ifndef DISABLE_OCSP
5130845b 2833BOOL require_ocsp =
3fb3231c 2834 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
44662487 2835BOOL request_ocsp = require_ocsp ? TRUE
3fb3231c 2836 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2b4a568d 2837#endif
059ec3d9 2838
c05bdbd6 2839DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
059ec3d9 2840
5ec37a55 2841#ifdef SUPPORT_DANE
c05bdbd6
JH		 2842/* If dane is flagged, have either request or require dane for this host, and
2843a TLSA record found. Therefore, dane verify required. Which implies cert must
2844be requested and supplied, dane verify must pass, and cert verify irrelevant
2845(incl. hostnames), and (caller handled) require_tls */
2846
2847if (conn_args->dane && ob->dane_require_tls_ciphers)
5ec37a55
PP		 2848 {
2849 /* not using expand_check_tlsvar because not yet in state */
2850 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2851 &cipher_list, errstr))
c05bdbd6 2852 return FALSE;
cf260049
JH		 2853 cipher_list = cipher_list && *cipher_list
2854 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
5ec37a55
PP		 2855 }
2856#endif
2857
2858if (!cipher_list)
2859 cipher_list = ob->tls_require_ciphers;
2860
d85cdeb5
JH		 2861 {
2862#ifdef MEASURE_TIMING
2863 struct timeval t0;
2864 gettimeofday(&t0, NULL);
2865#endif
2866
2867 if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
2868 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
2869 cipher_list, &state, tlsp, errstr) != OK)
2870 return FALSE;
2871
2872#ifdef MEASURE_TIMING
2873 report_time_since(&t0, US"client tls_init (delta)");
2874#endif
2875 }
059ec3d9 2876
54c90be1 2877 {
65867078
JH		 2878 int dh_min_bits = ob->tls_dh_min_bits;
2879 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2880 {
2881 DEBUG(D_tls)
2882 debug_printf("WARNING: tls_dh_min_bits far too low,"
2883 " clamping %d up to %d\n",
2884 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2885 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2886 }
54c90be1 2887
65867078
JH		 2888 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2889 " acceptable bits to %d\n",
2890 dh_min_bits);
2891 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2892 }
83da1223 2893
94431adb 2894/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH		 2895set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2896the specified host patterns if one of them is defined */
2897
899b8bbc 2898#ifdef SUPPORT_DANE
c05bdbd6 2899if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
899b8bbc
JH		 2900 {
2901 DEBUG(D_tls)
2902 debug_printf("TLS: server certificate DANE required.\n");
2903 state->verify_requirement = VERIFY_DANE;
2904 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
899b8bbc
JH		 2905 }
2906else
2907#endif
2908 if ( ( state->exp_tls_verify_certificates
2909 && !ob->tls_verify_hosts
2910 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2911 )
3fb3231c 2912 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
899b8bbc 2913 )
17c76198 2914 {
aa2a70ba 2915 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH		 2916 DEBUG(D_tls)
2917 debug_printf("TLS: server certificate verification required.\n");
2918 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB		 2919 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2920 }
3fb3231c 2921else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
52f93eed 2922 {
aa2a70ba 2923 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH		 2924 DEBUG(D_tls)
2925 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2926 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP		 2927 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2928 }
2929else
2930 {
e51c7be2
JH		 2931 DEBUG(D_tls)
2932 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB		 2933 state->verify_requirement = VERIFY_NONE;
2934 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2935 }
059ec3d9 2936
f2de3a33
JH		 2937#ifndef DISABLE_OCSP
2938 /* supported since GnuTLS 3.1.3 */
44662487 2939if (request_ocsp)
9d1c15ef
JH		 2940 {
2941 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH		 2942 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2943 NULL, 0, NULL)) != OK)
74f1a423 2944 {
452a164f 2945 tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
c05bdbd6 2946 return FALSE;
74f1a423
JH		 2947 }
2948 tlsp->ocsp = OCSP_NOT_RESP;
9d1c15ef 2949 }
2b4a568d
JH		 2950#endif
2951
b10c87b3
JH		 2952#ifdef EXPERIMENTAL_TLS_RESUME
2953tls_client_resume_prehandshake(state, tlsp, host, ob);
2954#endif
2955
0cbf2b82 2956#ifndef DISABLE_EVENT
afdb5e9c 2957if (tb && tb->event_action)
a7538db1 2958 {
774ef2d7 2959 state->event_action = tb->event_action;
a7538db1 2960 gnutls_session_set_ptr(state->session, state);
723fe533 2961 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH		 2962 }
2963#endif
2964
c05bdbd6
JH		 2965gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
2966state->fd_in = cctx->sock;
2967state->fd_out = cctx->sock;
059ec3d9 2968
9d1c15ef 2969DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH		 2970/* There doesn't seem to be a built-in timeout on connection. */
2971
2972sigalrm_seen = FALSE;
c2a1bba0 2973ALARM(ob->command_timeout);
17c76198 2974do
17c76198 2975 rc = gnutls_handshake(state->session);
f1fed05b 2976while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2977ALARM_CLR(0);
059ec3d9 2978
4fe99a6c 2979if (rc != GNUTLS_E_SUCCESS)
74f1a423 2980 {
60d10ce7
JH		 2981 if (sigalrm_seen)
2982 {
2983 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
48224640 2984 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
60d10ce7
JH		 2985 }
2986 else
452a164f 2987 tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
c05bdbd6 2988 return FALSE;
74f1a423 2989 }
4fe99a6c 2990
dc6d1769 2991DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2992
17c76198 2993/* Verify late */
059ec3d9 2994
899b8bbc 2995if (!verify_certificate(state, errstr))
74f1a423
JH		 2996 {
2997 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
c05bdbd6 2998 return FALSE;
74f1a423 2999 }
059ec3d9 3000
f2de3a33 3001#ifndef DISABLE_OCSP
7a501c87 3002if (request_ocsp)
2b4a568d
JH		 3003 {
3004 DEBUG(D_tls)
3005 {
3006 gnutls_datum_t stapling;
3007 gnutls_ocsp_resp_t resp;
3008 gnutls_datum_t printed;
e326959e
JH		 3009 unsigned idx = 0;
3010
3011 for (;
3012# ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
3013 (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
3014#else
3015 (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
3016#endif
3017 idx++)
3018 if ( (rc= gnutls_ocsp_resp_init(&resp)) == 0
3019 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
3020 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
3021 )
3022 {
3023 debug_printf("%.4096s", printed.data);
3024 gnutls_free(printed.data);
3025 }
3026 else
3027 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
3028 if (idx == 0 && rc)
452a164f 3029 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2b4a568d
JH		 3030 }
3031
2b4a568d 3032 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2 3033 {
74f1a423
JH		 3034 tlsp->ocsp = OCSP_FAILED;
3035 tls_error(US"certificate status check failed", NULL, state->host, errstr);
7a501c87
JH		 3036 if (require_ocsp)
3037 return FALSE;
3038 }
3039 else
3040 {
3041 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
3042 tlsp->ocsp = OCSP_VFIED;
018058b2 3043 }
2b4a568d
JH		 3044 }
3045#endif
3046
b10c87b3
JH		 3047#ifdef EXPERIMENTAL_TLS_RESUME
3048tls_client_resume_posthandshake(state, tlsp, host);
3049#endif
059ec3d9 3050
4fe99a6c 3051/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 3052
9d1c15ef 3053extract_exim_vars_from_tls_state(state);
059ec3d9 3054
c05bdbd6
JH		 3055cctx->tls_ctx = state;
3056return TRUE;
059ec3d9
PH		 3057}
3058
3059
3060
17c76198 3061
059ec3d9 3062/*************************************************
17c76198 3063* Close down a TLS session *
059ec3d9
PH		 3064*************************************************/
3065
17c76198
PP		 3066/* This is also called from within a delivery subprocess forked from the
3067daemon, to shut down the TLS library, without actually doing a shutdown (which
3068would tamper with the TLS session in the parent process).
059ec3d9 3069
dec766a1 3070Arguments:
74f1a423 3071 ct_ctx client context pointer, or NULL for the one global server context
dec766a1 3072 shutdown 1 if TLS close-alert is to be sent,
afdb5e9c 3073 2 if also response to be waited for
dec766a1 3074
17c76198 3075Returns: nothing
059ec3d9
PH		 3076*/
3077
17c76198 3078void
74f1a423 3079tls_close(void * ct_ctx, int shutdown)
059ec3d9 3080{
74f1a423 3081exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
bd231acd 3082tls_support * tlsp = state->tlsp;
059ec3d9 3083
bd231acd 3084if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
17c76198
PP		 3085
3086if (shutdown)
3087 {
dec766a1
WB		 3088 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3089 shutdown > 1 ? " (with response-wait)" : "");
3090
c2a1bba0 3091 ALARM(2);
dec766a1 3092 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
c2a1bba0 3093 ALARM_CLR(0);
17c76198
PP		 3094 }
3095
bd231acd
JH		 3096if (!ct_ctx) /* server */
3097 {
3098 receive_getc = smtp_getc;
3099 receive_getbuf = smtp_getbuf;
3100 receive_get_cache = smtp_get_cache;
3101 receive_ungetc = smtp_ungetc;
3102 receive_feof = smtp_feof;
3103 receive_ferror = smtp_ferror;
3104 receive_smtp_buffered = smtp_buffered;
3105 }
3106
17c76198 3107gnutls_deinit(state->session);
ed62aae3
HSHR		 3108gnutls_certificate_free_credentials(state->x509_cred);
3109
bd231acd
JH		 3110tlsp->active.sock = -1;
3111tlsp->active.tls_ctx = NULL;
3112/* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
b1a32a3c 3113tlsp->channelbinding = NULL;
bd231acd 3114
17c76198 3115
b808677c 3116if (state->xfer_buffer) store_free(state->xfer_buffer);
17c76198 3117memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
059ec3d9
PH		 3118}
3119
3120
3121
17c76198 3122
0d81dabc
JH		 3123static BOOL
3124tls_refill(unsigned lim)
3125{
3126exim_gnutls_state_st * state = &state_server;
3127ssize_t inbytes;
3128
3129DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
3130 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
3131
f1fed05b 3132sigalrm_seen = FALSE;
c2a1bba0 3133if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
4896a319
AM		 3134
3135do
3136 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
3137 MIN(ssl_xfer_buffer_size, lim));
3138while (inbytes == GNUTLS_E_AGAIN);
3139
c2a1bba0 3140if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH		 3141
3142if (had_command_timeout) /* set by signal handler */
3143 smtp_command_timeout_exit(); /* does not return */
3144if (had_command_sigterm)
3145 smtp_command_sigterm_exit();
3146if (had_data_timeout)
3147 smtp_data_timeout_exit();
3148if (had_data_sigint)
3149 smtp_data_sigint_exit();
3150
3151/* Timeouts do not get this far. A zero-byte return appears to mean that the
3152TLS session has been closed down, not that the socket itself has been closed
3153down. Revert to non-TLS handling. */
0d81dabc
JH		 3154
3155if (sigalrm_seen)
3156 {
3157 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
8b77d27a 3158 state->xfer_error = TRUE;
0d81dabc
JH		 3159 return FALSE;
3160 }
3161
3162else if (inbytes == 0)
3163 {
3164 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
bd231acd 3165 tls_close(NULL, TLS_NO_SHUTDOWN);
0d81dabc
JH		 3166 return FALSE;
3167 }
3168
3169/* Handle genuine errors */
3170
3171else if (inbytes < 0)
3172 {
95f52235 3173 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
0d81dabc 3174 record_io_error(state, (int) inbytes, US"recv", NULL);
8b77d27a 3175 state->xfer_error = TRUE;
0d81dabc
JH		 3176 return FALSE;
3177 }
3178#ifndef DISABLE_DKIM
3179dkim_exim_verify_feed(state->xfer_buffer, inbytes);
3180#endif
3181state->xfer_buffer_hwm = (int) inbytes;
3182state->xfer_buffer_lwm = 0;
3183return TRUE;
3184}
3185
059ec3d9
PH		 3186/*************************************************
3187* TLS version of getc *
3188*************************************************/
3189
3190/* This gets the next byte from the TLS input buffer. If the buffer is empty,
3191it refills the buffer via the GnuTLS reading function.
817d9f57 3192Only used by the server-side TLS.
059ec3d9 3193
17c76198
PP		 3194This feeds DKIM and should be used for all message-body reads.
3195
aded2255 3196Arguments: lim Maximum amount to read/buffer
059ec3d9
PH		 3197Returns: the next character or EOF
3198*/
3199
3200int
bd8fbe36 3201tls_getc(unsigned lim)
059ec3d9 3202{
0d81dabc 3203exim_gnutls_state_st * state = &state_server;
059ec3d9 3204
0d81dabc
JH		 3205if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3206 if (!tls_refill(lim))
3207 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 3208
0d81dabc 3209/* Something in the buffer; return next uschar */
059ec3d9 3210
0d81dabc
JH		 3211return state->xfer_buffer[state->xfer_buffer_lwm++];
3212}
059ec3d9 3213
0d81dabc
JH		 3214uschar *
3215tls_getbuf(unsigned * len)
3216{
3217exim_gnutls_state_st * state = &state_server;
3218unsigned size;
3219uschar * buf;
059ec3d9 3220
0d81dabc
JH		 3221if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3222 if (!tls_refill(*len))
059ec3d9 3223 {
0d81dabc
JH		 3224 if (!state->xfer_error) return smtp_getbuf(len);
3225 *len = 0;
3226 return NULL;
059ec3d9 3227 }
059ec3d9 3228
0d81dabc
JH		 3229if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
3230 size = *len;
3231buf = &state->xfer_buffer[state->xfer_buffer_lwm];
3232state->xfer_buffer_lwm += size;
3233*len = size;
3234return buf;
059ec3d9
PH		 3235}
3236
0d81dabc 3237
584e96c6
JH		 3238void
3239tls_get_cache()
3240{
9960d1e5 3241#ifndef DISABLE_DKIM
584e96c6
JH		 3242exim_gnutls_state_st * state = &state_server;
3243int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3244if (n > 0)
3245 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 3246#endif
9960d1e5 3247}
584e96c6 3248
059ec3d9 3249
925ac8e4
JH		 3250BOOL
3251tls_could_read(void)
3252{
3253return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3254 || gnutls_record_check_pending(state_server.session) > 0;
3255}
3256
3257
059ec3d9 3258
17c76198 3259
059ec3d9
PH		 3260/*************************************************
3261* Read bytes from TLS channel *
3262*************************************************/
3263
17c76198
PP		 3264/* This does not feed DKIM, so if the caller uses this for reading message body,
3265then the caller must feed DKIM.
817d9f57 3266
059ec3d9 3267Arguments:
74f1a423 3268 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3269 buff buffer of data
3270 len size of buffer
3271
3272Returns: the number of bytes read
afdb5e9c 3273 -1 after a failed read, including EOF
059ec3d9
PH		 3274*/
3275
3276int
74f1a423 3277tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 3278{
74f1a423 3279exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
17c76198 3280ssize_t inbytes;
059ec3d9 3281
17c76198
PP		 3282if (len > INT_MAX)
3283 len = INT_MAX;
059ec3d9 3284
17c76198
PP		 3285if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3286 DEBUG(D_tls)
3287 debug_printf("*** PROBABLY A BUG *** " \
3288 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3289 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3290
3291DEBUG(D_tls)
3292 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
3293 state->session, buff, len);
3294
4896a319
AM		 3295do
3296 inbytes = gnutls_record_recv(state->session, buff, len);
3297while (inbytes == GNUTLS_E_AGAIN);
3298
059ec3d9
PH		 3299if (inbytes > 0) return inbytes;
3300if (inbytes == 0)
3301 {
3302 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3303 }
5fd28bb8 3304else
4896a319 3305 {
95f52235 3306 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
4896a319
AM		 3307 record_io_error(state, (int)inbytes, US"recv", NULL);
3308 }
059ec3d9
PH		 3309
3310return -1;
3311}
3312
3313
3314
17c76198 3315
059ec3d9
PH		 3316/*************************************************
3317* Write bytes down TLS channel *
3318*************************************************/
3319
3320/*
3321Arguments:
74f1a423 3322 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3323 buff buffer of data
3324 len number of bytes
925ac8e4 3325 more more data expected soon
059ec3d9 3326
30398c06
JH		 3327Calling with len zero and more unset will flush buffered writes. The buff
3328argument can be null for that case.
3329
059ec3d9
PH		 3330Returns: the number of bytes after a successful write,
3331 -1 after a failed write
3332*/
3333
3334int
74f1a423 3335tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
059ec3d9 3336{
17c76198
PP		 3337ssize_t outbytes;
3338size_t left = len;
74f1a423 3339exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
925ac8e4
JH		 3340#ifdef SUPPORT_CORK
3341static BOOL corked = FALSE;
3342
3343if (more && !corked) gnutls_record_cork(state->session);
3344#endif
3345
3346DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
3347 buff, left, more ? ", more" : "");
059ec3d9 3348
059ec3d9
PH		 3349while (left > 0)
3350 {
17c76198
PP		 3351 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
3352 buff, left);
4896a319
AM		 3353
3354 do
3355 outbytes = gnutls_record_send(state->session, buff, left);
3356 while (outbytes == GNUTLS_E_AGAIN);
059ec3d9 3357
17c76198 3358 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH		 3359 if (outbytes < 0)
3360 {
1b76ad22 3361 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
17c76198 3362 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH		 3363 return -1;
3364 }
3365 if (outbytes == 0)
3366 {
17c76198 3367 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH		 3368 return -1;
3369 }
3370
3371 left -= outbytes;
3372 buff += outbytes;
3373 }
3374
17c76198
PP		 3375if (len > INT_MAX)
3376 {
3377 DEBUG(D_tls)
3378 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
3379 len);
3380 len = INT_MAX;
3381 }
3382
925ac8e4
JH		 3383#ifdef SUPPORT_CORK
3384if (more != corked)
3385 {
3386 if (!more) (void) gnutls_record_uncork(state->session, 0);
3387 corked = more;
3388 }
3389#endif
3390
17c76198 3391return (int) len;
059ec3d9
PH		 3392}
3393
3394
3395
17c76198 3396
059ec3d9 3397/*************************************************
17c76198 3398* Random number generation *
059ec3d9
PH		 3399*************************************************/
3400
17c76198
PP		 3401/* Pseudo-random number generation. The result is not expected to be
3402cryptographically strong but not so weak that someone will shoot themselves
3403in the foot using it as a nonce in input in some email header scheme or
3404whatever weirdness they'll twist this into. The result should handle fork()
3405and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 3406
17c76198
PP		 3407Arguments:
3408 max range maximum
3409Returns a random number in range [0, max-1]
059ec3d9
PH		 3410*/
3411
af3498d6 3412#ifdef HAVE_GNUTLS_RND
17c76198
PP		 3413int
3414vaguely_random_number(int max)
059ec3d9 3415{
17c76198
PP		 3416unsigned int r;
3417int i, needed_len;
17c76198
PP		 3418uschar smallbuf[sizeof(r)];
3419
3420if (max <= 1)
3421 return 0;
3422
3423needed_len = sizeof(r);
3424/* Don't take 8 times more entropy than needed if int is 8 octets and we were
d7978c0f
JH		 3425asked for a number less than 10. */
3426
17c76198
PP		 3427for (r = max, i = 0; r; ++i)
3428 r >>= 1;
3429i = (i + 7) / 8;
3430if (i < needed_len)
3431 needed_len = i;
3432
3433i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
3434if (i < 0)
059ec3d9 3435 {
17c76198
PP		 3436 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
3437 return vaguely_random_number_fallback(max);
3438 }
3439r = 0;
d7978c0f
JH		 3440for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3441 r = r * 256 + *p;
059ec3d9 3442
17c76198
PP		 3443/* We don't particularly care about weighted results; if someone wants
3444 * smooth distribution and cares enough then they should submit a patch then. */
3445return r % max;
059ec3d9 3446}
af3498d6
PP		 3447#else /* HAVE_GNUTLS_RND */
3448int
3449vaguely_random_number(int max)
3450{
3451 return vaguely_random_number_fallback(max);
3452}
3453#endif /* HAVE_GNUTLS_RND */
059ec3d9 3454
36f12725
NM		 3455
3456
3457
3375e053
PP		 3458/*************************************************
3459* Let tls_require_ciphers be checked at startup *
3460*************************************************/
3461
3462/* The tls_require_ciphers option, if set, must be something which the
3463library can parse.
3464
3465Returns: NULL on success, or error message
3466*/
3467
3468uschar *
3469tls_validate_require_cipher(void)
3470{
3471int rc;
3472uschar *expciphers = NULL;
3473gnutls_priority_t priority_cache;
3474const char *errpos;
cf0c6164 3475uschar * dummy_errstr;
3375e053 3476
4d2a62a3
JH		 3477#ifdef GNUTLS_AUTO_GLOBAL_INIT
3478# define validate_check_rc(Label) do { \
3479 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) \
3480 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3481# define return_deinit(Label) do { return (Label); } while (0)
3482#else
3483# define validate_check_rc(Label) do { \
3375e053 3484 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
4d2a62a3
JH		 3485 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3486# define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
3487#endif
3375e053
PP		 3488
3489if (exim_gnutls_base_init_done)
3490 log_write(0, LOG_MAIN|LOG_PANIC,
3491 "already initialised GnuTLS, Exim developer bug");
3492
9f707b89 3493#if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
2519e60d 3494if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 3495 {
3496 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
3497 validate_check_rc(US"gnutls_pkcs11_init");
3498 }
3499#endif
4d2a62a3 3500#ifndef GNUTLS_AUTO_GLOBAL_INIT
3375e053
PP		 3501rc = gnutls_global_init();
3502validate_check_rc(US"gnutls_global_init()");
4d2a62a3 3503#endif
3375e053
PP		 3504exim_gnutls_base_init_done = TRUE;
3505
3506if (!(tls_require_ciphers && *tls_require_ciphers))
3507 return_deinit(NULL);
3508
cf0c6164
JH		 3509if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3510 &dummy_errstr))
3375e053
PP		 3511 return_deinit(US"failed to expand tls_require_ciphers");
3512
3513if (!(expciphers && *expciphers))
3514 return_deinit(NULL);
3515
3516DEBUG(D_tls)
3517 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3518
3519rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
3520validate_check_rc(string_sprintf(
3521 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
3522 expciphers, errpos - CS expciphers, errpos));
3523
3524#undef return_deinit
3525#undef validate_check_rc
4d2a62a3 3526#ifndef GNUTLS_AUTO_GLOBAL_INIT
3375e053 3527gnutls_global_deinit();
4d2a62a3 3528#endif
3375e053
PP		 3529
3530return NULL;
3531}
3532
3533
3534
3535
36f12725
NM		 3536/*************************************************
3537* Report the library versions. *
3538*************************************************/
3539
3540/* See a description in tls-openssl.c for an explanation of why this exists.
3541
3542Arguments: a FILE* to print the results to
3543Returns: nothing
3544*/
3545
3546void
3547tls_version_report(FILE *f)
3548{
754a0503
PP		 3549fprintf(f, "Library version: GnuTLS: Compile: %s\n"
3550 " Runtime: %s\n",
3551 LIBGNUTLS_VERSION,
3552 gnutls_check_version(NULL));
36f12725
NM		 3553}
3554
b10c87b3 3555#endif /*!MACRO_PREDEF*/
2b4a568d
JH		 3556/* vi: aw ai sw=2
3557*/
059ec3d9 3558/* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.