projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Docs: fix syntax
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP		 10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP		 14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 16Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 17appropriate.
059ec3d9 18
17c76198
PP		 19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP		 24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP		 27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP		 32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP		 37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
184384c3 42
a5f239e4
PP		 43/* needed to disable PKCS11 autoload unless requested */
44#if GNUTLS_VERSION_NUMBER >= 0x020c00
45# include <gnutls/pkcs11.h>
76075bb5 46# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 47#endif
7e07527a
JH		 48#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
49# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
50# define DISABLE_OCSP
51#endif
0cbf2b82 52#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 53# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 54# define DISABLE_EVENT
a7538db1 55#endif
a7fec7a7
JH		 56#if GNUTLS_VERSION_NUMBER >= 0x030306
57# define SUPPORT_CA_DIR
58#else
59# undef SUPPORT_CA_DIR
60#endif
11a04b5a 61#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH		 62# define SUPPORT_SYSDEFAULT_CABUNDLE
63#endif
184384c3
JH		 64#if GNUTLS_VERSION_NUMBER >= 0x030104
65# define GNUTLS_CERT_VFY_STATUS_PRINT
66#endif
925ac8e4
JH		 67#if GNUTLS_VERSION_NUMBER >= 0x030109
68# define SUPPORT_CORK
69#endif
f20cfa4a
JH		 70#if GNUTLS_VERSION_NUMBER >= 0x03010a
71# define SUPPORT_GNUTLS_SESS_DESC
72#endif
73#if GNUTLS_VERSION_NUMBER >= 0x030500
74# define SUPPORT_GNUTLS_KEYLOG
75#endif
47195144
JH		 76#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
77# define SUPPORT_SRV_OCSP_STACK
78#endif
49132a3b
JH		 79#if GNUTLS_VERSION_NUMBER >= 0x030600
80# define GNUTLS_AUTO_DHPARAMS
81#endif
be427508 82#if GNUTLS_VERSION_NUMBER >= 0x030603
e326959e 83# define EXIM_HAVE_TLS1_3
be427508 84# define SUPPORT_GNUTLS_EXT_RAW_PARSE
e326959e 85# define GNUTLS_OCSP_STATUS_REQUEST_GET2
be427508 86#endif
c0635b6d
JH		 87
88#ifdef SUPPORT_DANE
89# if GNUTLS_VERSION_NUMBER >= 0x030000
90# define DANESSL_USAGE_DANE_TA 2
91# define DANESSL_USAGE_DANE_EE 3
92# else
93# error GnuTLS version too early for DANE
94# endif
95# if GNUTLS_VERSION_NUMBER < 0x999999
96# define GNUTLS_BROKEN_DANE_VALIDATION
97# endif
899b8bbc 98#endif
7e07527a 99
43e2db44
JH		 100#ifdef EXPERIMENTAL_TLS_RESUME
101# if GNUTLS_VERSION_NUMBER < 0x030603
102# error GNUTLS version too early for session-resumption
103# endif
104#endif
105
f2de3a33 106#ifndef DISABLE_OCSP
2b4a568d
JH		 107# include <gnutls/ocsp.h>
108#endif
899b8bbc
JH		 109#ifdef SUPPORT_DANE
110# include <gnutls/dane.h>
111#endif
059ec3d9 112
f1be21cf
JH		 113#include "tls-cipher-stdname.c"
114
115
b10c87b3
JH		 116#ifdef MACRO_PREDEF
117void
118options_tls(void)
119{
120# ifdef EXPERIMENTAL_TLS_RESUME
121builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
122# endif
e326959e
JH		 123# ifdef EXIM_HAVE_TLS1_3
124builtin_macro_create(US"_HAVE_TLS1_3");
125# endif
b10c87b3
JH		 126}
127#else
128
129
17c76198 130/* GnuTLS 2 vs 3
059ec3d9 131
17c76198
PP		 132GnuTLS 3 only:
133 gnutls_global_set_audit_log_function()
059ec3d9 134
17c76198
PP		 135Changes:
136 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
137*/
059ec3d9 138
17c76198 139/* Local static variables for GnuTLS */
059ec3d9 140
17c76198 141/* Values for verify_requirement */
059ec3d9 142
e51c7be2 143enum peer_verify_requirement
899b8bbc 144 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
059ec3d9 145
17c76198
PP		 146/* This holds most state for server or client; with this, we can set up an
147outbound TLS-enabled connection in an ACL callout, while not stomping all
148over the TLS variables available for expansion.
059ec3d9 149
17c76198
PP		 150Some of these correspond to variables in globals.c; those variables will
151be set to point to content in one of these instances, as appropriate for
152the stage of the process lifetime.
059ec3d9 153
389ca47a 154Not handled here: global tls_channelbinding_b64.
17c76198 155*/
059ec3d9 156
17c76198 157typedef struct exim_gnutls_state {
9d1c15ef 158 gnutls_session_t session;
17c76198 159 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 160 gnutls_priority_t priority_cache;
17c76198 161 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH		 162 int fd_in;
163 int fd_out;
164 BOOL peer_cert_verified;
899b8bbc 165 BOOL peer_dane_verified;
9d1c15ef
JH		 166 BOOL trigger_sni_changes;
167 BOOL have_set_peerdn;
5fd28bb8 168 const struct host_item *host; /* NULL if server */
afdb5e9c 169 gnutls_x509_crt_t peercert;
9d1c15ef
JH		 170 uschar *peerdn;
171 uschar *ciphersuite;
172 uschar *received_sni;
17c76198
PP		 173
174 const uschar *tls_certificate;
175 const uschar *tls_privatekey;
176 const uschar *tls_sni; /* client send only, not received */
177 const uschar *tls_verify_certificates;
178 const uschar *tls_crl;
179 const uschar *tls_require_ciphers;
e51c7be2 180
17c76198
PP		 181 uschar *exp_tls_certificate;
182 uschar *exp_tls_privatekey;
17c76198
PP		 183 uschar *exp_tls_verify_certificates;
184 uschar *exp_tls_crl;
185 uschar *exp_tls_require_ciphers;
55414b25 186 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 187#ifndef DISABLE_EVENT
a7538db1
JH		 188 uschar *event_action;
189#endif
899b8bbc
JH		 190#ifdef SUPPORT_DANE
191 char * const * dane_data;
192 const int * dane_data_len;
193#endif
17c76198 194
389ca47a 195 tls_support *tlsp; /* set in tls_init() */
817d9f57 196
17c76198
PP		 197 uschar *xfer_buffer;
198 int xfer_buffer_lwm;
199 int xfer_buffer_hwm;
8b77d27a
JH		 200 BOOL xfer_eof; /*XXX never gets set! */
201 BOOL xfer_error;
17c76198
PP		 202} exim_gnutls_state_st;
203
204static const exim_gnutls_state_st exim_gnutls_state_init = {
b10c87b3 205 /* all elements not explicitly intialised here get 0/NULL/FALSE */
f2ed27cf
JH		 206 .fd_in = -1,
207 .fd_out = -1,
17c76198 208};
83da1223 209
17c76198
PP		 210/* Not only do we have our own APIs which don't pass around state, assuming
211it's held in globals, GnuTLS doesn't appear to let us register callback data
212for callbacks, or as part of the session, so we have to keep a "this is the
213context we're currently dealing with" pointer and rely upon being
214single-threaded to keep from processing data on an inbound TLS connection while
215talking to another TLS connection for an outbound check. This does mean that
216there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH		 217second connection.
218XXX But see gnutls_session_get_ptr()
219*/
059ec3d9 220
74f1a423 221static exim_gnutls_state_st state_server;
059ec3d9 222
49132a3b 223#ifndef GNUTLS_AUTO_DHPARAMS
17c76198
PP		 224/* dh_params are initialised once within the lifetime of a process using TLS;
225if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
226don't want to repeat this. */
83da1223 227
17c76198 228static gnutls_dh_params_t dh_server_params = NULL;
49132a3b 229#endif
059ec3d9 230
dea4b568 231static int ssl_session_timeout = 7200; /* Two hours */
059ec3d9 232
fc243e94 233static const uschar * const exim_default_gnutls_priority = US"NORMAL";
83da1223 234
17c76198 235/* Guard library core initialisation */
83da1223 236
17c76198 237static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 238
4fb7df6d 239#ifndef DISABLE_OCSP
9196d5bf 240static BOOL gnutls_buggy_ocsp = FALSE;
e5489333 241static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
4fb7df6d 242#endif
9196d5bf 243
b10c87b3
JH		 244#ifdef EXPERIMENTAL_TLS_RESUME
245static gnutls_datum_t server_sessticket_key;
246#endif
059ec3d9 247
17c76198
PP		 248/* ------------------------------------------------------------------------ */
249/* macros */
83da1223 250
17c76198 251#define MAX_HOST_LEN 255
83da1223 252
17c76198
PP		 253/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
254the library logging; a value less than 0 disables the calls to set up logging
dc6d1769
JH		 255callbacks. GNuTLS also looks for an environment variable - except not for
256setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
257Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
258but the env var must be added to /etc/sudoers too. */
2c17bb02 259#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
b1a4f234 260# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 261#endif
83da1223 262
2c17bb02 263#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 264# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 265#endif
83da1223 266
af3498d6
PP		 267/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
268can ask for a bit-strength. Without that, we stick to the constant we had
269before, for now. */
2c17bb02 270#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 271# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 272#endif
af3498d6 273
cf0c6164
JH		 274#define expand_check_tlsvar(Varname, errstr) \
275 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 276
17c76198 277#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH		 278# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
279# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
280# define HAVE_GNUTLS_RND
2519e60d
TL		 281/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
282 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
283 * isn't available sometimes, so this needs to become a conditional
284 * compilation; the sanest way to deal with this being a problem on
285 * older OSes is to block it in the Local/Makefile with this compiler
286 * definition */
e51c7be2
JH		 287# ifndef AVOID_GNUTLS_PKCS11
288# define HAVE_GNUTLS_PKCS11
289# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 290#endif
83da1223 291
af3498d6
PP		 292
293
294
295/* ------------------------------------------------------------------------ */
296/* Callback declarations */
297
298#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
299static void exim_gnutls_logger_cb(int level, const char *message);
300#endif
301
302static int exim_sni_handling_cb(gnutls_session_t session);
303
e5489333
JH		 304#ifdef EXPERIMENTAL_TLS_RESUME
305static int
306tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
307 unsigned incoming, const gnutls_datum_t * msg);
308#endif
af3498d6
PP		 309
310
b10c87b3
JH		 311/* Daemon one-time initialisation */
312void
313tls_daemon_init(void)
314{
315#ifdef EXPERIMENTAL_TLS_RESUME
316/* We are dependent on the GnuTLS implementation of the Session Ticket
317encryption; both the strength and the key rotation period. We hope that
318the strength at least matches that of the ciphersuite (but GnuTLS does not
319document this). */
320
321static BOOL once = FALSE;
322if (once) return;
323once = TRUE;
324gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
325if (f.running_in_test_harness) ssl_session_timeout = 6;
326#endif
327}
328
17c76198
PP		 329/* ------------------------------------------------------------------------ */
330/* Static functions */
059ec3d9
PH		 331
332/*************************************************
333* Handle TLS error *
334*************************************************/
335
336/* Called from lots of places when errors occur before actually starting to do
337the TLS handshake, that is, while the session is still in clear. Always returns
338DEFER for a server and FAIL for a client so that most calls can use "return
339tls_error(...)" to do this processing and then give an appropriate return. A
340single function is used for both server and client, because it is called from
341some shared functions.
342
343Argument:
344 prefix text to include in the logged error
7199e1ee
TF		 345 msg additional error string (may be NULL)
346 usually obtained from gnutls_strerror()
17c76198
PP		 347 host NULL if setting up a server;
348 the connected host if setting up a client
cf0c6164 349 errstr pointer to returned error string
059ec3d9
PH		 350
351Returns: OK/DEFER/FAIL
352*/
353
354static int
48224640 355tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
cf0c6164 356 uschar ** errstr)
059ec3d9 357{
cf0c6164 358if (errstr)
48224640 359 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
cf0c6164 360return host ? FAIL : DEFER;
059ec3d9
PH		 361}
362
363
452a164f
JH		 364static int
365tls_error_gnu(const uschar *prefix, int err, const host_item *host,
366 uschar ** errstr)
367{
368return tls_error(prefix, US gnutls_strerror(err), host, errstr);
369}
370
371static int
372tls_error_sys(const uschar *prefix, int err, const host_item *host,
373 uschar ** errstr)
374{
375return tls_error(prefix, US strerror(err), host, errstr);
376}
059ec3d9 377
17c76198 378
059ec3d9 379/*************************************************
17c76198 380* Deal with logging errors during I/O *
059ec3d9
PH		 381*************************************************/
382
17c76198 383/* We have to get the identity of the peer from saved data.
059ec3d9 384
17c76198
PP		 385Argument:
386 state the current GnuTLS exim state container
387 rc the GnuTLS error code, or 0 if it's a local error
388 when text identifying read or write
95f52235 389 text local error text when rc is 0
059ec3d9 390
17c76198 391Returns: nothing
059ec3d9
PH		 392*/
393
17c76198
PP		 394static void
395record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 396{
48224640 397const uschar * msg;
cf0c6164 398uschar * errstr;
059ec3d9 399
17c76198 400if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
95f52235 401 msg = string_sprintf("A TLS fatal alert has been received: %s",
17c76198
PP		 402 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
403else
48224640 404 msg = US gnutls_strerror(rc);
059ec3d9 405
cf0c6164
JH		 406(void) tls_error(when, msg, state->host, &errstr);
407
408if (state->host)
409 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
410 state->host->name, state->host->address, errstr);
411else
412 {
413 uschar * conn_info = smtp_get_connection_info();
414 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
415 /* I'd like to get separated H= here, but too hard for now */
416 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
417 }
17c76198 418}
059ec3d9 419
059ec3d9 420
059ec3d9 421
059ec3d9 422
17c76198
PP		 423/*************************************************
424* Set various Exim expansion vars *
425*************************************************/
059ec3d9 426
e51c7be2
JH		 427#define exim_gnutls_cert_err(Label) \
428 do \
429 { \
430 if (rc != GNUTLS_E_SUCCESS) \
431 { \
432 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
433 (Label), gnutls_strerror(rc)); \
434 return rc; \
435 } \
436 } while (0)
9d1c15ef
JH		 437
438static int
27f19eb4 439import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH		 440{
441int rc;
442
443rc = gnutls_x509_crt_init(crtp);
444exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
445
446rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
447exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
448
449return rc;
450}
451
452#undef exim_gnutls_cert_err
453
454
17c76198
PP		 455/* We set various Exim global variables from the state, once a session has
456been established. With TLS callouts, may need to change this to stack
457variables, or just re-call it with the server state after client callout
458has finished.
059ec3d9 459
9d1c15ef 460Make sure anything set here is unset in tls_getc().
17c76198
PP		 461
462Sets:
463 tls_active fd
464 tls_bits strength indicator
465 tls_certificate_verified bool indicator
466 tls_channelbinding_b64 for some SASL mechanisms
467 tls_cipher a string
9d1c15ef 468 tls_peercert pointer to library internal
17c76198
PP		 469 tls_peerdn a string
470 tls_sni a (UTF-8) string
9d1c15ef 471 tls_ourcert pointer to library internal
17c76198
PP		 472
473Argument:
474 state the relevant exim_gnutls_state_st *
475*/
476
477static void
9d1c15ef 478extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 479{
17c76198
PP		 480#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
481int old_pool;
482int rc;
483gnutls_datum_t channel;
484#endif
9d1c15ef 485tls_support * tlsp = state->tlsp;
17c76198 486
74f1a423
JH		 487tlsp->active.sock = state->fd_out;
488tlsp->active.tls_ctx = state;
17c76198 489
817d9f57 490DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 491
9d1c15ef 492tlsp->certificate_verified = state->peer_cert_verified;
899b8bbc
JH		 493#ifdef SUPPORT_DANE
494tlsp->dane_verified = state->peer_dane_verified;
495#endif
059ec3d9 496
17c76198
PP		 497/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
498only available for use for authenticators while this TLS session is running. */
499
500tls_channelbinding_b64 = NULL;
501#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
502channel.data = NULL;
503channel.size = 0;
1f20760b
JH		 504if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
505 { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
506else
507 {
17c76198
PP		 508 old_pool = store_pool;
509 store_pool = POOL_PERM;
1f20760b 510 tls_channelbinding_b64 = b64encode(CUS channel.data, (int)channel.size);
17c76198
PP		 511 store_pool = old_pool;
512 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
1f20760b 513 }
17c76198
PP		 514#endif
515
9d1c15ef
JH		 516/* peercert is set in peer_status() */
517tlsp->peerdn = state->peerdn;
518tlsp->sni = state->received_sni;
519
520/* record our certificate */
521 {
27f19eb4 522 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH		 523 gnutls_x509_crt_t crt;
524
525 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
526 }
059ec3d9
PH		 527}
528
529
530
17c76198 531
49132a3b 532#ifndef GNUTLS_AUTO_DHPARAMS
059ec3d9 533/*************************************************
575643cd 534* Setup up DH parameters *
059ec3d9
PH		 535*************************************************/
536
575643cd 537/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH		 538be re-generated every so often, depending on security policy. What we do is to
539keep these parameters in a file in the spool directory. If the file does not
540exist, we generate them. This means that it is easy to cause a regeneration.
541
542The new file is written as a temporary file and renamed, so that an incomplete
543file is never present. If two processes both compute some new parameters, you
544waste a bit of effort, but it doesn't seem worth messing around with locking to
545prevent this.
546
059ec3d9
PH		 547Returns: OK/DEFER/FAIL
548*/
549
550static int
cf0c6164 551init_server_dh(uschar ** errstr)
059ec3d9 552{
17c76198
PP		 553int fd, rc;
554unsigned int dh_bits;
49132a3b 555gnutls_datum_t m = {.data = NULL, .size = 0};
a799883d
PP		 556uschar filename_buf[PATH_MAX];
557uschar *filename = NULL;
17c76198 558size_t sz;
a799883d
PP		 559uschar *exp_tls_dhparam;
560BOOL use_file_in_spool = FALSE;
17c76198 561host_item *host = NULL; /* dummy for macros */
059ec3d9 562
17c76198 563DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 564
452a164f
JH		 565if ((rc = gnutls_dh_params_init(&dh_server_params)))
566 return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
059ec3d9 567
cf0c6164 568if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP		 569 return DEFER;
570
571if (!exp_tls_dhparam)
572 {
573 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
574 m.data = US std_dh_prime_default();
575 m.size = Ustrlen(m.data);
576 }
577else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
578 use_file_in_spool = TRUE;
579else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
580 {
581 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
582 return OK;
583 }
584else if (exp_tls_dhparam[0] != '/')
585 {
f5d25c2b 586 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
48224640 587 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
a799883d
PP		 588 m.size = Ustrlen(m.data);
589 }
590else
a799883d 591 filename = exp_tls_dhparam;
a799883d
PP		 592
593if (m.data)
594 {
452a164f
JH		 595 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
596 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
a799883d
PP		 597 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
598 return OK;
599 }
600
af3498d6
PP		 601#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
602/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198 603different filename and ensure we have sufficient bits. */
452a164f
JH		 604
605if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
cf0c6164 606 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 607DEBUG(D_tls)
b34fc30c 608 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP		 609 dh_bits);
610#else
611dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
612DEBUG(D_tls)
613 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
614 dh_bits);
615#endif
059ec3d9 616
3375e053
PP		 617/* Some clients have hard-coded limits. */
618if (dh_bits > tls_dh_max_bits)
619 {
620 DEBUG(D_tls)
621 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
622 tls_dh_max_bits);
623 dh_bits = tls_dh_max_bits;
624 }
625
a799883d
PP		 626if (use_file_in_spool)
627 {
628 if (!string_format(filename_buf, sizeof(filename_buf),
629 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 630 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP		 631 filename = filename_buf;
632 }
059ec3d9 633
b5aea5e1 634/* Open the cache file for reading and if successful, read it and set up the
575643cd 635parameters. */
059ec3d9 636
f5d25c2b 637if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 638 {
b5aea5e1 639 struct stat statbuf;
17c76198
PP		 640 FILE *fp;
641 int saved_errno;
642
643 if (fstat(fd, &statbuf) < 0) /* EIO */
644 {
645 saved_errno = errno;
646 (void)close(fd);
452a164f 647 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
17c76198
PP		 648 }
649 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH		 650 {
651 (void)close(fd);
cf0c6164 652 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 653 }
40c90bca 654 if (!(fp = fdopen(fd, "rb")))
17c76198
PP		 655 {
656 saved_errno = errno;
657 (void)close(fd);
452a164f
JH		 658 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
659 saved_errno, NULL, errstr);
b5aea5e1 660 }
059ec3d9 661
b5aea5e1 662 m.size = statbuf.st_size;
f3ebb786 663 if (!(m.data = store_malloc(m.size)))
17c76198
PP		 664 {
665 fclose(fp);
452a164f 666 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
17c76198 667 }
40c90bca 668 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP		 669 {
670 saved_errno = errno;
671 fclose(fp);
f3ebb786 672 store_free(m.data);
452a164f 673 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
17c76198
PP		 674 }
675 fclose(fp);
b5aea5e1 676
17c76198 677 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
f3ebb786 678 store_free(m.data);
452a164f
JH		 679 if (rc)
680 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
17c76198 681 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH		 682 }
683
684/* If the file does not exist, fall through to compute new data and cache it.
685If there was any other opening error, it is serious. */
686
182ad5cf
PH		 687else if (errno == ENOENT)
688 {
17c76198 689 rc = -1;
182ad5cf 690 DEBUG(D_tls)
17c76198 691 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH		 692 }
693else
17c76198 694 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 695 NULL, NULL, errstr);
b5aea5e1
PH		 696
697/* If ret < 0, either the cache file does not exist, or the data it contains
698is not useful. One particular case of this is when upgrading from an older
699release of Exim in which the data was stored in a different format. We don't
700try to be clever and support both formats; we just regenerate new data in this
701case. */
702
17c76198 703if (rc < 0)
b5aea5e1 704 {
17c76198 705 uschar *temp_fn;
201f5254 706 unsigned int dh_bits_gen = dh_bits;
059ec3d9 707
17c76198
PP		 708 if ((PATH_MAX - Ustrlen(filename)) < 10)
709 return tls_error(US"Filename too long to generate replacement",
48224640 710 filename, NULL, errstr);
059ec3d9 711
48224640 712 temp_fn = string_copy(US"%s.XXXXXXX");
f5d25c2b 713 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
452a164f 714 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
b66fecb4 715 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
059ec3d9 716
49132a3b
JH		 717 /* GnuTLS overshoots! If we ask for 2236, we might get 2237 or more. But
718 there's no way to ask GnuTLS how many bits there really are. We can ask
719 how many bits were used in a TLS session, but that's it! The prime itself
720 is hidden behind too much abstraction. So we ask for less, and proceed on
721 a wing and a prayer. First attempt, subtracted 3 for 2233 and got 2240. */
722
cae6e576 723 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP		 724 {
725 dh_bits_gen = dh_bits - 10;
726 DEBUG(D_tls)
727 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
728 dh_bits_gen);
729 }
730
731 DEBUG(D_tls)
732 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
733 dh_bits_gen);
452a164f
JH		 734 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
735 return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
17c76198
PP		 736
737 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
738 and I confirmed that a NULL call to get the size first is how the GnuTLS
739 sample apps handle this. */
740
741 sz = 0;
742 m.data = NULL;
452a164f
JH		 743 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
744 GNUTLS_X509_FMT_PEM, m.data, &sz))
745 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
746 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
747 rc, host, errstr);
17c76198 748 m.size = sz;
f3ebb786 749 if (!(m.data = store_malloc(m.size)))
452a164f 750 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
40c90bca 751
1f00591e 752 /* this will return a size 1 less than the allocation size above */
452a164f
JH		 753 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
754 m.data, &sz)))
17c76198 755 {
f3ebb786 756 store_free(m.data);
452a164f 757 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
17c76198 758 }
1f00591e 759 m.size = sz; /* shrink by 1, probably */
059ec3d9 760
f5d25c2b 761 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198 762 {
f3ebb786 763 store_free(m.data);
452a164f
JH		 764 return tls_error_sys(US"TLS cache write D-H params failed",
765 errno, NULL, errstr);
17c76198 766 }
f3ebb786 767 store_free(m.data);
f5d25c2b 768 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
452a164f
JH		 769 return tls_error_sys(US"TLS cache write D-H params final newline failed",
770 errno, NULL, errstr);
17c76198 771
f5d25c2b 772 if ((rc = close(fd)))
452a164f 773 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
059ec3d9 774
17c76198 775 if (Urename(temp_fn, filename) < 0)
452a164f
JH		 776 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
777 temp_fn, filename), errno, NULL, errstr);
059ec3d9 778
17c76198 779 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH		 780 }
781
17c76198 782DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH		 783return OK;
784}
49132a3b 785#endif
059ec3d9
PH		 786
787
788
789
23bb6982
JH		 790/* Create and install a selfsigned certificate, for use in server mode */
791
792static int
cf0c6164 793tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH		 794{
795gnutls_x509_crt_t cert = NULL;
796time_t now;
797gnutls_x509_privkey_t pkey = NULL;
798const uschar * where;
799int rc;
800
801where = US"initialising pkey";
802if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
803
804where = US"initialising cert";
805if ((rc = gnutls_x509_crt_init(&cert))) goto err;
806
807where = US"generating pkey";
808if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 809#ifdef SUPPORT_PARAM_TO_PK_BITS
4312da48
JH		 810# ifndef GNUTLS_SEC_PARAM_MEDIUM
811# define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
812# endif
6aac3239 813 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
76075bb5 814#else
6aac3239 815 2048,
76075bb5
JH		 816#endif
817 0)))
23bb6982
JH		 818 goto err;
819
820where = US"configuring cert";
1613fd68 821now = 1;
23bb6982
JH		 822if ( (rc = gnutls_x509_crt_set_version(cert, 3))
823 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
824 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
825 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
826 || (rc = gnutls_x509_crt_set_key(cert, pkey))
827
828 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
829 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
830 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
831 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
832 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
833 GNUTLS_OID_X520_COMMON_NAME, 0,
834 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
835 )
836 goto err;
837
838where = US"signing cert";
839if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
840
841where = US"installing selfsign cert";
842 /* Since: 2.4.0 */
843if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
844 goto err;
845
846rc = OK;
847
848out:
849 if (cert) gnutls_x509_crt_deinit(cert);
850 if (pkey) gnutls_x509_privkey_deinit(pkey);
851 return rc;
852
853err:
452a164f 854 rc = tls_error_gnu(where, rc, NULL, errstr);
23bb6982
JH		 855 goto out;
856}
857
858
859
860
47195144
JH		 861/* Add certificate and key, from files.
862
863Return:
864 Zero or negative: good. Negate value for certificate index if < 0.
865 Greater than zero: FAIL or DEFER code.
866*/
867
ba86e143
JH		 868static int
869tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
870 uschar * certfile, uschar * keyfile, uschar ** errstr)
871{
872int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
873 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
47195144 874if (rc < 0)
452a164f 875 return tls_error_gnu(
47195144 876 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
452a164f 877 rc, host, errstr);
47195144 878return -rc;
ba86e143
JH		 879}
880
881
d896cef5
JH		 882#if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
883/* Load an OCSP proof from file for sending by the server. Called
884on getting a status-request handshake message, for earlier versions
885of GnuTLS. */
886
887static int
888server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
889 gnutls_datum_t * ocsp_response)
890{
891int ret;
892DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
893
894if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
895 {
896 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
897 CS ptr);
898 tls_in.ocsp = OCSP_NOT_RESP;
899 return GNUTLS_E_NO_CERTIFICATE_STATUS;
900 }
901
902tls_in.ocsp = OCSP_VFY_NOT_TRIED;
903return 0;
904}
905#endif
906
907
be427508 908#ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e5489333
JH		 909/* Make a note that we saw a status-request */
910static int
911tls_server_clienthello_ext(void * ctx, unsigned tls_id,
912 const unsigned char *data, unsigned size)
913{
914/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
915if (tls_id == 5) /* status_request */
916 {
e326959e 917 DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
e5489333
JH		 918 tls_in.ocsp = OCSP_NOT_RESP;
919 }
920return 0;
921}
922
923/* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
924static int
925tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
926 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
927{
928/* Call fn for each extension seen. 3.6.3 onwards */
929return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
930 GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
931}
e326959e
JH		 932
933
934/* Make a note that we saw a status-response */
935static int
936tls_server_servercerts_ext(void * ctx, unsigned tls_id,
937 const unsigned char *data, unsigned size)
938{
939/* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
940/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
941if (FALSE && tls_id == 5) /* status_request */
942 {
943 DEBUG(D_tls) debug_printf("Seen status_request extension\n");
944 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
945 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
946 }
947return 0;
948}
949
950/* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
951static int
952tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
953 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
954{
955/* Call fn for each extension seen. 3.6.3 onwards */
956#ifdef notdef
957/*XXX crashes */
958return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
959#endif
960}
be427508 961#endif
e5489333 962
e326959e
JH		 963/*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
964 "Handshake Protocol: Certificate" record.
965So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
966
967This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term).
968*/
969
727a5d25 970#if defined(EXPERIMENTAL_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
e5489333
JH		 971/* Callback for certificate-status, on server. We sent stapled OCSP. */
972static int
973tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
974 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
975{
e326959e 976DEBUG(D_tls) debug_printf("Sending certificate-status\n"); /*XXX we get this for tls1.2 but not for 1.3 */
e5489333
JH		 977#ifdef SUPPORT_SRV_OCSP_STACK
978tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
979 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
980#else
981tls_in.ocsp = OCSP_VFY_NOT_TRIED;
982#endif
983return 0;
984}
985
986/* Callback for handshake messages, on server */
987static int
988tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
989 unsigned incoming, const gnutls_datum_t * msg)
990{
e326959e 991/* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
e5489333
JH		 992switch (htype)
993 {
727a5d25 994# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e5489333
JH		 995 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
996 return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
e326959e
JH		 997 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
998 return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
727a5d25 999# endif
e5489333
JH		 1000 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1001 return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
727a5d25 1002# ifdef EXPERIMENTAL_TLS_RESUME
e5489333
JH		 1003 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1004 return tls_server_ticket_cb(sess, htype, when, incoming, msg);
727a5d25 1005# endif
e5489333
JH		 1006 default:
1007 return 0;
1008 }
1009}
727a5d25 1010#endif
e5489333
JH		 1011
1012
727a5d25 1013#if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
e5489333
JH		 1014static void
1015tls_server_testharness_ocsp_fiddle(void)
1016{
1017extern char ** environ;
1018if (environ) for (uschar ** p = USS environ; *p; p++)
1019 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1020 {
1021 DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
1022 exim_testharness_disable_ocsp_validity_check = TRUE;
1023 }
1024}
727a5d25 1025#endif
e5489333 1026
059ec3d9 1027/*************************************************
17c76198 1028* Variables re-expanded post-SNI *
059ec3d9
PH		 1029*************************************************/
1030
17c76198
PP		 1031/* Called from both server and client code, via tls_init(), and also from
1032the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
1033
1034We can tell the two apart by state->received_sni being non-NULL in callback.
1035
1036The callback should not call us unless state->trigger_sni_changes is true,
1037which we are responsible for setting on the first pass through.
059ec3d9
PH		 1038
1039Arguments:
17c76198 1040 state exim_gnutls_state_st *
cf0c6164 1041 errstr error string pointer
059ec3d9
PH		 1042
1043Returns: OK/DEFER/FAIL
1044*/
1045
1046static int
ba86e143 1047tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1048{
1365611d 1049struct stat statbuf;
059ec3d9 1050int rc;
17c76198
PP		 1051const host_item *host = state->host; /* macro should be reconsidered? */
1052uschar *saved_tls_certificate = NULL;
1053uschar *saved_tls_privatekey = NULL;
1054uschar *saved_tls_verify_certificates = NULL;
1055uschar *saved_tls_crl = NULL;
1056int cert_count;
1057
1058/* We check for tls_sni *before* expansion. */
2b4a568d 1059if (!host) /* server */
17c76198
PP		 1060 if (!state->received_sni)
1061 {
ba86e143
JH		 1062 if ( state->tls_certificate
1063 && ( Ustrstr(state->tls_certificate, US"tls_sni")
1064 || Ustrstr(state->tls_certificate, US"tls_in_sni")
1065 || Ustrstr(state->tls_certificate, US"tls_out_sni")
1066 ) )
17c76198
PP		 1067 {
1068 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
1069 state->trigger_sni_changes = TRUE;
1070 }
1071 }
1072 else
1073 {
1365611d 1074 /* useful for debugging */
17c76198
PP		 1075 saved_tls_certificate = state->exp_tls_certificate;
1076 saved_tls_privatekey = state->exp_tls_privatekey;
1077 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
1078 saved_tls_crl = state->exp_tls_crl;
1079 }
059ec3d9 1080
452a164f
JH		 1081if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
1082 return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
1083 rc, host, errstr);
47195144
JH		 1084
1085#ifdef SUPPORT_SRV_OCSP_STACK
1086gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
e326959e
JH		 1087
1088# if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1089if (!host && tls_ocsp_file)
1090 {
1091 if (f.running_in_test_harness)
1092 tls_server_testharness_ocsp_fiddle();
1093
1094 if (exim_testharness_disable_ocsp_validity_check)
1095 gnutls_certificate_set_flags(state->x509_cred,
1096 GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
1097 }
1098# endif
47195144 1099#endif
1365611d 1100
17c76198
PP		 1101/* remember: expand_check_tlsvar() is expand_check() but fiddling with
1102state members, assuming consistent naming; and expand_check() returns
1103false if expansion failed, unless expansion was forced to fail. */
059ec3d9 1104
17c76198
PP		 1105/* check if we at least have a certificate, before doing expensive
1106D-H generation. */
059ec3d9 1107
cf0c6164 1108if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 1109 return DEFER;
059ec3d9 1110
17c76198 1111/* certificate is mandatory in server, optional in client */
059ec3d9 1112
23bb6982
JH		 1113if ( !state->exp_tls_certificate
1114 || !*state->exp_tls_certificate
1115 )
2b4a568d 1116 if (!host)
cf0c6164 1117 return tls_install_selfsign(state, errstr);
17c76198
PP		 1118 else
1119 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 1120
cf0c6164 1121if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH		 1122 return DEFER;
1123
17c76198
PP		 1124/* tls_privatekey is optional, defaulting to same file as certificate */
1125
e326959e 1126if (!state->tls_privatekey || !*state->tls_privatekey)
059ec3d9 1127 {
17c76198
PP		 1128 state->tls_privatekey = state->tls_certificate;
1129 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 1130 }
c91535f3 1131
059ec3d9 1132
17c76198 1133if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH		 1134 {
1135 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP		 1136 state->exp_tls_certificate, state->exp_tls_privatekey);
1137
1138 if (state->received_sni)
23bb6982
JH		 1139 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
1140 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
1141 )
17c76198 1142 {
b34fc30c 1143 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP		 1144 }
1145 else
1146 {
b34fc30c 1147 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 1148 }
059ec3d9 1149
ba86e143
JH		 1150 if (!host) /* server */
1151 {
1152 const uschar * clist = state->exp_tls_certificate;
1153 const uschar * klist = state->exp_tls_privatekey;
47195144
JH		 1154 const uschar * olist;
1155 int csep = 0, ksep = 0, osep = 0, cnt = 0;
1156 uschar * cfile, * kfile, * ofile;
47195144 1157#ifndef DISABLE_OCSP
e326959e
JH		 1158# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1159 gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
1160# endif
1161
47195144
JH		 1162 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
1163 return DEFER;
1164 olist = ofile;
1165#endif
ba86e143
JH		 1166
1167 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
47195144 1168
ba86e143
JH		 1169 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
1170 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
47195144 1171 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
ba86e143
JH		 1172 return rc;
1173 else
47195144
JH		 1174 {
1175 int gnutls_cert_index = -rc;
e326959e
JH		 1176 DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
1177 gnutls_cert_index, cfile);
47195144
JH		 1178
1179#ifndef DISABLE_OCSP
1180 if (tls_ocsp_file)
e5489333 1181 {
e326959e 1182 /* Set the OCSP stapling server info */
47195144
JH		 1183 if (gnutls_buggy_ocsp)
1184 {
1185 DEBUG(D_tls)
1186 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1187 }
1188 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1189 {
e326959e
JH		 1190 DEBUG(D_tls) debug_printf("OCSP response file %d = %s\n",
1191 gnutls_cert_index, ofile);
be427508 1192# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e326959e 1193 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
47195144 1194 {
e326959e
JH		 1195 ocsp_fmt = GNUTLS_X509_FMT_PEM;
1196 ofile += 4;
1197 }
1198 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1199 {
1200 ocsp_fmt = GNUTLS_X509_FMT_DER;
1201 ofile += 4;
1202 }
e5489333 1203
e326959e
JH		 1204 if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
1205 state->x509_cred, CCS ofile, gnutls_cert_index,
1206 ocsp_fmt)) < 0)
1207 return tls_error_gnu(
1208 US"gnutls_certificate_set_ocsp_status_request_file2",
1209 rc, host, errstr);
1210 DEBUG(D_tls)
1211 debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
e5489333 1212
e326959e
JH		 1213 /* Arrange callbacks for OCSP request observability */
1214
1215 gnutls_handshake_set_hook_function(state->session,
1216 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1217
1218# else
1219# if defined(SUPPORT_SRV_OCSP_STACK)
be427508
JH		 1220 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1221 state->x509_cred, gnutls_cert_index,
1222 server_ocsp_stapling_cb, ofile)))
1223 return tls_error_gnu(
1224 US"gnutls_certificate_set_ocsp_status_request_function2",
1225 rc, host, errstr);
1226 else
e326959e 1227# endif
e5489333
JH		 1228 {
1229 if (cnt++ > 0)
1230 {
1231 DEBUG(D_tls)
1232 debug_printf("oops; multiple OCSP files not supported\n");
1233 break;
1234 }
d896cef5
JH		 1235 gnutls_certificate_set_ocsp_status_request_function(
1236 state->x509_cred, server_ocsp_stapling_cb, ofile);
e5489333 1237 }
e326959e 1238# endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
47195144
JH		 1239 }
1240 else
1241 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
e5489333 1242 }
fd71e7b8 1243#endif /* DISABLE_OCSP */
47195144 1244 }
ba86e143 1245 }
e5489333 1246 else /* client */
ba86e143 1247 {
47195144 1248 if (0 < (rc = tls_add_certfile(state, host,
ba86e143
JH		 1249 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1250 return rc;
1251 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1252 }
1253
b34fc30c 1254 } /* tls_certificate */
059ec3d9 1255
2b4a568d 1256
059ec3d9
PH		 1257/* Set the trusted CAs file if one is provided, and then add the CRL if one is
1258provided. Experiment shows that, if the certificate file is empty, an unhelpful
1259error message is provided. However, if we just refrain from setting anything up
1260in that case, certificate verification fails, which seems to be the correct
1261behaviour. */
1262
610ff438 1263if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 1264 {
cf0c6164 1265 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 1266 return DEFER;
610ff438
JH		 1267#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1268 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1269 state->exp_tls_verify_certificates = NULL;
1270#endif
17c76198 1271 if (state->tls_crl && *state->tls_crl)
cf0c6164 1272 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 1273 return DEFER;
059ec3d9 1274
1365611d
PP		 1275 if (!(state->exp_tls_verify_certificates &&
1276 *state->exp_tls_verify_certificates))
b34fc30c
PP		 1277 {
1278 DEBUG(D_tls)
1365611d
PP		 1279 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1280 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 1281 return OK;
b34fc30c 1282 }
1365611d 1283 }
83e2f8a2
PP		 1284else
1285 {
1286 DEBUG(D_tls)
1287 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1288 return OK;
1289 }
17c76198 1290
cb1d7830
JH		 1291#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1292if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1293 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1294else
1295#endif
1365611d 1296 {
cb1d7830
JH		 1297 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1298 {
d896cef5 1299 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
cb1d7830
JH		 1300 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1301 strerror(errno));
1302 return DEFER;
1303 }
17c76198 1304
a7fec7a7 1305#ifndef SUPPORT_CA_DIR
cb1d7830
JH		 1306 /* The test suite passes in /dev/null; we could check for that path explicitly,
1307 but who knows if someone has some weird FIFO which always dumps some certs, or
1308 other weirdness. The thing we really want to check is that it's not a
1309 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 1310 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH		 1311 if (S_ISDIR(statbuf.st_mode))
1312 {
1313 DEBUG(D_tls)
1314 debug_printf("verify certificates path is a dir: \"%s\"\n",
1315 state->exp_tls_verify_certificates);
1316 log_write(0, LOG_MAIN|LOG_PANIC,
1317 "tls_verify_certificates \"%s\" is a directory",
1318 state->exp_tls_verify_certificates);
1319 return DEFER;
1320 }
a7fec7a7 1321#endif
059ec3d9 1322
cb1d7830
JH		 1323 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1324 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 1325
cb1d7830
JH		 1326 if (statbuf.st_size == 0)
1327 {
1328 DEBUG(D_tls)
1329 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1330 return OK;
1331 }
059ec3d9 1332
cb1d7830 1333 cert_count =
a7fec7a7
JH		 1334
1335#ifdef SUPPORT_CA_DIR
cb1d7830
JH		 1336 (statbuf.st_mode & S_IFMT) == S_IFDIR
1337 ?
1338 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1339 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1340 :
a7fec7a7 1341#endif
cb1d7830
JH		 1342 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1343 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
12d95aa6
JH		 1344
1345#ifdef SUPPORT_CA_DIR
1346 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1347 when using the directory-of-certs config model. */
1348
1349 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1350 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1351#endif
cb1d7830 1352 }
a7fec7a7 1353
1365611d 1354if (cert_count < 0)
452a164f
JH		 1355 return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
1356DEBUG(D_tls)
1357 debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1358
5c8cda3a
PP		 1359if (state->tls_crl && *state->tls_crl &&
1360 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1361 {
5c8cda3a 1362 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
452a164f
JH		 1363 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1364 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
1365 return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
1366 cert_count, host, errstr);
1367
5c8cda3a 1368 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1369 }
059ec3d9 1370
059ec3d9
PH		 1371return OK;
1372}
1373
1374
1375
1376
1365611d
PP		 1377/*************************************************
1378* Set X.509 state variables *
1379*************************************************/
1380
1381/* In GnuTLS, the registered cert/key are not replaced by a later
1382set of a cert/key, so for SNI support we need a whole new x509_cred
1383structure. Which means various other non-re-expanded pieces of state
1384need to be re-set in the new struct, so the setting logic is pulled
1385out to this.
1386
1387Arguments:
1388 state exim_gnutls_state_st *
cf0c6164 1389 errstr error string pointer
1365611d
PP		 1390
1391Returns: OK/DEFER/FAIL
1392*/
1393
1394static int
cf0c6164 1395tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP		 1396{
1397int rc;
1398const host_item *host = state->host; /* macro should be reconsidered? */
1399
49132a3b 1400#ifndef GNUTLS_AUTO_DHPARAMS
1365611d
PP		 1401/* Create D-H parameters, or read them from the cache file. This function does
1402its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1403client-side params. */
1404
1405if (!state->host)
1406 {
1407 if (!dh_server_params)
452a164f 1408 if ((rc = init_server_dh(errstr)) != OK) return rc;
49132a3b
JH		 1409
1410 /* Unnecessary & discouraged with 3.6.0 or later */
1365611d
PP		 1411 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1412 }
49132a3b 1413#endif
1365611d
PP		 1414
1415/* Link the credentials to the session. */
1416
452a164f
JH		 1417if ((rc = gnutls_credentials_set(state->session,
1418 GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
1419 return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
1365611d
PP		 1420
1421return OK;
1422}
1423
059ec3d9 1424/*************************************************
17c76198 1425* Initialize for GnuTLS *
059ec3d9
PH		 1426*************************************************/
1427
9196d5bf 1428
4fb7df6d
JH		 1429#ifndef DISABLE_OCSP
1430
9196d5bf
JH		 1431static BOOL
1432tls_is_buggy_ocsp(void)
1433{
1434const uschar * s;
1435uschar maj, mid, mic;
1436
1437s = CUS gnutls_check_version(NULL);
1438maj = atoi(CCS s);
1439if (maj == 3)
1440 {
1441 while (*s && *s != '.') s++;
1442 mid = atoi(CCS ++s);
1443 if (mid <= 2)
1444 return TRUE;
1445 else if (mid >= 5)
1446 return FALSE;
1447 else
1448 {
1449 while (*s && *s != '.') s++;
1450 mic = atoi(CCS ++s);
1451 return mic <= (mid == 3 ? 16 : 3);
1452 }
1453 }
1454return FALSE;
1455}
1456
4fb7df6d 1457#endif
9196d5bf
JH		 1458
1459
17c76198
PP		 1460/* Called from both server and client code. In the case of a server, errors
1461before actual TLS negotiation return DEFER.
059ec3d9
PH		 1462
1463Arguments:
17c76198
PP		 1464 host connected host, if client; NULL if server
1465 certificate certificate file
1466 privatekey private key file
1467 sni TLS SNI to send, sometimes when client; else NULL
1468 cas CA certs file
1469 crl CRL file
1470 require_ciphers tls_require_ciphers setting
817d9f57 1471 caller_state returned state-info structure
cf0c6164 1472 errstr error string pointer
059ec3d9 1473
17c76198 1474Returns: OK/DEFER/FAIL
059ec3d9
PH		 1475*/
1476
17c76198
PP		 1477static int
1478tls_init(
1479 const host_item *host,
1480 const uschar *certificate,
1481 const uschar *privatekey,
1482 const uschar *sni,
1483 const uschar *cas,
1484 const uschar *crl,
1485 const uschar *require_ciphers,
cf0c6164 1486 exim_gnutls_state_st **caller_state,
74f1a423 1487 tls_support * tlsp,
cf0c6164 1488 uschar ** errstr)
059ec3d9 1489{
00c0dd4e 1490exim_gnutls_state_st * state;
17c76198
PP		 1491int rc;
1492size_t sz;
00c0dd4e
JH		 1493const char * errpos;
1494const uschar * p;
17c76198
PP		 1495
1496if (!exim_gnutls_base_init_done)
059ec3d9 1497 {
17c76198
PP		 1498 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1499
a5f239e4
PP		 1500#ifdef HAVE_GNUTLS_PKCS11
1501 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1502 which loads modules from a config file, which sounds good and may be wanted
1503 by some sysadmin, but also means in common configurations that GNOME keyring
1504 environment variables are used and so breaks for users calling mailq.
1505 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1506 if (!gnutls_allow_auto_pkcs11)
452a164f
JH		 1507 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
1508 return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
a5f239e4
PP		 1509#endif
1510
452a164f
JH		 1511 if ((rc = gnutls_global_init()))
1512 return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
17c76198
PP		 1513
1514#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1515 DEBUG(D_tls)
059ec3d9 1516 {
17c76198 1517 gnutls_global_set_log_function(exim_gnutls_logger_cb);
aded2255 1518 /* arbitrarily chosen level; bump up to 9 for more */
17c76198 1519 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1520 }
17c76198
PP		 1521#endif
1522
4fb7df6d
JH		 1523#ifndef DISABLE_OCSP
1524 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1525 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1526#endif
9196d5bf 1527
17c76198 1528 exim_gnutls_base_init_done = TRUE;
059ec3d9 1529 }
059ec3d9 1530
17c76198
PP		 1531if (host)
1532 {
74f1a423
JH		 1533 /* For client-side sessions we allocate a context. This lets us run
1534 several in parallel. */
1535 int old_pool = store_pool;
1536 store_pool = POOL_PERM;
f3ebb786 1537 state = store_get(sizeof(exim_gnutls_state_st), FALSE);
74f1a423
JH		 1538 store_pool = old_pool;
1539
17c76198 1540 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1541 state->tlsp = tlsp;
17c76198
PP		 1542 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1543 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1544 }
1545else
1546 {
1547 state = &state_server;
1548 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1549 state->tlsp = tlsp;
17c76198
PP		 1550 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1551 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1552 }
452a164f
JH		 1553if (rc)
1554 return tls_error_gnu(US"gnutls_init", rc, host, errstr);
059ec3d9 1555
17c76198 1556state->host = host;
059ec3d9 1557
17c76198
PP		 1558state->tls_certificate = certificate;
1559state->tls_privatekey = privatekey;
5779e6aa 1560state->tls_require_ciphers = require_ciphers;
17c76198
PP		 1561state->tls_sni = sni;
1562state->tls_verify_certificates = cas;
1563state->tls_crl = crl;
059ec3d9 1564
17c76198
PP		 1565/* This handles the variables that might get re-expanded after TLS SNI;
1566that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1567
17c76198
PP		 1568DEBUG(D_tls)
1569 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1570if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1571
1365611d
PP		 1572/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1573requires a new structure afterwards. */
83da1223 1574
cf0c6164 1575if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1576
17c76198
PP		 1577/* set SNI in client, only */
1578if (host)
1579 {
cf0c6164 1580 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1581 return DEFER;
0df4ab80 1582 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP		 1583 {
1584 DEBUG(D_tls)
0df4ab80
JH		 1585 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1586 sz = Ustrlen(state->tlsp->sni);
452a164f
JH		 1587 if ((rc = gnutls_server_name_set(state->session,
1588 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
1589 return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
17c76198
PP		 1590 }
1591 }
1592else if (state->tls_sni)
1593 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
ba86e143 1594 "have an SNI set for a server [%s]\n", state->tls_sni);
83da1223 1595
17c76198 1596/* This is the priority string support,
42bfef1e 1597http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP		 1598and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1599This was backwards incompatible, but means Exim no longer needs to track
1600all algorithms and provide string forms for them. */
83da1223 1601
fc243e94 1602p = NULL;
17c76198 1603if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1604 {
cf0c6164 1605 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP		 1606 return DEFER;
1607 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1608 {
17c76198 1609 p = state->exp_tls_require_ciphers;
fc243e94 1610 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
83da1223
PH		 1611 }
1612 }
fc243e94 1613if (!p)
17c76198 1614 {
fc243e94 1615 p = exim_default_gnutls_priority;
83e2f8a2 1616 DEBUG(D_tls)
fc243e94 1617 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
17c76198 1618 }
83da1223 1619
452a164f
JH		 1620if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
1621 return tls_error_gnu(string_sprintf(
1622 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1623 p, errpos - CS p, errpos),
1624 rc, host, errstr);
17c76198 1625
452a164f
JH		 1626if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
1627 return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
17c76198 1628
b10c87b3
JH		 1629/* This also sets the server ticket expiration time to the same, and
1630the STEK rotation time to 3x. */
1631
17c76198
PP		 1632gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1633
1634/* Reduce security in favour of increased compatibility, if the admin
1635decides to make that trade-off. */
1636if (gnutls_compat_mode)
83da1223 1637 {
17c76198
PP		 1638#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1639 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1640 gnutls_session_enable_compatibility_mode(state->session);
1641#else
1642 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1643#endif
83da1223
PH		 1644 }
1645
17c76198 1646*caller_state = state;
17c76198 1647return OK;
83da1223
PH		 1648}
1649
1650
1651
059ec3d9 1652/*************************************************
17c76198 1653* Extract peer information *
059ec3d9
PH		 1654*************************************************/
1655
f1be21cf
JH		 1656static const uschar *
1657cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
1658 gnutls_mac_algorithm_t mac)
1659{
1660uschar cs_id[2];
1661gnutls_kx_algorithm_t kx_i;
1662gnutls_cipher_algorithm_t cipher_i;
1663gnutls_mac_algorithm_t mac_i;
1664
1665for (size_t i = 0;
1666 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
1667 i++)
1668 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
1669 return cipher_stdname(cs_id[0], cs_id[1]);
1670return NULL;
1671}
1672
1673
1674
17c76198 1675/* Called from both server and client code.
4fe99a6c
PP		 1676Only this is allowed to set state->peerdn and state->have_set_peerdn
1677and we use that to detect double-calls.
059ec3d9 1678
75fe387d
PP		 1679NOTE: the state blocks last while the TLS connection is up, which is fine
1680for logging in the server side, but for the client side, we log after teardown
1681in src/deliver.c. While the session is up, we can twist about states and
1682repoint tls_* globals, but those variables used for logging or other variable
1683expansion that happens _after_ delivery need to have a longer life-time.
1684
1685So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1686doing this more than once per generation of a state context. We set them in
1687the state context, and repoint tls_* to them. After the state goes away, the
1688tls_* copies of the pointers remain valid and client delivery logging is happy.
1689
1690tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1691don't apply.
1692
059ec3d9 1693Arguments:
17c76198 1694 state exim_gnutls_state_st *
cf0c6164 1695 errstr pointer to error string
059ec3d9 1696
17c76198 1697Returns: OK/DEFER/FAIL
059ec3d9
PH		 1698*/
1699
17c76198 1700static int
b10c87b3 1701peer_status(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1702{
b10c87b3
JH		 1703gnutls_session_t session = state->session;
1704const gnutls_datum_t * cert_list;
75fe387d 1705int old_pool, rc;
17c76198 1706unsigned int cert_list_size = 0;
4fe99a6c
PP		 1707gnutls_protocol_t protocol;
1708gnutls_cipher_algorithm_t cipher;
1709gnutls_kx_algorithm_t kx;
1710gnutls_mac_algorithm_t mac;
17c76198
PP		 1711gnutls_certificate_type_t ct;
1712gnutls_x509_crt_t crt;
b10c87b3 1713uschar * dn_buf;
17c76198 1714size_t sz;
059ec3d9 1715
4fe99a6c 1716if (state->have_set_peerdn)
17c76198 1717 return OK;
4fe99a6c 1718state->have_set_peerdn = TRUE;
059ec3d9 1719
4fe99a6c 1720state->peerdn = NULL;
059ec3d9 1721
4fe99a6c 1722/* tls_cipher */
b10c87b3
JH		 1723cipher = gnutls_cipher_get(session);
1724protocol = gnutls_protocol_get_version(session);
1725mac = gnutls_mac_get(session);
b9c6f63c
JH		 1726kx =
1727#ifdef GNUTLS_TLS1_3
1728 protocol >= GNUTLS_TLS1_3 ? 0 :
1729#endif
b10c87b3 1730 gnutls_kx_get(session);
4fe99a6c 1731
75fe387d 1732old_pool = store_pool;
f1be21cf 1733 {
b10c87b3 1734 tls_support * tlsp = state->tlsp;
f1be21cf 1735 store_pool = POOL_PERM;
d9acfc1c
JH		 1736
1737#ifdef SUPPORT_GNUTLS_SESS_DESC
1738 {
1739 gstring * g = NULL;
b10c87b3 1740 uschar * s = US gnutls_session_get_desc(session), c;
d9acfc1c
JH		 1741
1742 /* Nikos M suggests we use this by preference. It returns like:
1743 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
1744
1745 For partial back-compat, put a colon after the TLS version, replace the
1746 )-( grouping with __, replace in-group - with _ and append the :keysize. */
1747
1748 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
1749
1750 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
1751 g = string_catn(g, US":", 1);
1752 if (*s) s++; /* now on _ between groups */
1753 while ((c = *s))
1754 {
1755 for (*++s && ++s; (c = *s) && c != ')'; s++) g = string_catn(g, c == '-' ? US"_" : s, 1);
1756 /* now on ) closing group */
1757 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
1758 /* now on _ between groups */
1759 }
1760 g = string_catn(g, US":", 1);
1761 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
1762 state->ciphersuite = string_from_gstring(g);
1763 }
1764#else
f1be21cf
JH		 1765 state->ciphersuite = string_sprintf("%s:%s:%d",
1766 gnutls_protocol_get_name(protocol),
1767 gnutls_cipher_suite_get_name(kx, cipher, mac),
1768 (int) gnutls_cipher_get_key_size(cipher) * 8);
1769
1770 /* I don't see a way that spaces could occur, in the current GnuTLS
1771 code base, but it was a concern in the old code and perhaps older GnuTLS
1772 releases did return "TLS 1.0"; play it safe, just in case. */
1773
1774 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
d9acfc1c
JH		 1775#endif
1776
1777/* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
1778
b10c87b3
JH		 1779 tlsp->cipher = state->ciphersuite;
1780 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
f1be21cf 1781
b10c87b3 1782 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
f1be21cf 1783 }
75fe387d 1784store_pool = old_pool;
4fe99a6c
PP		 1785
1786/* tls_peerdn */
b10c87b3 1787cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
83da1223 1788
f1be21cf 1789if (!cert_list || cert_list_size == 0)
17c76198 1790 {
17c76198
PP		 1791 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1792 cert_list, cert_list_size);
e51c7be2 1793 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1794 return tls_error(US"certificate verification failed",
48224640 1795 US"no certificate received from peer", state->host, errstr);
17c76198
PP		 1796 return OK;
1797 }
059ec3d9 1798
b10c87b3 1799if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
059ec3d9 1800 {
95f52235 1801 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
17c76198
PP		 1802 DEBUG(D_tls)
1803 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1804 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1805 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1806 ctn, state->host, errstr);
17c76198 1807 return OK;
83da1223 1808 }
059ec3d9 1809
e51c7be2
JH		 1810#define exim_gnutls_peer_err(Label) \
1811 do { \
1812 if (rc != GNUTLS_E_SUCCESS) \
1813 { \
1814 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1815 (Label), gnutls_strerror(rc)); \
1816 if (state->verify_requirement >= VERIFY_REQUIRED) \
452a164f 1817 return tls_error_gnu((Label), rc, state->host, errstr); \
e51c7be2
JH		 1818 return OK; \
1819 } \
1820 } while (0)
17c76198 1821
9d1c15ef
JH		 1822rc = import_cert(&cert_list[0], &crt);
1823exim_gnutls_peer_err(US"cert 0");
1824
1825state->tlsp->peercert = state->peercert = crt;
17c76198 1826
17c76198
PP		 1827sz = 0;
1828rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1829if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1830 {
17c76198
PP		 1831 exim_gnutls_peer_err(US"getting size for cert DN failed");
1832 return FAIL; /* should not happen */
059ec3d9 1833 }
f3ebb786 1834dn_buf = store_get_perm(sz, TRUE); /* tainted */
17c76198
PP		 1835rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1836exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1837
17c76198
PP		 1838state->peerdn = dn_buf;
1839
1840return OK;
1841#undef exim_gnutls_peer_err
1842}
059ec3d9 1843
059ec3d9 1844
059ec3d9 1845
059ec3d9 1846
17c76198
PP		 1847/*************************************************
1848* Verify peer certificate *
1849*************************************************/
059ec3d9 1850
17c76198
PP		 1851/* Called from both server and client code.
1852*Should* be using a callback registered with
1853gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1854the peer information, but that's too new for some OSes.
059ec3d9 1855
17c76198 1856Arguments:
899b8bbc
JH		 1857 state exim_gnutls_state_st *
1858 errstr where to put an error message
059ec3d9 1859
17c76198
PP		 1860Returns:
1861 FALSE if the session should be rejected
1862 TRUE if the cert is okay or we just don't care
1863*/
059ec3d9 1864
17c76198 1865static BOOL
28646fa9 1866verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
17c76198
PP		 1867{
1868int rc;
899b8bbc
JH		 1869uint verify;
1870
8008accd 1871DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
cf0c6164 1872*errstr = NULL;
b10c87b3 1873rc = peer_status(state, errstr);
17c76198 1874
b10c87b3
JH		 1875if (state->verify_requirement == VERIFY_NONE)
1876 return TRUE;
1877
1878if (rc != OK || !state->peerdn)
e6060e2c 1879 {
17c76198 1880 verify = GNUTLS_CERT_INVALID;
cf0c6164 1881 *errstr = US"certificate not supplied";
17c76198
PP		 1882 }
1883else
899b8bbc
JH		 1884
1885 {
1886#ifdef SUPPORT_DANE
1887 if (state->verify_requirement == VERIFY_DANE && state->host)
1888 {
1889 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1890 including talking to a DNS resolver. But we want to do that bit ourselves
1891 as the testsuite intercepts and fakes its own DNS environment. */
1892
1893 dane_state_t s;
1894 dane_query_t r;
899b8bbc 1895 uint lsize;
94c13285
JH		 1896 const gnutls_datum_t * certlist =
1897 gnutls_certificate_get_peers(state->session, &lsize);
1898 int usage = tls_out.tlsa_usage;
1899
1900# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1901 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1902 dane-verification separately so that we know which selector verified;
570cb1bd 1903 then we know whether to do name-verification (needed for TA but not EE). */
94c13285
JH		 1904
1905 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
bd5b3f3c 1906 { /* a mixed-usage bundle */
94c13285
JH		 1907 int i, j, nrec;
1908 const char ** dd;
1909 int * ddl;
1910
1911 for(nrec = 0; state->dane_data_len[nrec]; ) nrec++;
1912 nrec++;
1913
f3ebb786
JH		 1914 dd = store_get(nrec * sizeof(uschar *), FALSE);
1915 ddl = store_get(nrec * sizeof(int), FALSE);
94c13285
JH		 1916 nrec--;
1917
1918 if ((rc = dane_state_init(&s, 0)))
1919 goto tlsa_prob;
1920
1921 for (usage = DANESSL_USAGE_DANE_EE;
1922 usage >= DANESSL_USAGE_DANE_TA; usage--)
1923 { /* take records with this usage */
1924 for (j = i = 0; i < nrec; i++)
1925 if (state->dane_data[i][0] == usage)
1926 {
1927 dd[j] = state->dane_data[i];
1928 ddl[j++] = state->dane_data_len[i];
1929 }
1930 if (j)
1931 {
1932 dd[j] = NULL;
1933 ddl[j] = 0;
1934
1935 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1936 goto tlsa_prob;
1937
1938 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1939 gnutls_certificate_type_get(state->session),
1940 r, 0,
1941 usage == DANESSL_USAGE_DANE_EE
1942 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1943 &verify)))
1944 {
1945 DEBUG(D_tls)
1946 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1947 }
1948 else if (verify == 0) /* verification passed */
1949 {
1950 usage = 1 << usage;
1951 break;
1952 }
1953 }
1954 }
899b8bbc 1955
94c13285
JH		 1956 if (rc) goto tlsa_prob;
1957 }
1958 else
1959# endif
899b8bbc 1960 {
94c13285
JH		 1961 if ( (rc = dane_state_init(&s, 0))
1962 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
1963 1, 0))
1964 || (rc = dane_verify_crt_raw(s, certlist, lsize,
1965 gnutls_certificate_type_get(state->session),
5ec37a55 1966 r, 0,
94c13285
JH		 1967# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1968 usage == (1 << DANESSL_USAGE_DANE_EE)
1969 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1970# else
1971 0,
1972# endif
1973 &verify))
1974 )
1975 goto tlsa_prob;
899b8bbc 1976 }
94c13285
JH		 1977
1978 if (verify != 0) /* verification failed */
899b8bbc
JH		 1979 {
1980 gnutls_datum_t str;
1981 (void) dane_verification_status_print(verify, &str, 0);
1982 *errstr = US str.data; /* don't bother to free */
1983 goto badcert;
1984 }
28646fa9 1985
94c13285
JH		 1986# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1987 /* If a TA-mode TLSA record was used for verification we must additionally
570cb1bd 1988 verify the cert name (but not the CA chain). For EE-mode, skip it. */
28646fa9 1989
94c13285
JH		 1990 if (usage & (1 << DANESSL_USAGE_DANE_EE))
1991# endif
28646fa9 1992 {
570cb1bd 1993 state->peer_dane_verified = state->peer_cert_verified = TRUE;
28646fa9
JH		 1994 goto goodcert;
1995 }
570cb1bd
JH		 1996# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1997 /* Assume that the name on the A-record is the one that should be matching
1998 the cert. An alternate view is that the domain part of the email address
1999 is also permissible. */
2000
2001 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2002 CS state->host->name))
2003 {
2004 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2005 goto goodcert;
2006 }
2007# endif
899b8bbc 2008 }
570cb1bd 2009#endif /*SUPPORT_DANE*/
899b8bbc 2010
17c76198 2011 rc = gnutls_certificate_verify_peers2(state->session, &verify);
899b8bbc 2012 }
e6060e2c 2013
899b8bbc 2014/* Handle the result of verification. INVALID is set if any others are. */
059ec3d9 2015
28646fa9 2016if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
17c76198
PP		 2017 {
2018 state->peer_cert_verified = FALSE;
cf0c6164 2019 if (!*errstr)
184384c3
JH		 2020 {
2021#ifdef GNUTLS_CERT_VFY_STATUS_PRINT
2022 DEBUG(D_tls)
2023 {
2024 gnutls_datum_t txt;
2025
2026 if (gnutls_certificate_verification_status_print(verify,
2027 gnutls_certificate_type_get(state->session), &txt, 0)
2028 == GNUTLS_E_SUCCESS)
2029 {
2030 debug_printf("%s\n", txt.data);
2031 gnutls_free(txt.data);
2032 }
2033 }
2034#endif
cf0c6164
JH		 2035 *errstr = verify & GNUTLS_CERT_REVOKED
2036 ? US"certificate revoked" : US"certificate invalid";
184384c3 2037 }
059ec3d9 2038
17c76198 2039 DEBUG(D_tls)
e51c7be2 2040 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 2041 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 2042
e51c7be2 2043 if (state->verify_requirement >= VERIFY_REQUIRED)
899b8bbc 2044 goto badcert;
17c76198 2045 DEBUG(D_tls)
4789da3a 2046 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 2047 }
e51c7be2 2048
17c76198
PP		 2049else
2050 {
5fd28bb8
JH		 2051 /* Client side, check the server's certificate name versus the name on the
2052 A-record for the connection we made. What to do for server side - what name
2053 to use for client? We document that there is no such checking for server
2054 side. */
2055
2056 if ( state->exp_tls_verify_cert_hostnames
2057 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2058 CS state->exp_tls_verify_cert_hostnames)
2059 )
e51c7be2 2060 {
5fd28bb8
JH		 2061 DEBUG(D_tls)
2062 debug_printf("TLS certificate verification failed: cert name mismatch\n");
2063 if (state->verify_requirement >= VERIFY_REQUIRED)
2064 goto badcert;
2065 return TRUE;
e51c7be2 2066 }
5fd28bb8 2067
17c76198 2068 state->peer_cert_verified = TRUE;
e51c7be2 2069 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 2070 state->peerdn ? state->peerdn : US"<unset>");
17c76198 2071 }
059ec3d9 2072
28646fa9
JH		 2073goodcert:
2074 state->tlsp->peerdn = state->peerdn;
2075 return TRUE;
899b8bbc 2076
b83314e3 2077#ifdef SUPPORT_DANE
94c13285 2078tlsa_prob:
624f33df
JH		 2079 *errstr = string_sprintf("TLSA record problem: %s",
2080 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
b83314e3
JH		 2081#endif
2082
899b8bbc
JH		 2083badcert:
2084 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
2085 return FALSE;
17c76198 2086}
059ec3d9 2087
17c76198
PP		 2088
2089
2090
2091/* ------------------------------------------------------------------------ */
2092/* Callbacks */
2093
2094/* Logging function which can be registered with
2095 * gnutls_global_set_log_function()
2096 * gnutls_global_set_log_level() 0..9
2097 */
af3498d6 2098#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 2099static void
17c76198 2100exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 2101{
8c79eebf
PP		 2102 size_t len = strlen(message);
2103 if (len < 1)
2104 {
2105 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
2106 return;
2107 }
2108 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
2109 message[len-1] == '\n' ? "" : "\n");
17c76198 2110}
af3498d6 2111#endif
059ec3d9 2112
059ec3d9 2113
17c76198
PP		 2114/* Called after client hello, should handle SNI work.
2115This will always set tls_sni (state->received_sni) if available,
2116and may trigger presenting different certificates,
2117if state->trigger_sni_changes is TRUE.
059ec3d9 2118
17c76198
PP		 2119Should be registered with
2120 gnutls_handshake_set_post_client_hello_function()
059ec3d9 2121
17c76198
PP		 2122"This callback must return 0 on success or a gnutls error code to terminate the
2123handshake.".
059ec3d9 2124
17c76198
PP		 2125For inability to get SNI information, we return 0.
2126We only return non-zero if re-setup failed.
817d9f57 2127Only used for server-side TLS.
17c76198 2128*/
44bbabb5 2129
17c76198
PP		 2130static int
2131exim_sni_handling_cb(gnutls_session_t session)
2132{
2133char sni_name[MAX_HOST_LEN];
2134size_t data_len = MAX_HOST_LEN;
817d9f57 2135exim_gnutls_state_st *state = &state_server;
17c76198
PP		 2136unsigned int sni_type;
2137int rc, old_pool;
cf0c6164 2138uschar * dummy_errstr;
17c76198
PP		 2139
2140rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP		 2141if (rc != GNUTLS_E_SUCCESS)
2142 {
8775d84f 2143 DEBUG(D_tls)
b34fc30c
PP		 2144 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
2145 debug_printf("TLS: no SNI presented in handshake.\n");
2146 else
2147 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
2148 gnutls_strerror(rc), rc);
b34fc30c
PP		 2149 return 0;
2150 }
2151
17c76198
PP		 2152if (sni_type != GNUTLS_NAME_DNS)
2153 {
2154 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
2155 return 0;
2156 }
44bbabb5 2157
17c76198
PP		 2158/* We now have a UTF-8 string in sni_name */
2159old_pool = store_pool;
2160store_pool = POOL_PERM;
89a80675 2161state->received_sni = string_copy_taint(US sni_name, TRUE);
17c76198
PP		 2162store_pool = old_pool;
2163
2164/* We set this one now so that variable expansions below will work */
817d9f57 2165state->tlsp->sni = state->received_sni;
17c76198
PP		 2166
2167DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
2168 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
2169
2170if (!state->trigger_sni_changes)
2171 return 0;
2172
cf0c6164 2173if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP		 2174 {
2175 /* If the setup of certs/etc failed before handshake, TLS would not have
2176 been offered. The best we can do now is abort. */
2177 return GNUTLS_E_APPLICATION_ERROR_MIN;
2178 }
2179
cf0c6164 2180rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP		 2181if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
2182
2183return 0;
059ec3d9
PH		 2184}
2185
2186
2187
0cbf2b82 2188#ifndef DISABLE_EVENT
a7538db1
JH		 2189/*
2190We use this callback to get observability and detail-level control
723fe533
JH		 2191for an exim TLS connection (either direction), raising a tls:cert event
2192for each cert in the chain presented by the peer. Any event
a7538db1
JH		 2193can deny verification.
2194
2195Return 0 for the handshake to continue or non-zero to terminate.
2196*/
2197
2198static int
723fe533 2199verify_cb(gnutls_session_t session)
a7538db1 2200{
27f19eb4 2201const gnutls_datum_t * cert_list;
a7538db1
JH		 2202unsigned int cert_list_size = 0;
2203gnutls_x509_crt_t crt;
2204int rc;
b30275b8 2205uschar * yield;
a7538db1
JH		 2206exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2207
bd5b3f3c 2208if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
a7538db1
JH		 2209 while (cert_list_size--)
2210 {
bd5b3f3c 2211 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
a7538db1
JH		 2212 {
2213 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2214 cert_list_size, gnutls_strerror(rc));
2215 break;
2216 }
2217
2218 state->tlsp->peercert = crt;
b30275b8
JH		 2219 if ((yield = event_raise(state->event_action,
2220 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH		 2221 {
2222 log_write(0, LOG_MAIN,
b30275b8
JH		 2223 "SSL verify denied by event-action: depth=%d: %s",
2224 cert_list_size, yield);
a7538db1
JH		 2225 return 1; /* reject */
2226 }
2227 state->tlsp->peercert = NULL;
2228 }
2229
2230return 0;
2231}
2232
2233#endif
44662487
JH		 2234
2235
f20cfa4a
JH		 2236static gstring *
2237ddump(gnutls_datum_t * d)
2238{
2239gstring * g = string_get((d->size+1) * 2);
2240uschar * s = d->data;
2241for (unsigned i = d->size; i > 0; i--, s++)
2242 {
2243 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2244 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2245 }
2246return g;
2247}
17c76198 2248
dc6d1769
JH		 2249static void
2250post_handshake_debug(exim_gnutls_state_st * state)
2251{
dc6d1769
JH		 2252#ifdef SUPPORT_GNUTLS_SESS_DESC
2253debug_printf("%s\n", gnutls_session_get_desc(state->session));
2254#endif
2255#ifdef SUPPORT_GNUTLS_KEYLOG
e326959e
JH		 2256
2257# ifdef EXIM_HAVE_TLS1_3
dc6d1769 2258if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
a8af957d
JH		 2259#else
2260if (TRUE)
2261#endif
dc6d1769
JH		 2262 {
2263 gnutls_datum_t c, s;
2264 gstring * gc, * gs;
2265 /* we only want the client random and the master secret */
2266 gnutls_session_get_random(state->session, &c, &s);
2267 gnutls_session_get_master_secret(state->session, &s);
2268 gc = ddump(&c);
2269 gs = ddump(&s);
2270 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2271 }
2272else
2273 debug_printf("To get keying info for TLS1.3 is hard:\n"
2274 " set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n"
2275 " add SSLKEYLOGFILE to keep_environment in the exim config\n"
2276 " run exim as root\n"
e326959e
JH		 2277 " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
2278 " (works for TLS1.2 also, and saves cut-paste into file)\n");
dc6d1769
JH		 2279#endif
2280}
2281
b10c87b3
JH		 2282
2283#ifdef EXPERIMENTAL_TLS_RESUME
2284static int
2285tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2286 unsigned incoming, const gnutls_datum_t * msg)
2287{
2288DEBUG(D_tls) debug_printf("newticket cb\n");
2289tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2290return 0;
2291}
2292
2293static void
2294tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2295{
2296/* Should the server offer session resumption? */
2297tls_in.resumption = RESUME_SUPPORTED;
2298if (verify_check_host(&tls_resumption_hosts) == OK)
2299 {
2300 int rc;
2301 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2302 an offered resumption is unacceptable. We lose one resumption per ticket
2303 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2304 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2305 least they go out in a single packet. */
2306
2307 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2308 &server_sessticket_key)))
2309 tls_in.resumption |= RESUME_SERVER_TICKET;
2310 else
2311 DEBUG(D_tls)
2312 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2313
2314 /* Try to tell if we see a ticket request */
2315 gnutls_handshake_set_hook_function(state->session,
e5489333 2316 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
b10c87b3
JH		 2317 }
2318}
2319
2320static void
2321tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2322{
2323if (gnutls_session_resumption_requested(state->session))
2324 {
2325 /* This tells us the client sent a full ticket. We use a
2326 callback on session-ticket request, elsewhere, to tell
2327 if a client asked for a ticket. */
2328
2329 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2330 DEBUG(D_tls) debug_printf("client requested resumption\n");
2331 }
2332if (gnutls_session_is_resumed(state->session))
2333 {
2334 tls_in.resumption |= RESUME_USED;
2335 DEBUG(D_tls) debug_printf("Session resumed\n");
2336 }
2337}
2338#endif
17c76198
PP		 2339/* ------------------------------------------------------------------------ */
2340/* Exported functions */
2341
2342
2343
2344
059ec3d9
PH		 2345/*************************************************
2346* Start a TLS session in a server *
2347*************************************************/
2348
2349/* This is called when Exim is running as a server, after having received
2350the STARTTLS command. It must respond to that command, and then negotiate
2351a TLS session.
2352
2353Arguments:
83da1223 2354 require_ciphers list of allowed ciphers or NULL
cf0c6164 2355 errstr pointer to error string
059ec3d9
PH		 2356
2357Returns: OK on success
2358 DEFER for errors before the start of the negotiation
4c04137d 2359 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 2360 continue running.
2361*/
2362
2363int
cf0c6164 2364tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 2365{
2366int rc;
cf0c6164 2367exim_gnutls_state_st * state = NULL;
059ec3d9
PH		 2368
2369/* Check for previous activation */
74f1a423 2370if (tls_in.active.sock >= 0)
059ec3d9 2371 {
48224640 2372 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
925ac8e4 2373 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 2374 return FAIL;
2375 }
2376
2377/* Initialize the library. If it fails, it will already have logged the error
2378and sent an SMTP response. */
2379
17c76198 2380DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 2381
cf0c6164 2382if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
17c76198 2383 NULL, tls_verify_certificates, tls_crl,
74f1a423 2384 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
059ec3d9 2385
b10c87b3
JH		 2386#ifdef EXPERIMENTAL_TLS_RESUME
2387tls_server_resume_prehandshake(state);
2388#endif
2389
059ec3d9
PH		 2390/* If this is a host for which certificate verification is mandatory or
2391optional, set up appropriately. */
2392
059ec3d9 2393if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 2394 {
e51c7be2
JH		 2395 DEBUG(D_tls)
2396 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP		 2397 state->verify_requirement = VERIFY_REQUIRED;
2398 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2399 }
059ec3d9 2400else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 2401 {
e51c7be2
JH		 2402 DEBUG(D_tls)
2403 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP		 2404 state->verify_requirement = VERIFY_OPTIONAL;
2405 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2406 }
2407else
2408 {
e51c7be2
JH		 2409 DEBUG(D_tls)
2410 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP		 2411 state->verify_requirement = VERIFY_NONE;
2412 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2413 }
059ec3d9 2414
0cbf2b82 2415#ifndef DISABLE_EVENT
723fe533
JH		 2416if (event_action)
2417 {
2418 state->event_action = event_action;
2419 gnutls_session_set_ptr(state->session, state);
2420 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2421 }
2422#endif
2423
17c76198
PP		 2424/* Register SNI handling; always, even if not in tls_certificate, so that the
2425expansion variable $tls_sni is always available. */
059ec3d9 2426
17c76198
PP		 2427gnutls_handshake_set_post_client_hello_function(state->session,
2428 exim_sni_handling_cb);
059ec3d9
PH		 2429
2430/* Set context and tell client to go ahead, except in the case of TLS startup
2431on connection, where outputting anything now upsets the clients and tends to
2432make them disconnect. We need to have an explicit fflush() here, to force out
2433the response. Other smtp_printf() calls do not need it, because in non-TLS
2434mode, the fflush() happens when smtp_getc() is called. */
2435
817d9f57 2436if (!state->tlsp->on_connect)
059ec3d9 2437 {
925ac8e4 2438 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 2439 fflush(smtp_out);
059ec3d9
PH		 2440 }
2441
2442/* Now negotiate the TLS session. We put our own timer on it, since it seems
8008accd
JH		 2443that the GnuTLS library doesn't.
2444From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2445to set (and clear down afterwards) up a pull-timeout callback function that does
2446a select, so we're no better off unless avoiding signals becomes an issue. */
059ec3d9 2447
17c76198 2448gnutls_transport_set_ptr2(state->session,
27f19eb4
JH		 2449 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2450 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP		 2451state->fd_in = fileno(smtp_in);
2452state->fd_out = fileno(smtp_out);
059ec3d9
PH		 2453
2454sigalrm_seen = FALSE;
c2a1bba0 2455if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
17c76198 2456do
17c76198 2457 rc = gnutls_handshake(state->session);
157a7880 2458while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2459ALARM_CLR(0);
059ec3d9 2460
17c76198 2461if (rc != GNUTLS_E_SUCCESS)
059ec3d9 2462 {
059ec3d9
PH		 2463 /* It seems that, except in the case of a timeout, we have to close the
2464 connection right here; otherwise if the other end is running OpenSSL it hangs
2465 until the server times out. */
2466
60d10ce7 2467 if (sigalrm_seen)
ad7fc6eb 2468 {
48224640 2469 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
ad7fc6eb
JH		 2470 gnutls_db_remove_session(state->session);
2471 }
60d10ce7 2472 else
059ec3d9 2473 {
452a164f 2474 tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
f5d25c2b 2475 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 2476 gnutls_deinit(state->session);
ed62aae3 2477 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 2478 millisleep(500);
ad7fc6eb 2479 shutdown(state->fd_out, SHUT_WR);
d7978c0f 2480 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
f1e894f3
PH		 2481 (void)fclose(smtp_out);
2482 (void)fclose(smtp_in);
60d10ce7 2483 smtp_out = smtp_in = NULL;
059ec3d9
PH		 2484 }
2485
2486 return FAIL;
2487 }
2488
b10c87b3
JH		 2489#ifdef EXPERIMENTAL_TLS_RESUME
2490tls_server_resume_posthandshake(state);
2491#endif
2492
dc6d1769 2493DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2494
17c76198
PP		 2495/* Verify after the fact */
2496
899b8bbc 2497if (!verify_certificate(state, errstr))
059ec3d9 2498 {
9d1c15ef 2499 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 2500 {
cf0c6164 2501 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 2502 return FAIL;
17c76198 2503 }
9d1c15ef
JH		 2504 DEBUG(D_tls)
2505 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 2506 *errstr);
059ec3d9
PH		 2507 }
2508
17c76198
PP		 2509/* Sets various Exim expansion variables; always safe within server */
2510
9d1c15ef 2511extract_exim_vars_from_tls_state(state);
059ec3d9
PH		 2512
2513/* TLS has been set up. Adjust the input functions to read via TLS,
2514and initialize appropriately. */
2515
17c76198 2516state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH		 2517
2518receive_getc = tls_getc;
0d81dabc 2519receive_getbuf = tls_getbuf;
584e96c6 2520receive_get_cache = tls_get_cache;
059ec3d9
PH		 2521receive_ungetc = tls_ungetc;
2522receive_feof = tls_feof;
2523receive_ferror = tls_ferror;
58eb016e 2524receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2525
059ec3d9
PH		 2526return OK;
2527}
2528
2529
2530
2531
aa2a70ba
JH		 2532static void
2533tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2534 smtp_transport_options_block * ob)
2535{
3fb3231c 2536if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 2537 {
4af0d74a 2538 state->exp_tls_verify_cert_hostnames =
8c5d388a 2539#ifdef SUPPORT_I18N
4af0d74a
JH		 2540 string_domain_utf8_to_alabel(host->name, NULL);
2541#else
2542 host->name;
2543#endif
aa2a70ba
JH		 2544 DEBUG(D_tls)
2545 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2546 state->exp_tls_verify_cert_hostnames);
2547 }
2548}
aa2a70ba
JH		 2549
2550
899b8bbc
JH		 2551
2552
2553#ifdef SUPPORT_DANE
2554/* Given our list of RRs from the TLSA lookup, build a lookup block in
2555GnuTLS-DANE's preferred format. Hang it on the state str for later
2556use in DANE verification.
2557
2558We point at the dnsa data not copy it, so it must remain valid until
2559after verification is done.*/
2560
3674140c 2561static BOOL
899b8bbc
JH		 2562dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2563{
899b8bbc
JH		 2564dns_scan dnss;
2565int i;
2566const char ** dane_data;
2567int * dane_data_len;
2568
d7978c0f
JH		 2569i = 1;
2570for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc
JH		 2571 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2572 ) if (rr->type == T_TLSA) i++;
2573
f3ebb786
JH		 2574dane_data = store_get(i * sizeof(uschar *), FALSE);
2575dane_data_len = store_get(i * sizeof(int), FALSE);
899b8bbc 2576
d7978c0f
JH		 2577i = 0;
2578for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc 2579 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2580 ) if (rr->type == T_TLSA && rr->size > 3)
899b8bbc
JH		 2581 {
2582 const uschar * p = rr->data;
f3ebb786 2583/*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
3674140c
JH		 2584 uint8_t usage = p[0], sel = p[1], type = p[2];
2585
2586 DEBUG(D_tls)
2587 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2588
94c13285
JH		 2589 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2590 || (sel != 0 && sel != 1)
2591 )
2592 continue;
3674140c
JH		 2593 switch(type)
2594 {
2595 case 0: /* Full: cannot check at present */
2596 break;
2597 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2598 break;
2599 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2600 break;
2601 default: continue;
2602 }
899b8bbc
JH		 2603
2604 tls_out.tlsa_usage |= 1<<usage;
48224640 2605 dane_data[i] = CS p;
899b8bbc
JH		 2606 dane_data_len[i++] = rr->size;
2607 }
3674140c
JH		 2608
2609if (!i) return FALSE;
2610
899b8bbc
JH		 2611dane_data[i] = NULL;
2612dane_data_len[i] = 0;
2613
2614state->dane_data = (char * const *)dane_data;
2615state->dane_data_len = dane_data_len;
3674140c 2616return TRUE;
899b8bbc
JH		 2617}
2618#endif
2619
2620
2621
b10c87b3
JH		 2622#ifdef EXPERIMENTAL_TLS_RESUME
2623/* On the client, get any stashed session for the given IP from hints db
2624and apply it to the ssl-connection for attempted resumption. Although
2625there is a gnutls_session_ticket_enable_client() interface it is
2626documented as unnecessary (as of 3.6.7) as "session tickets are emabled
2627by deafult". There seems to be no way to disable them, so even hosts not
2628enabled by the transport option will be sent a ticket request. We will
2629however avoid storing and retrieving session information. */
2630
2631static void
2632tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
2633 host_item * host, smtp_transport_options_block * ob)
2634{
2635tlsp->resumption = RESUME_SUPPORTED;
2636if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2637 {
2638 dbdata_tls_session * dt;
2639 int len, rc;
2640 open_db dbblock, * dbm_file;
2641
2642 DEBUG(D_tls)
2643 debug_printf("check for resumable session for %s\n", host->address);
2644 tlsp->host_resumable = TRUE;
2645 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2646 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2647 {
dea4b568
JH		 2648 /* Key for the db is the IP. We'd like to filter the retrieved session
2649 for ticket advisory expiry, but 3.6.1 seems to give no access to that */
2650
b10c87b3
JH		 2651 if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
2652 if (!(rc = gnutls_session_set_data(session,
2653 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
2654 {
2655 DEBUG(D_tls) debug_printf("good session\n");
2656 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2657 }
2658 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
2659 US gnutls_strerror(rc));
2660 dbfn_close(dbm_file);
2661 }
2662 }
2663}
2664
2665
2666static void
2667tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
2668{
2669/* TLS 1.2 - we get both the callback and the direct posthandshake call,
2670but this flag is not set until the second. TLS 1.3 it's the other way about.
2671Keep both calls as the session data cannot be extracted before handshake
2672completes. */
2673
2674if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
2675 {
2676 gnutls_datum_t tkt;
2677 int rc;
2678
2679 DEBUG(D_tls) debug_printf("server offered session ticket\n");
2680 tlsp->ticket_received = TRUE;
2681 tlsp->resumption |= RESUME_SERVER_TICKET;
2682
2683 if (tlsp->host_resumable)
2684 if (!(rc = gnutls_session_get_data2(session, &tkt)))
2685 {
2686 open_db dbblock, * dbm_file;
2687 int dlen = sizeof(dbdata_tls_session) + tkt.size;
f3ebb786 2688 dbdata_tls_session * dt = store_get(dlen, TRUE);
b10c87b3
JH		 2689
2690 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
2691 memcpy(dt->session, tkt.data, tkt.size);
2692 gnutls_free(tkt.data);
2693
2694 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2695 {
2696 /* key for the db is the IP */
2697 dbfn_delete(dbm_file, host->address);
2698 dbfn_write(dbm_file, host->address, dt, dlen);
2699 dbfn_close(dbm_file);
2700
2701 DEBUG(D_tls)
2702 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
2703 }
2704 }
2705 else DEBUG(D_tls)
2706 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
2707 }
2708}
2709
2710
2711/* With a TLS1.3 session, the ticket(s) are not seen until
2712the first data read is attempted. And there's often two of them.
2713Pick them up with this callback. We are also called for 1.2
2714but we do nothing.
2715*/
2716static int
2717tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2718 unsigned incoming, const gnutls_datum_t * msg)
2719{
2720exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
2721tls_support * tlsp = state->tlsp;
2722
2723DEBUG(D_tls) debug_printf("newticket cb\n");
2724
2725if (!tlsp->ticket_received)
2726 tls_save_session(tlsp, sess, state->host);
2727return 0;
2728}
2729
2730
2731static void
2732tls_client_resume_prehandshake(exim_gnutls_state_st * state,
2733 tls_support * tlsp, host_item * host,
2734 smtp_transport_options_block * ob)
2735{
2736gnutls_session_set_ptr(state->session, state);
2737gnutls_handshake_set_hook_function(state->session,
2738 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
2739
2740tls_retrieve_session(tlsp, state->session, host, ob);
2741}
2742
2743static void
2744tls_client_resume_posthandshake(exim_gnutls_state_st * state,
2745 tls_support * tlsp, host_item * host)
2746{
2747if (gnutls_session_is_resumed(state->session))
2748 {
2749 DEBUG(D_tls) debug_printf("Session resumed\n");
2750 tlsp->resumption |= RESUME_USED;
2751 }
2752
2753tls_save_session(tlsp, state->session, host);
2754}
2755#endif /* EXPERIMENTAL_TLS_RESUME */
2756
2757
059ec3d9
PH		 2758/*************************************************
2759* Start a TLS session in a client *
2760*************************************************/
2761
2762/* Called from the smtp transport after STARTTLS has been accepted.
2763
2764Arguments:
c05bdbd6
JH		 2765 cctx connection context
2766 conn_args connection details
2767 cookie datum for randomness (not used)
2768 tlsp record details of channel configuration here; must be non-NULL
2769 errstr error string pointer
2770
2771Returns: TRUE for success with TLS session context set in smtp context,
2772 FALSE on error
059ec3d9
PH		 2773*/
2774
c05bdbd6
JH		 2775BOOL
2776tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2777 void * cookie ARG_UNUSED,
2778 tls_support * tlsp, uschar ** errstr)
059ec3d9 2779{
c05bdbd6
JH		 2780host_item * host = conn_args->host; /* for msgs and option-tests */
2781transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2782smtp_transport_options_block * ob = tb
afdb5e9c
JH		 2783 ? (smtp_transport_options_block *)tb->options_block
2784 : &smtp_transport_option_defaults;
059ec3d9 2785int rc;
899b8bbc 2786exim_gnutls_state_st * state = NULL;
c05bdbd6 2787uschar * cipher_list = NULL;
74f1a423 2788
f2de3a33 2789#ifndef DISABLE_OCSP
5130845b 2790BOOL require_ocsp =
3fb3231c 2791 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
44662487 2792BOOL request_ocsp = require_ocsp ? TRUE
3fb3231c 2793 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2b4a568d 2794#endif
059ec3d9 2795
c05bdbd6 2796DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
059ec3d9 2797
5ec37a55 2798#ifdef SUPPORT_DANE
c05bdbd6
JH		 2799/* If dane is flagged, have either request or require dane for this host, and
2800a TLSA record found. Therefore, dane verify required. Which implies cert must
2801be requested and supplied, dane verify must pass, and cert verify irrelevant
2802(incl. hostnames), and (caller handled) require_tls */
2803
2804if (conn_args->dane && ob->dane_require_tls_ciphers)
5ec37a55
PP		 2805 {
2806 /* not using expand_check_tlsvar because not yet in state */
2807 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2808 &cipher_list, errstr))
c05bdbd6 2809 return FALSE;
cf260049
JH		 2810 cipher_list = cipher_list && *cipher_list
2811 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
5ec37a55
PP		 2812 }
2813#endif
2814
2815if (!cipher_list)
2816 cipher_list = ob->tls_require_ciphers;
2817
74f1a423 2818if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
65867078 2819 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
74f1a423 2820 cipher_list, &state, tlsp, errstr) != OK)
c05bdbd6 2821 return FALSE;
059ec3d9 2822
54c90be1 2823 {
65867078
JH		 2824 int dh_min_bits = ob->tls_dh_min_bits;
2825 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2826 {
2827 DEBUG(D_tls)
2828 debug_printf("WARNING: tls_dh_min_bits far too low,"
2829 " clamping %d up to %d\n",
2830 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2831 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2832 }
54c90be1 2833
65867078
JH		 2834 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2835 " acceptable bits to %d\n",
2836 dh_min_bits);
2837 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2838 }
83da1223 2839
94431adb 2840/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH		 2841set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2842the specified host patterns if one of them is defined */
2843
899b8bbc 2844#ifdef SUPPORT_DANE
c05bdbd6 2845if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
899b8bbc
JH		 2846 {
2847 DEBUG(D_tls)
2848 debug_printf("TLS: server certificate DANE required.\n");
2849 state->verify_requirement = VERIFY_DANE;
2850 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
899b8bbc
JH		 2851 }
2852else
2853#endif
2854 if ( ( state->exp_tls_verify_certificates
2855 && !ob->tls_verify_hosts
2856 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2857 )
3fb3231c 2858 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
899b8bbc 2859 )
17c76198 2860 {
aa2a70ba 2861 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH		 2862 DEBUG(D_tls)
2863 debug_printf("TLS: server certificate verification required.\n");
2864 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB		 2865 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2866 }
3fb3231c 2867else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
52f93eed 2868 {
aa2a70ba 2869 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH		 2870 DEBUG(D_tls)
2871 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2872 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP		 2873 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2874 }
2875else
2876 {
e51c7be2
JH		 2877 DEBUG(D_tls)
2878 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB		 2879 state->verify_requirement = VERIFY_NONE;
2880 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2881 }
059ec3d9 2882
f2de3a33
JH		 2883#ifndef DISABLE_OCSP
2884 /* supported since GnuTLS 3.1.3 */
44662487 2885if (request_ocsp)
9d1c15ef
JH		 2886 {
2887 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH		 2888 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2889 NULL, 0, NULL)) != OK)
74f1a423 2890 {
452a164f 2891 tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
c05bdbd6 2892 return FALSE;
74f1a423
JH		 2893 }
2894 tlsp->ocsp = OCSP_NOT_RESP;
9d1c15ef 2895 }
2b4a568d
JH		 2896#endif
2897
b10c87b3
JH		 2898#ifdef EXPERIMENTAL_TLS_RESUME
2899tls_client_resume_prehandshake(state, tlsp, host, ob);
2900#endif
2901
0cbf2b82 2902#ifndef DISABLE_EVENT
afdb5e9c 2903if (tb && tb->event_action)
a7538db1 2904 {
774ef2d7 2905 state->event_action = tb->event_action;
a7538db1 2906 gnutls_session_set_ptr(state->session, state);
723fe533 2907 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH		 2908 }
2909#endif
2910
c05bdbd6
JH		 2911gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
2912state->fd_in = cctx->sock;
2913state->fd_out = cctx->sock;
059ec3d9 2914
9d1c15ef 2915DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH		 2916/* There doesn't seem to be a built-in timeout on connection. */
2917
2918sigalrm_seen = FALSE;
c2a1bba0 2919ALARM(ob->command_timeout);
17c76198 2920do
17c76198 2921 rc = gnutls_handshake(state->session);
f1fed05b 2922while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2923ALARM_CLR(0);
059ec3d9 2924
4fe99a6c 2925if (rc != GNUTLS_E_SUCCESS)
74f1a423 2926 {
60d10ce7
JH		 2927 if (sigalrm_seen)
2928 {
2929 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
48224640 2930 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
60d10ce7
JH		 2931 }
2932 else
452a164f 2933 tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
c05bdbd6 2934 return FALSE;
74f1a423 2935 }
4fe99a6c 2936
dc6d1769 2937DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2938
17c76198 2939/* Verify late */
059ec3d9 2940
899b8bbc 2941if (!verify_certificate(state, errstr))
74f1a423
JH		 2942 {
2943 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
c05bdbd6 2944 return FALSE;
74f1a423 2945 }
059ec3d9 2946
f2de3a33 2947#ifndef DISABLE_OCSP
7a501c87 2948if (request_ocsp)
2b4a568d
JH		 2949 {
2950 DEBUG(D_tls)
2951 {
2952 gnutls_datum_t stapling;
2953 gnutls_ocsp_resp_t resp;
2954 gnutls_datum_t printed;
e326959e
JH		 2955 unsigned idx = 0;
2956
2957 for (;
2958# ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
2959 (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
2960#else
2961 (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
2962#endif
2963 idx++)
2964 if ( (rc= gnutls_ocsp_resp_init(&resp)) == 0
2965 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2966 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
2967 )
2968 {
2969 debug_printf("%.4096s", printed.data);
2970 gnutls_free(printed.data);
2971 }
2972 else
2973 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2974 if (idx == 0 && rc)
452a164f 2975 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2b4a568d
JH		 2976 }
2977
2b4a568d 2978 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2 2979 {
74f1a423
JH		 2980 tlsp->ocsp = OCSP_FAILED;
2981 tls_error(US"certificate status check failed", NULL, state->host, errstr);
7a501c87
JH		 2982 if (require_ocsp)
2983 return FALSE;
2984 }
2985 else
2986 {
2987 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
2988 tlsp->ocsp = OCSP_VFIED;
018058b2 2989 }
2b4a568d
JH		 2990 }
2991#endif
2992
b10c87b3
JH		 2993#ifdef EXPERIMENTAL_TLS_RESUME
2994tls_client_resume_posthandshake(state, tlsp, host);
2995#endif
059ec3d9 2996
4fe99a6c 2997/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 2998
9d1c15ef 2999extract_exim_vars_from_tls_state(state);
059ec3d9 3000
c05bdbd6
JH		 3001cctx->tls_ctx = state;
3002return TRUE;
059ec3d9
PH		 3003}
3004
3005
3006
17c76198 3007
059ec3d9 3008/*************************************************
17c76198 3009* Close down a TLS session *
059ec3d9
PH		 3010*************************************************/
3011
17c76198
PP		 3012/* This is also called from within a delivery subprocess forked from the
3013daemon, to shut down the TLS library, without actually doing a shutdown (which
3014would tamper with the TLS session in the parent process).
059ec3d9 3015
dec766a1 3016Arguments:
74f1a423 3017 ct_ctx client context pointer, or NULL for the one global server context
dec766a1 3018 shutdown 1 if TLS close-alert is to be sent,
afdb5e9c 3019 2 if also response to be waited for
dec766a1 3020
17c76198 3021Returns: nothing
059ec3d9
PH		 3022*/
3023
17c76198 3024void
74f1a423 3025tls_close(void * ct_ctx, int shutdown)
059ec3d9 3026{
74f1a423 3027exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
bd231acd 3028tls_support * tlsp = state->tlsp;
059ec3d9 3029
bd231acd 3030if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
17c76198
PP		 3031
3032if (shutdown)
3033 {
dec766a1
WB		 3034 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3035 shutdown > 1 ? " (with response-wait)" : "");
3036
c2a1bba0 3037 ALARM(2);
dec766a1 3038 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
c2a1bba0 3039 ALARM_CLR(0);
17c76198
PP		 3040 }
3041
bd231acd
JH		 3042if (!ct_ctx) /* server */
3043 {
3044 receive_getc = smtp_getc;
3045 receive_getbuf = smtp_getbuf;
3046 receive_get_cache = smtp_get_cache;
3047 receive_ungetc = smtp_ungetc;
3048 receive_feof = smtp_feof;
3049 receive_ferror = smtp_ferror;
3050 receive_smtp_buffered = smtp_buffered;
3051 }
3052
17c76198 3053gnutls_deinit(state->session);
ed62aae3
HSHR		 3054gnutls_certificate_free_credentials(state->x509_cred);
3055
bd231acd
JH		 3056tlsp->active.sock = -1;
3057tlsp->active.tls_ctx = NULL;
3058/* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
3059tls_channelbinding_b64 = NULL;
3060
17c76198 3061
b808677c 3062if (state->xfer_buffer) store_free(state->xfer_buffer);
17c76198 3063memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
059ec3d9
PH		 3064}
3065
3066
3067
17c76198 3068
0d81dabc
JH		 3069static BOOL
3070tls_refill(unsigned lim)
3071{
3072exim_gnutls_state_st * state = &state_server;
3073ssize_t inbytes;
3074
3075DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
3076 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
3077
f1fed05b 3078sigalrm_seen = FALSE;
c2a1bba0 3079if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
4896a319
AM		 3080
3081do
3082 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
3083 MIN(ssl_xfer_buffer_size, lim));
3084while (inbytes == GNUTLS_E_AGAIN);
3085
c2a1bba0 3086if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH		 3087
3088if (had_command_timeout) /* set by signal handler */
3089 smtp_command_timeout_exit(); /* does not return */
3090if (had_command_sigterm)
3091 smtp_command_sigterm_exit();
3092if (had_data_timeout)
3093 smtp_data_timeout_exit();
3094if (had_data_sigint)
3095 smtp_data_sigint_exit();
3096
3097/* Timeouts do not get this far. A zero-byte return appears to mean that the
3098TLS session has been closed down, not that the socket itself has been closed
3099down. Revert to non-TLS handling. */
0d81dabc
JH		 3100
3101if (sigalrm_seen)
3102 {
3103 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
8b77d27a 3104 state->xfer_error = TRUE;
0d81dabc
JH		 3105 return FALSE;
3106 }
3107
3108else if (inbytes == 0)
3109 {
3110 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
bd231acd 3111 tls_close(NULL, TLS_NO_SHUTDOWN);
0d81dabc
JH		 3112 return FALSE;
3113 }
3114
3115/* Handle genuine errors */
3116
3117else if (inbytes < 0)
3118 {
95f52235 3119 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
0d81dabc 3120 record_io_error(state, (int) inbytes, US"recv", NULL);
8b77d27a 3121 state->xfer_error = TRUE;
0d81dabc
JH		 3122 return FALSE;
3123 }
3124#ifndef DISABLE_DKIM
3125dkim_exim_verify_feed(state->xfer_buffer, inbytes);
3126#endif
3127state->xfer_buffer_hwm = (int) inbytes;
3128state->xfer_buffer_lwm = 0;
3129return TRUE;
3130}
3131
059ec3d9
PH		 3132/*************************************************
3133* TLS version of getc *
3134*************************************************/
3135
3136/* This gets the next byte from the TLS input buffer. If the buffer is empty,
3137it refills the buffer via the GnuTLS reading function.
817d9f57 3138Only used by the server-side TLS.
059ec3d9 3139
17c76198
PP		 3140This feeds DKIM and should be used for all message-body reads.
3141
aded2255 3142Arguments: lim Maximum amount to read/buffer
059ec3d9
PH		 3143Returns: the next character or EOF
3144*/
3145
3146int
bd8fbe36 3147tls_getc(unsigned lim)
059ec3d9 3148{
0d81dabc 3149exim_gnutls_state_st * state = &state_server;
059ec3d9 3150
0d81dabc
JH		 3151if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3152 if (!tls_refill(lim))
3153 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 3154
0d81dabc 3155/* Something in the buffer; return next uschar */
059ec3d9 3156
0d81dabc
JH		 3157return state->xfer_buffer[state->xfer_buffer_lwm++];
3158}
059ec3d9 3159
0d81dabc
JH		 3160uschar *
3161tls_getbuf(unsigned * len)
3162{
3163exim_gnutls_state_st * state = &state_server;
3164unsigned size;
3165uschar * buf;
059ec3d9 3166
0d81dabc
JH		 3167if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3168 if (!tls_refill(*len))
059ec3d9 3169 {
0d81dabc
JH		 3170 if (!state->xfer_error) return smtp_getbuf(len);
3171 *len = 0;
3172 return NULL;
059ec3d9 3173 }
059ec3d9 3174
0d81dabc
JH		 3175if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
3176 size = *len;
3177buf = &state->xfer_buffer[state->xfer_buffer_lwm];
3178state->xfer_buffer_lwm += size;
3179*len = size;
3180return buf;
059ec3d9
PH		 3181}
3182
0d81dabc 3183
584e96c6
JH		 3184void
3185tls_get_cache()
3186{
9960d1e5 3187#ifndef DISABLE_DKIM
584e96c6
JH		 3188exim_gnutls_state_st * state = &state_server;
3189int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3190if (n > 0)
3191 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 3192#endif
9960d1e5 3193}
584e96c6 3194
059ec3d9 3195
925ac8e4
JH		 3196BOOL
3197tls_could_read(void)
3198{
3199return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3200 || gnutls_record_check_pending(state_server.session) > 0;
3201}
3202
3203
059ec3d9 3204
17c76198 3205
059ec3d9
PH		 3206/*************************************************
3207* Read bytes from TLS channel *
3208*************************************************/
3209
17c76198
PP		 3210/* This does not feed DKIM, so if the caller uses this for reading message body,
3211then the caller must feed DKIM.
817d9f57 3212
059ec3d9 3213Arguments:
74f1a423 3214 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3215 buff buffer of data
3216 len size of buffer
3217
3218Returns: the number of bytes read
afdb5e9c 3219 -1 after a failed read, including EOF
059ec3d9
PH		 3220*/
3221
3222int
74f1a423 3223tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 3224{
74f1a423 3225exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
17c76198 3226ssize_t inbytes;
059ec3d9 3227
17c76198
PP		 3228if (len > INT_MAX)
3229 len = INT_MAX;
059ec3d9 3230
17c76198
PP		 3231if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3232 DEBUG(D_tls)
3233 debug_printf("*** PROBABLY A BUG *** " \
3234 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3235 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3236
3237DEBUG(D_tls)
3238 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
3239 state->session, buff, len);
3240
4896a319
AM		 3241do
3242 inbytes = gnutls_record_recv(state->session, buff, len);
3243while (inbytes == GNUTLS_E_AGAIN);
3244
059ec3d9
PH		 3245if (inbytes > 0) return inbytes;
3246if (inbytes == 0)
3247 {
3248 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3249 }
5fd28bb8 3250else
4896a319 3251 {
95f52235 3252 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
4896a319
AM		 3253 record_io_error(state, (int)inbytes, US"recv", NULL);
3254 }
059ec3d9
PH		 3255
3256return -1;
3257}
3258
3259
3260
17c76198 3261
059ec3d9
PH		 3262/*************************************************
3263* Write bytes down TLS channel *
3264*************************************************/
3265
3266/*
3267Arguments:
74f1a423 3268 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3269 buff buffer of data
3270 len number of bytes
925ac8e4 3271 more more data expected soon
059ec3d9
PH		 3272
3273Returns: the number of bytes after a successful write,
3274 -1 after a failed write
3275*/
3276
3277int
74f1a423 3278tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
059ec3d9 3279{
17c76198
PP		 3280ssize_t outbytes;
3281size_t left = len;
74f1a423 3282exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
925ac8e4
JH		 3283#ifdef SUPPORT_CORK
3284static BOOL corked = FALSE;
3285
3286if (more && !corked) gnutls_record_cork(state->session);
3287#endif
3288
3289DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
3290 buff, left, more ? ", more" : "");
059ec3d9 3291
059ec3d9
PH		 3292while (left > 0)
3293 {
17c76198
PP		 3294 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
3295 buff, left);
4896a319
AM		 3296
3297 do
3298 outbytes = gnutls_record_send(state->session, buff, left);
3299 while (outbytes == GNUTLS_E_AGAIN);
059ec3d9 3300
17c76198 3301 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH		 3302 if (outbytes < 0)
3303 {
1b76ad22 3304 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
17c76198 3305 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH		 3306 return -1;
3307 }
3308 if (outbytes == 0)
3309 {
17c76198 3310 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH		 3311 return -1;
3312 }
3313
3314 left -= outbytes;
3315 buff += outbytes;
3316 }
3317
17c76198
PP		 3318if (len > INT_MAX)
3319 {
3320 DEBUG(D_tls)
3321 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
3322 len);
3323 len = INT_MAX;
3324 }
3325
925ac8e4
JH		 3326#ifdef SUPPORT_CORK
3327if (more != corked)
3328 {
3329 if (!more) (void) gnutls_record_uncork(state->session, 0);
3330 corked = more;
3331 }
3332#endif
3333
17c76198 3334return (int) len;
059ec3d9
PH		 3335}
3336
3337
3338
17c76198 3339
059ec3d9 3340/*************************************************
17c76198 3341* Random number generation *
059ec3d9
PH		 3342*************************************************/
3343
17c76198
PP		 3344/* Pseudo-random number generation. The result is not expected to be
3345cryptographically strong but not so weak that someone will shoot themselves
3346in the foot using it as a nonce in input in some email header scheme or
3347whatever weirdness they'll twist this into. The result should handle fork()
3348and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 3349
17c76198
PP		 3350Arguments:
3351 max range maximum
3352Returns a random number in range [0, max-1]
059ec3d9
PH		 3353*/
3354
af3498d6 3355#ifdef HAVE_GNUTLS_RND
17c76198
PP		 3356int
3357vaguely_random_number(int max)
059ec3d9 3358{
17c76198
PP		 3359unsigned int r;
3360int i, needed_len;
17c76198
PP		 3361uschar smallbuf[sizeof(r)];
3362
3363if (max <= 1)
3364 return 0;
3365
3366needed_len = sizeof(r);
3367/* Don't take 8 times more entropy than needed if int is 8 octets and we were
d7978c0f
JH		 3368asked for a number less than 10. */
3369
17c76198
PP		 3370for (r = max, i = 0; r; ++i)
3371 r >>= 1;
3372i = (i + 7) / 8;
3373if (i < needed_len)
3374 needed_len = i;
3375
3376i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
3377if (i < 0)
059ec3d9 3378 {
17c76198
PP		 3379 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
3380 return vaguely_random_number_fallback(max);
3381 }
3382r = 0;
d7978c0f
JH		 3383for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3384 r = r * 256 + *p;
059ec3d9 3385
17c76198
PP		 3386/* We don't particularly care about weighted results; if someone wants
3387 * smooth distribution and cares enough then they should submit a patch then. */
3388return r % max;
059ec3d9 3389}
af3498d6
PP		 3390#else /* HAVE_GNUTLS_RND */
3391int
3392vaguely_random_number(int max)
3393{
3394 return vaguely_random_number_fallback(max);
3395}
3396#endif /* HAVE_GNUTLS_RND */
059ec3d9 3397
36f12725
NM		 3398
3399
3400
3375e053
PP		 3401/*************************************************
3402* Let tls_require_ciphers be checked at startup *
3403*************************************************/
3404
3405/* The tls_require_ciphers option, if set, must be something which the
3406library can parse.
3407
3408Returns: NULL on success, or error message
3409*/
3410
3411uschar *
3412tls_validate_require_cipher(void)
3413{
3414int rc;
3415uschar *expciphers = NULL;
3416gnutls_priority_t priority_cache;
3417const char *errpos;
cf0c6164 3418uschar * dummy_errstr;
3375e053
PP		 3419
3420#define validate_check_rc(Label) do { \
3421 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
3422 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3423#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
3424
3425if (exim_gnutls_base_init_done)
3426 log_write(0, LOG_MAIN|LOG_PANIC,
3427 "already initialised GnuTLS, Exim developer bug");
3428
a5f239e4 3429#ifdef HAVE_GNUTLS_PKCS11
2519e60d 3430if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 3431 {
3432 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
3433 validate_check_rc(US"gnutls_pkcs11_init");
3434 }
3435#endif
3375e053
PP		 3436rc = gnutls_global_init();
3437validate_check_rc(US"gnutls_global_init()");
3438exim_gnutls_base_init_done = TRUE;
3439
3440if (!(tls_require_ciphers && *tls_require_ciphers))
3441 return_deinit(NULL);
3442
cf0c6164
JH		 3443if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3444 &dummy_errstr))
3375e053
PP		 3445 return_deinit(US"failed to expand tls_require_ciphers");
3446
3447if (!(expciphers && *expciphers))
3448 return_deinit(NULL);
3449
3450DEBUG(D_tls)
3451 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3452
3453rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
3454validate_check_rc(string_sprintf(
3455 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
3456 expciphers, errpos - CS expciphers, errpos));
3457
3458#undef return_deinit
3459#undef validate_check_rc
3460gnutls_global_deinit();
3461
3462return NULL;
3463}
3464
3465
3466
3467
36f12725
NM		 3468/*************************************************
3469* Report the library versions. *
3470*************************************************/
3471
3472/* See a description in tls-openssl.c for an explanation of why this exists.
3473
3474Arguments: a FILE* to print the results to
3475Returns: nothing
3476*/
3477
3478void
3479tls_version_report(FILE *f)
3480{
754a0503
PP		 3481fprintf(f, "Library version: GnuTLS: Compile: %s\n"
3482 " Runtime: %s\n",
3483 LIBGNUTLS_VERSION,
3484 gnutls_check_version(NULL));
36f12725
NM		 3485}
3486
b10c87b3 3487#endif /*!MACRO_PREDEF*/
2b4a568d
JH		 3488/* vi: aw ai sw=2
3489*/
059ec3d9 3490/* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.