projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Testsuite: more TLSv1.3 handling
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP		 10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP		 14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 16Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 17appropriate.
059ec3d9 18
17c76198
PP		 19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP		 24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP		 27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP		 32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP		 37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
a5f239e4
PP		 42/* needed to disable PKCS11 autoload unless requested */
43#if GNUTLS_VERSION_NUMBER >= 0x020c00
44# include <gnutls/pkcs11.h>
76075bb5 45# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 46#endif
7e07527a
JH		 47#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
48# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
49# define DISABLE_OCSP
50#endif
0cbf2b82 51#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 52# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 53# define DISABLE_EVENT
a7538db1 54#endif
a7fec7a7
JH		 55#if GNUTLS_VERSION_NUMBER >= 0x030306
56# define SUPPORT_CA_DIR
57#else
58# undef SUPPORT_CA_DIR
59#endif
11a04b5a 60#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH		 61# define SUPPORT_SYSDEFAULT_CABUNDLE
62#endif
925ac8e4
JH		 63#if GNUTLS_VERSION_NUMBER >= 0x030109
64# define SUPPORT_CORK
65#endif
47195144
JH		 66#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
67# define SUPPORT_SRV_OCSP_STACK
68#endif
c0635b6d
JH		 69
70#ifdef SUPPORT_DANE
71# if GNUTLS_VERSION_NUMBER >= 0x030000
72# define DANESSL_USAGE_DANE_TA 2
73# define DANESSL_USAGE_DANE_EE 3
74# else
75# error GnuTLS version too early for DANE
76# endif
77# if GNUTLS_VERSION_NUMBER < 0x999999
78# define GNUTLS_BROKEN_DANE_VALIDATION
79# endif
899b8bbc 80#endif
7e07527a 81
f2de3a33 82#ifndef DISABLE_OCSP
2b4a568d
JH		 83# include <gnutls/ocsp.h>
84#endif
899b8bbc
JH		 85#ifdef SUPPORT_DANE
86# include <gnutls/dane.h>
87#endif
059ec3d9 88
17c76198 89/* GnuTLS 2 vs 3
059ec3d9 90
17c76198
PP		 91GnuTLS 3 only:
92 gnutls_global_set_audit_log_function()
059ec3d9 93
17c76198
PP		 94Changes:
95 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
96*/
059ec3d9 97
17c76198 98/* Local static variables for GnuTLS */
059ec3d9 99
17c76198 100/* Values for verify_requirement */
059ec3d9 101
e51c7be2 102enum peer_verify_requirement
899b8bbc 103 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
059ec3d9 104
17c76198
PP		 105/* This holds most state for server or client; with this, we can set up an
106outbound TLS-enabled connection in an ACL callout, while not stomping all
107over the TLS variables available for expansion.
059ec3d9 108
17c76198
PP		 109Some of these correspond to variables in globals.c; those variables will
110be set to point to content in one of these instances, as appropriate for
111the stage of the process lifetime.
059ec3d9 112
389ca47a 113Not handled here: global tls_channelbinding_b64.
17c76198 114*/
059ec3d9 115
17c76198 116typedef struct exim_gnutls_state {
9d1c15ef 117 gnutls_session_t session;
17c76198 118 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 119 gnutls_priority_t priority_cache;
17c76198 120 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH		 121 int fd_in;
122 int fd_out;
123 BOOL peer_cert_verified;
899b8bbc 124 BOOL peer_dane_verified;
9d1c15ef
JH		 125 BOOL trigger_sni_changes;
126 BOOL have_set_peerdn;
5fd28bb8 127 const struct host_item *host; /* NULL if server */
afdb5e9c 128 gnutls_x509_crt_t peercert;
9d1c15ef
JH		 129 uschar *peerdn;
130 uschar *ciphersuite;
131 uschar *received_sni;
17c76198
PP		 132
133 const uschar *tls_certificate;
134 const uschar *tls_privatekey;
135 const uschar *tls_sni; /* client send only, not received */
136 const uschar *tls_verify_certificates;
137 const uschar *tls_crl;
138 const uschar *tls_require_ciphers;
e51c7be2 139
17c76198
PP		 140 uschar *exp_tls_certificate;
141 uschar *exp_tls_privatekey;
17c76198
PP		 142 uschar *exp_tls_verify_certificates;
143 uschar *exp_tls_crl;
144 uschar *exp_tls_require_ciphers;
55414b25 145 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 146#ifndef DISABLE_EVENT
a7538db1
JH		 147 uschar *event_action;
148#endif
899b8bbc
JH		 149#ifdef SUPPORT_DANE
150 char * const * dane_data;
151 const int * dane_data_len;
152#endif
17c76198 153
389ca47a 154 tls_support *tlsp; /* set in tls_init() */
817d9f57 155
17c76198
PP		 156 uschar *xfer_buffer;
157 int xfer_buffer_lwm;
158 int xfer_buffer_hwm;
8b77d27a
JH		 159 BOOL xfer_eof; /*XXX never gets set! */
160 BOOL xfer_error;
17c76198
PP		 161} exim_gnutls_state_st;
162
163static const exim_gnutls_state_st exim_gnutls_state_init = {
f2ed27cf
JH		 164 .session = NULL,
165 .x509_cred = NULL,
166 .priority_cache = NULL,
167 .verify_requirement = VERIFY_NONE,
168 .fd_in = -1,
169 .fd_out = -1,
170 .peer_cert_verified = FALSE,
899b8bbc 171 .peer_dane_verified = FALSE,
f2ed27cf
JH		 172 .trigger_sni_changes =FALSE,
173 .have_set_peerdn = FALSE,
174 .host = NULL,
175 .peercert = NULL,
176 .peerdn = NULL,
177 .ciphersuite = NULL,
178 .received_sni = NULL,
179
180 .tls_certificate = NULL,
181 .tls_privatekey = NULL,
182 .tls_sni = NULL,
183 .tls_verify_certificates = NULL,
184 .tls_crl = NULL,
185 .tls_require_ciphers =NULL,
186
187 .exp_tls_certificate = NULL,
188 .exp_tls_privatekey = NULL,
189 .exp_tls_verify_certificates = NULL,
190 .exp_tls_crl = NULL,
191 .exp_tls_require_ciphers = NULL,
f2ed27cf 192 .exp_tls_verify_cert_hostnames = NULL,
0cbf2b82 193#ifndef DISABLE_EVENT
f2ed27cf 194 .event_action = NULL,
e51c7be2 195#endif
f2ed27cf
JH		 196 .tlsp = NULL,
197
198 .xfer_buffer = NULL,
199 .xfer_buffer_lwm = 0,
200 .xfer_buffer_hwm = 0,
8b77d27a
JH		 201 .xfer_eof = FALSE,
202 .xfer_error = FALSE,
17c76198 203};
83da1223 204
17c76198
PP		 205/* Not only do we have our own APIs which don't pass around state, assuming
206it's held in globals, GnuTLS doesn't appear to let us register callback data
207for callbacks, or as part of the session, so we have to keep a "this is the
208context we're currently dealing with" pointer and rely upon being
209single-threaded to keep from processing data on an inbound TLS connection while
210talking to another TLS connection for an outbound check. This does mean that
211there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH		 212second connection.
213XXX But see gnutls_session_get_ptr()
214*/
059ec3d9 215
74f1a423 216static exim_gnutls_state_st state_server;
059ec3d9 217
17c76198
PP		 218/* dh_params are initialised once within the lifetime of a process using TLS;
219if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
220don't want to repeat this. */
83da1223 221
17c76198 222static gnutls_dh_params_t dh_server_params = NULL;
059ec3d9 223
17c76198 224/* No idea how this value was chosen; preserving it. Default is 3600. */
059ec3d9 225
17c76198 226static const int ssl_session_timeout = 200;
059ec3d9 227
17c76198 228static const char * const exim_default_gnutls_priority = "NORMAL";
83da1223 229
17c76198 230/* Guard library core initialisation */
83da1223 231
17c76198 232static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 233
4fb7df6d 234#ifndef DISABLE_OCSP
9196d5bf 235static BOOL gnutls_buggy_ocsp = FALSE;
4fb7df6d 236#endif
9196d5bf 237
059ec3d9 238
17c76198
PP		 239/* ------------------------------------------------------------------------ */
240/* macros */
83da1223 241
17c76198 242#define MAX_HOST_LEN 255
83da1223 243
17c76198
PP		 244/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
245the library logging; a value less than 0 disables the calls to set up logging
ef9da2ee
JH		 246callbacks. Possibly GNuTLS also looks for an environment variable
247"GNUTLS_DEBUG_LEVEL". */
2c17bb02 248#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
a7538db1 249# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 250#endif
83da1223 251
2c17bb02 252#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 253# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 254#endif
83da1223 255
af3498d6
PP		 256/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
257can ask for a bit-strength. Without that, we stick to the constant we had
258before, for now. */
2c17bb02 259#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 260# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 261#endif
af3498d6 262
47195144
JH		 263#define exim_gnutls_err_check(rc, Label) do { \
264 if ((rc) != GNUTLS_E_SUCCESS) \
cf0c6164
JH		 265 return tls_error((Label), gnutls_strerror(rc), host, errstr); \
266 } while (0)
059ec3d9 267
cf0c6164
JH		 268#define expand_check_tlsvar(Varname, errstr) \
269 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 270
17c76198 271#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH		 272# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
273# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
274# define HAVE_GNUTLS_RND
2519e60d
TL		 275/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
276 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
277 * isn't available sometimes, so this needs to become a conditional
278 * compilation; the sanest way to deal with this being a problem on
279 * older OSes is to block it in the Local/Makefile with this compiler
280 * definition */
e51c7be2
JH		 281# ifndef AVOID_GNUTLS_PKCS11
282# define HAVE_GNUTLS_PKCS11
283# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 284#endif
83da1223 285
af3498d6
PP		 286
287
288
289/* ------------------------------------------------------------------------ */
290/* Callback declarations */
291
292#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
293static void exim_gnutls_logger_cb(int level, const char *message);
294#endif
295
296static int exim_sni_handling_cb(gnutls_session_t session);
297
f2de3a33 298#ifndef DISABLE_OCSP
44662487
JH		 299static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
300 gnutls_datum_t * ocsp_response);
301#endif
af3498d6
PP		 302
303
304
17c76198
PP		 305/* ------------------------------------------------------------------------ */
306/* Static functions */
059ec3d9
PH		 307
308/*************************************************
309* Handle TLS error *
310*************************************************/
311
312/* Called from lots of places when errors occur before actually starting to do
313the TLS handshake, that is, while the session is still in clear. Always returns
314DEFER for a server and FAIL for a client so that most calls can use "return
315tls_error(...)" to do this processing and then give an appropriate return. A
316single function is used for both server and client, because it is called from
317some shared functions.
318
319Argument:
320 prefix text to include in the logged error
7199e1ee
TF		 321 msg additional error string (may be NULL)
322 usually obtained from gnutls_strerror()
17c76198
PP		 323 host NULL if setting up a server;
324 the connected host if setting up a client
cf0c6164 325 errstr pointer to returned error string
059ec3d9
PH		 326
327Returns: OK/DEFER/FAIL
328*/
329
330static int
cf0c6164
JH		 331tls_error(const uschar *prefix, const char *msg, const host_item *host,
332 uschar ** errstr)
059ec3d9 333{
cf0c6164
JH		 334if (errstr)
335 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : "");
336return host ? FAIL : DEFER;
059ec3d9
PH		 337}
338
339
340
17c76198 341
059ec3d9 342/*************************************************
17c76198 343* Deal with logging errors during I/O *
059ec3d9
PH		 344*************************************************/
345
17c76198 346/* We have to get the identity of the peer from saved data.
059ec3d9 347
17c76198
PP		 348Argument:
349 state the current GnuTLS exim state container
350 rc the GnuTLS error code, or 0 if it's a local error
351 when text identifying read or write
352 text local error text when ec is 0
059ec3d9 353
17c76198 354Returns: nothing
059ec3d9
PH		 355*/
356
17c76198
PP		 357static void
358record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 359{
cf0c6164
JH		 360const char * msg;
361uschar * errstr;
059ec3d9 362
17c76198
PP		 363if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
364 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
365 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
366else
367 msg = gnutls_strerror(rc);
059ec3d9 368
cf0c6164
JH		 369(void) tls_error(when, msg, state->host, &errstr);
370
371if (state->host)
372 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
373 state->host->name, state->host->address, errstr);
374else
375 {
376 uschar * conn_info = smtp_get_connection_info();
377 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
378 /* I'd like to get separated H= here, but too hard for now */
379 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
380 }
17c76198 381}
059ec3d9 382
059ec3d9 383
059ec3d9 384
059ec3d9 385
17c76198
PP		 386/*************************************************
387* Set various Exim expansion vars *
388*************************************************/
059ec3d9 389
e51c7be2
JH		 390#define exim_gnutls_cert_err(Label) \
391 do \
392 { \
393 if (rc != GNUTLS_E_SUCCESS) \
394 { \
395 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
396 (Label), gnutls_strerror(rc)); \
397 return rc; \
398 } \
399 } while (0)
9d1c15ef
JH		 400
401static int
27f19eb4 402import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH		 403{
404int rc;
405
406rc = gnutls_x509_crt_init(crtp);
407exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
408
409rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
410exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
411
412return rc;
413}
414
415#undef exim_gnutls_cert_err
416
417
17c76198
PP		 418/* We set various Exim global variables from the state, once a session has
419been established. With TLS callouts, may need to change this to stack
420variables, or just re-call it with the server state after client callout
421has finished.
059ec3d9 422
9d1c15ef 423Make sure anything set here is unset in tls_getc().
17c76198
PP		 424
425Sets:
426 tls_active fd
427 tls_bits strength indicator
428 tls_certificate_verified bool indicator
429 tls_channelbinding_b64 for some SASL mechanisms
430 tls_cipher a string
9d1c15ef 431 tls_peercert pointer to library internal
17c76198
PP		 432 tls_peerdn a string
433 tls_sni a (UTF-8) string
9d1c15ef 434 tls_ourcert pointer to library internal
17c76198
PP		 435
436Argument:
437 state the relevant exim_gnutls_state_st *
438*/
439
440static void
9d1c15ef 441extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 442{
17c76198 443gnutls_cipher_algorithm_t cipher;
17c76198
PP		 444#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
445int old_pool;
446int rc;
447gnutls_datum_t channel;
448#endif
9d1c15ef 449tls_support * tlsp = state->tlsp;
17c76198 450
74f1a423
JH		 451tlsp->active.sock = state->fd_out;
452tlsp->active.tls_ctx = state;
17c76198
PP		 453
454cipher = gnutls_cipher_get(state->session);
455/* returns size in "bytes" */
9d1c15ef 456tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
17c76198 457
9d1c15ef 458tlsp->cipher = state->ciphersuite;
17c76198 459
817d9f57 460DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 461
9d1c15ef 462tlsp->certificate_verified = state->peer_cert_verified;
899b8bbc
JH		 463#ifdef SUPPORT_DANE
464tlsp->dane_verified = state->peer_dane_verified;
465#endif
059ec3d9 466
17c76198
PP		 467/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
468only available for use for authenticators while this TLS session is running. */
469
470tls_channelbinding_b64 = NULL;
471#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
472channel.data = NULL;
473channel.size = 0;
474rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
475if (rc) {
476 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
477} else {
478 old_pool = store_pool;
479 store_pool = POOL_PERM;
f4d091fb 480 tls_channelbinding_b64 = b64encode(channel.data, (int)channel.size);
17c76198
PP		 481 store_pool = old_pool;
482 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
483}
484#endif
485
9d1c15ef
JH		 486/* peercert is set in peer_status() */
487tlsp->peerdn = state->peerdn;
488tlsp->sni = state->received_sni;
489
490/* record our certificate */
491 {
27f19eb4 492 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH		 493 gnutls_x509_crt_t crt;
494
495 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
496 }
059ec3d9
PH		 497}
498
499
500
17c76198 501
059ec3d9 502/*************************************************
575643cd 503* Setup up DH parameters *
059ec3d9
PH		 504*************************************************/
505
575643cd 506/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH		 507be re-generated every so often, depending on security policy. What we do is to
508keep these parameters in a file in the spool directory. If the file does not
509exist, we generate them. This means that it is easy to cause a regeneration.
510
511The new file is written as a temporary file and renamed, so that an incomplete
512file is never present. If two processes both compute some new parameters, you
513waste a bit of effort, but it doesn't seem worth messing around with locking to
514prevent this.
515
059ec3d9
PH		 516Returns: OK/DEFER/FAIL
517*/
518
519static int
cf0c6164 520init_server_dh(uschar ** errstr)
059ec3d9 521{
17c76198
PP		 522int fd, rc;
523unsigned int dh_bits;
27f19eb4 524gnutls_datum_t m;
a799883d
PP		 525uschar filename_buf[PATH_MAX];
526uschar *filename = NULL;
17c76198 527size_t sz;
a799883d
PP		 528uschar *exp_tls_dhparam;
529BOOL use_file_in_spool = FALSE;
530BOOL use_fixed_file = FALSE;
17c76198 531host_item *host = NULL; /* dummy for macros */
059ec3d9 532
17c76198 533DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 534
17c76198 535rc = gnutls_dh_params_init(&dh_server_params);
47195144 536exim_gnutls_err_check(rc, US"gnutls_dh_params_init");
059ec3d9 537
a799883d
PP		 538m.data = NULL;
539m.size = 0;
540
cf0c6164 541if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP		 542 return DEFER;
543
544if (!exp_tls_dhparam)
545 {
546 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
547 m.data = US std_dh_prime_default();
548 m.size = Ustrlen(m.data);
549 }
550else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
551 use_file_in_spool = TRUE;
552else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
553 {
554 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
555 return OK;
556 }
557else if (exp_tls_dhparam[0] != '/')
558 {
f5d25c2b 559 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
cf0c6164 560 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL, errstr);
a799883d
PP		 561 m.size = Ustrlen(m.data);
562 }
563else
564 {
565 use_fixed_file = TRUE;
566 filename = exp_tls_dhparam;
567 }
568
569if (m.data)
570 {
571 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
47195144 572 exim_gnutls_err_check(rc, US"gnutls_dh_params_import_pkcs3");
a799883d
PP		 573 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
574 return OK;
575 }
576
af3498d6
PP		 577#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
578/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198
PP		 579different filename and ensure we have sufficient bits. */
580dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
581if (!dh_bits)
cf0c6164 582 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 583DEBUG(D_tls)
b34fc30c 584 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP		 585 dh_bits);
586#else
587dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
588DEBUG(D_tls)
589 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
590 dh_bits);
591#endif
059ec3d9 592
3375e053
PP		 593/* Some clients have hard-coded limits. */
594if (dh_bits > tls_dh_max_bits)
595 {
596 DEBUG(D_tls)
597 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
598 tls_dh_max_bits);
599 dh_bits = tls_dh_max_bits;
600 }
601
a799883d
PP		 602if (use_file_in_spool)
603 {
604 if (!string_format(filename_buf, sizeof(filename_buf),
605 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 606 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP		 607 filename = filename_buf;
608 }
059ec3d9 609
b5aea5e1 610/* Open the cache file for reading and if successful, read it and set up the
575643cd 611parameters. */
059ec3d9 612
f5d25c2b 613if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 614 {
b5aea5e1 615 struct stat statbuf;
17c76198
PP		 616 FILE *fp;
617 int saved_errno;
618
619 if (fstat(fd, &statbuf) < 0) /* EIO */
620 {
621 saved_errno = errno;
622 (void)close(fd);
cf0c6164 623 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL, errstr);
17c76198
PP		 624 }
625 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH		 626 {
627 (void)close(fd);
cf0c6164 628 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 629 }
40c90bca 630 if (!(fp = fdopen(fd, "rb")))
17c76198
PP		 631 {
632 saved_errno = errno;
633 (void)close(fd);
634 return tls_error(US"fdopen(TLS cache stat fd) failed",
cf0c6164 635 strerror(saved_errno), NULL, errstr);
b5aea5e1 636 }
059ec3d9 637
b5aea5e1 638 m.size = statbuf.st_size;
40c90bca 639 if (!(m.data = malloc(m.size)))
17c76198
PP		 640 {
641 fclose(fp);
cf0c6164 642 return tls_error(US"malloc failed", strerror(errno), NULL, errstr);
17c76198 643 }
40c90bca 644 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP		 645 {
646 saved_errno = errno;
647 fclose(fp);
648 free(m.data);
cf0c6164 649 return tls_error(US"fread failed", strerror(saved_errno), NULL, errstr);
17c76198
PP		 650 }
651 fclose(fp);
b5aea5e1 652
17c76198 653 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
b5aea5e1 654 free(m.data);
47195144 655 exim_gnutls_err_check(rc, US"gnutls_dh_params_import_pkcs3");
17c76198 656 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH		 657 }
658
659/* If the file does not exist, fall through to compute new data and cache it.
660If there was any other opening error, it is serious. */
661
182ad5cf
PH		 662else if (errno == ENOENT)
663 {
17c76198 664 rc = -1;
182ad5cf 665 DEBUG(D_tls)
17c76198 666 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH		 667 }
668else
17c76198 669 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 670 NULL, NULL, errstr);
b5aea5e1
PH		 671
672/* If ret < 0, either the cache file does not exist, or the data it contains
673is not useful. One particular case of this is when upgrading from an older
674release of Exim in which the data was stored in a different format. We don't
675try to be clever and support both formats; we just regenerate new data in this
676case. */
677
17c76198 678if (rc < 0)
b5aea5e1 679 {
17c76198 680 uschar *temp_fn;
201f5254 681 unsigned int dh_bits_gen = dh_bits;
059ec3d9 682
17c76198
PP		 683 if ((PATH_MAX - Ustrlen(filename)) < 10)
684 return tls_error(US"Filename too long to generate replacement",
cf0c6164 685 CS filename, NULL, errstr);
059ec3d9 686
17c76198 687 temp_fn = string_copy(US "%s.XXXXXXX");
f5d25c2b 688 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
cf0c6164 689 return tls_error(US"Unable to open temp file", strerror(errno), NULL, errstr);
059ec3d9
PH		 690 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
691
201f5254
PP		 692 /* GnuTLS overshoots!
693 * If we ask for 2236, we might get 2237 or more.
694 * But there's no way to ask GnuTLS how many bits there really are.
695 * We can ask how many bits were used in a TLS session, but that's it!
696 * The prime itself is hidden behind too much abstraction.
697 * So we ask for less, and proceed on a wing and a prayer.
698 * First attempt, subtracted 3 for 2233 and got 2240.
699 */
cae6e576 700 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP		 701 {
702 dh_bits_gen = dh_bits - 10;
703 DEBUG(D_tls)
704 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
705 dh_bits_gen);
706 }
707
708 DEBUG(D_tls)
709 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
710 dh_bits_gen);
711 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
47195144 712 exim_gnutls_err_check(rc, US"gnutls_dh_params_generate2");
17c76198
PP		 713
714 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
715 and I confirmed that a NULL call to get the size first is how the GnuTLS
716 sample apps handle this. */
717
718 sz = 0;
719 m.data = NULL;
720 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
721 m.data, &sz);
722 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
47195144 723 exim_gnutls_err_check(rc, US"gnutls_dh_params_export_pkcs3(NULL) sizing");
17c76198 724 m.size = sz;
40c90bca 725 if (!(m.data = malloc(m.size)))
cf0c6164 726 return tls_error(US"memory allocation failed", strerror(errno), NULL, errstr);
40c90bca 727
1f00591e 728 /* this will return a size 1 less than the allocation size above */
17c76198 729 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
1f00591e 730 m.data, &sz);
17c76198
PP		 731 if (rc != GNUTLS_E_SUCCESS)
732 {
733 free(m.data);
47195144 734 exim_gnutls_err_check(rc, US"gnutls_dh_params_export_pkcs3() real");
17c76198 735 }
1f00591e 736 m.size = sz; /* shrink by 1, probably */
059ec3d9 737
f5d25c2b 738 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198
PP		 739 {
740 free(m.data);
741 return tls_error(US"TLS cache write D-H params failed",
cf0c6164 742 strerror(errno), NULL, errstr);
17c76198 743 }
b5aea5e1 744 free(m.data);
f5d25c2b 745 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
17c76198 746 return tls_error(US"TLS cache write D-H params final newline failed",
cf0c6164 747 strerror(errno), NULL, errstr);
17c76198 748
f5d25c2b 749 if ((rc = close(fd)))
cf0c6164 750 return tls_error(US"TLS cache write close() failed", strerror(errno), NULL, errstr);
059ec3d9 751
17c76198
PP		 752 if (Urename(temp_fn, filename) < 0)
753 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
cf0c6164 754 temp_fn, filename), strerror(errno), NULL, errstr);
059ec3d9 755
17c76198 756 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH		 757 }
758
17c76198 759DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH		 760return OK;
761}
762
763
764
765
23bb6982
JH		 766/* Create and install a selfsigned certificate, for use in server mode */
767
768static int
cf0c6164 769tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH		 770{
771gnutls_x509_crt_t cert = NULL;
772time_t now;
773gnutls_x509_privkey_t pkey = NULL;
774const uschar * where;
775int rc;
776
777where = US"initialising pkey";
778if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
779
780where = US"initialising cert";
781if ((rc = gnutls_x509_crt_init(&cert))) goto err;
782
783where = US"generating pkey";
784if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 785#ifdef SUPPORT_PARAM_TO_PK_BITS
23bb6982 786 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW),
76075bb5
JH		 787#else
788 1024,
789#endif
790 0)))
23bb6982
JH		 791 goto err;
792
793where = US"configuring cert";
1613fd68 794now = 1;
23bb6982
JH		 795if ( (rc = gnutls_x509_crt_set_version(cert, 3))
796 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
797 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
798 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
799 || (rc = gnutls_x509_crt_set_key(cert, pkey))
800
801 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
802 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
803 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
804 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
805 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
806 GNUTLS_OID_X520_COMMON_NAME, 0,
807 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
808 )
809 goto err;
810
811where = US"signing cert";
812if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
813
814where = US"installing selfsign cert";
815 /* Since: 2.4.0 */
816if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
817 goto err;
818
819rc = OK;
820
821out:
822 if (cert) gnutls_x509_crt_deinit(cert);
823 if (pkey) gnutls_x509_privkey_deinit(pkey);
824 return rc;
825
826err:
cf0c6164 827 rc = tls_error(where, gnutls_strerror(rc), NULL, errstr);
23bb6982
JH		 828 goto out;
829}
830
831
832
833
47195144
JH		 834/* Add certificate and key, from files.
835
836Return:
837 Zero or negative: good. Negate value for certificate index if < 0.
838 Greater than zero: FAIL or DEFER code.
839*/
840
ba86e143
JH		 841static int
842tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
843 uschar * certfile, uschar * keyfile, uschar ** errstr)
844{
845int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
846 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
47195144
JH		 847if (rc < 0)
848 return tls_error(
849 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
850 gnutls_strerror(rc), host, errstr);
851return -rc;
ba86e143
JH		 852}
853
854
059ec3d9 855/*************************************************
17c76198 856* Variables re-expanded post-SNI *
059ec3d9
PH		 857*************************************************/
858
17c76198
PP		 859/* Called from both server and client code, via tls_init(), and also from
860the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
861
862We can tell the two apart by state->received_sni being non-NULL in callback.
863
864The callback should not call us unless state->trigger_sni_changes is true,
865which we are responsible for setting on the first pass through.
059ec3d9
PH		 866
867Arguments:
17c76198 868 state exim_gnutls_state_st *
cf0c6164 869 errstr error string pointer
059ec3d9
PH		 870
871Returns: OK/DEFER/FAIL
872*/
873
874static int
ba86e143 875tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 876{
1365611d 877struct stat statbuf;
059ec3d9 878int rc;
17c76198
PP		 879const host_item *host = state->host; /* macro should be reconsidered? */
880uschar *saved_tls_certificate = NULL;
881uschar *saved_tls_privatekey = NULL;
882uschar *saved_tls_verify_certificates = NULL;
883uschar *saved_tls_crl = NULL;
884int cert_count;
885
886/* We check for tls_sni *before* expansion. */
2b4a568d 887if (!host) /* server */
17c76198
PP		 888 if (!state->received_sni)
889 {
ba86e143
JH		 890 if ( state->tls_certificate
891 && ( Ustrstr(state->tls_certificate, US"tls_sni")
892 || Ustrstr(state->tls_certificate, US"tls_in_sni")
893 || Ustrstr(state->tls_certificate, US"tls_out_sni")
894 ) )
17c76198
PP		 895 {
896 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
897 state->trigger_sni_changes = TRUE;
898 }
899 }
900 else
901 {
1365611d 902 /* useful for debugging */
17c76198
PP		 903 saved_tls_certificate = state->exp_tls_certificate;
904 saved_tls_privatekey = state->exp_tls_privatekey;
905 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
906 saved_tls_crl = state->exp_tls_crl;
907 }
059ec3d9 908
1365611d 909rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
47195144
JH		 910exim_gnutls_err_check(rc, US"gnutls_certificate_allocate_credentials");
911
912#ifdef SUPPORT_SRV_OCSP_STACK
913gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
914#endif
1365611d 915
17c76198
PP		 916/* remember: expand_check_tlsvar() is expand_check() but fiddling with
917state members, assuming consistent naming; and expand_check() returns
918false if expansion failed, unless expansion was forced to fail. */
059ec3d9 919
17c76198
PP		 920/* check if we at least have a certificate, before doing expensive
921D-H generation. */
059ec3d9 922
cf0c6164 923if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 924 return DEFER;
059ec3d9 925
17c76198 926/* certificate is mandatory in server, optional in client */
059ec3d9 927
23bb6982
JH		 928if ( !state->exp_tls_certificate
929 || !*state->exp_tls_certificate
930 )
2b4a568d 931 if (!host)
cf0c6164 932 return tls_install_selfsign(state, errstr);
17c76198
PP		 933 else
934 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 935
cf0c6164 936if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH		 937 return DEFER;
938
17c76198
PP		 939/* tls_privatekey is optional, defaulting to same file as certificate */
940
941if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
059ec3d9 942 {
17c76198
PP		 943 state->tls_privatekey = state->tls_certificate;
944 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 945 }
c91535f3 946
059ec3d9 947
17c76198 948if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH		 949 {
950 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP		 951 state->exp_tls_certificate, state->exp_tls_privatekey);
952
953 if (state->received_sni)
23bb6982
JH		 954 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
955 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
956 )
17c76198 957 {
b34fc30c 958 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP		 959 }
960 else
961 {
b34fc30c 962 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 963 }
059ec3d9 964
ba86e143
JH		 965 if (!host) /* server */
966 {
967 const uschar * clist = state->exp_tls_certificate;
968 const uschar * klist = state->exp_tls_privatekey;
47195144
JH		 969 const uschar * olist;
970 int csep = 0, ksep = 0, osep = 0, cnt = 0;
971 uschar * cfile, * kfile, * ofile;
972
973#ifndef DISABLE_OCSP
974 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
975 return DEFER;
976 olist = ofile;
977#endif
ba86e143
JH		 978
979 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
47195144 980
ba86e143
JH		 981 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
982 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
47195144 983 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
ba86e143
JH		 984 return rc;
985 else
47195144
JH		 986 {
987 int gnutls_cert_index = -rc;
ba86e143 988 DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile);
47195144
JH		 989
990 /* Set the OCSP stapling server info */
991
992#ifndef DISABLE_OCSP
993 if (tls_ocsp_file)
994 if (gnutls_buggy_ocsp)
995 {
996 DEBUG(D_tls)
997 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
998 }
999 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1000 {
1001 /* Use the full callback method for stapling just to get
1002 observability. More efficient would be to read the file once only,
1003 if it never changed (due to SNI). Would need restart on file update,
1004 or watch datestamp. */
1005
1006# ifdef SUPPORT_SRV_OCSP_STACK
1007 rc = gnutls_certificate_set_ocsp_status_request_function2(
1008 state->x509_cred, gnutls_cert_index,
1009 server_ocsp_stapling_cb, ofile);
1010
1011 exim_gnutls_err_check(rc,
1012 US"gnutls_certificate_set_ocsp_status_request_function2");
1013# else
1014 if (cnt++ > 0)
1015 {
1016 DEBUG(D_tls)
1017 debug_printf("oops; multiple OCSP files not supported\n");
1018 break;
1019 }
1020 gnutls_certificate_set_ocsp_status_request_function(
1021 state->x509_cred, server_ocsp_stapling_cb, ofile);
1022# endif
1023
1024 DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile);
1025 }
1026 else
1027 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
1028#endif
1029 }
ba86e143
JH		 1030 }
1031 else
1032 {
47195144 1033 if (0 < (rc = tls_add_certfile(state, host,
ba86e143
JH		 1034 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1035 return rc;
1036 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1037 }
1038
b34fc30c 1039 } /* tls_certificate */
059ec3d9 1040
2b4a568d 1041
059ec3d9
PH		 1042/* Set the trusted CAs file if one is provided, and then add the CRL if one is
1043provided. Experiment shows that, if the certificate file is empty, an unhelpful
1044error message is provided. However, if we just refrain from setting anything up
1045in that case, certificate verification fails, which seems to be the correct
1046behaviour. */
1047
610ff438 1048if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 1049 {
cf0c6164 1050 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 1051 return DEFER;
610ff438
JH		 1052#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1053 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1054 state->exp_tls_verify_certificates = NULL;
1055#endif
17c76198 1056 if (state->tls_crl && *state->tls_crl)
cf0c6164 1057 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 1058 return DEFER;
059ec3d9 1059
1365611d
PP		 1060 if (!(state->exp_tls_verify_certificates &&
1061 *state->exp_tls_verify_certificates))
b34fc30c
PP		 1062 {
1063 DEBUG(D_tls)
1365611d
PP		 1064 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1065 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 1066 return OK;
b34fc30c 1067 }
1365611d 1068 }
83e2f8a2
PP		 1069else
1070 {
1071 DEBUG(D_tls)
1072 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1073 return OK;
1074 }
17c76198 1075
cb1d7830
JH		 1076#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1077if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1078 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1079else
1080#endif
1365611d 1081 {
cb1d7830
JH		 1082 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1083 {
1084 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
1085 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1086 strerror(errno));
1087 return DEFER;
1088 }
17c76198 1089
a7fec7a7 1090#ifndef SUPPORT_CA_DIR
cb1d7830
JH		 1091 /* The test suite passes in /dev/null; we could check for that path explicitly,
1092 but who knows if someone has some weird FIFO which always dumps some certs, or
1093 other weirdness. The thing we really want to check is that it's not a
1094 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 1095 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH		 1096 if (S_ISDIR(statbuf.st_mode))
1097 {
1098 DEBUG(D_tls)
1099 debug_printf("verify certificates path is a dir: \"%s\"\n",
1100 state->exp_tls_verify_certificates);
1101 log_write(0, LOG_MAIN|LOG_PANIC,
1102 "tls_verify_certificates \"%s\" is a directory",
1103 state->exp_tls_verify_certificates);
1104 return DEFER;
1105 }
a7fec7a7 1106#endif
059ec3d9 1107
cb1d7830
JH		 1108 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1109 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 1110
cb1d7830
JH		 1111 if (statbuf.st_size == 0)
1112 {
1113 DEBUG(D_tls)
1114 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1115 return OK;
1116 }
059ec3d9 1117
cb1d7830 1118 cert_count =
a7fec7a7
JH		 1119
1120#ifdef SUPPORT_CA_DIR
cb1d7830
JH		 1121 (statbuf.st_mode & S_IFMT) == S_IFDIR
1122 ?
1123 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1124 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1125 :
a7fec7a7 1126#endif
cb1d7830
JH		 1127 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1128 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
1129 }
a7fec7a7 1130
1365611d
PP		 1131if (cert_count < 0)
1132 {
1133 rc = cert_count;
47195144 1134 exim_gnutls_err_check(rc, US"setting certificate trust");
1365611d
PP		 1135 }
1136DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1137
5c8cda3a
PP		 1138if (state->tls_crl && *state->tls_crl &&
1139 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1140 {
5c8cda3a
PP		 1141 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
1142 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1143 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
1144 if (cert_count < 0)
1365611d 1145 {
5c8cda3a 1146 rc = cert_count;
47195144 1147 exim_gnutls_err_check(rc, US"gnutls_certificate_set_x509_crl_file");
1365611d 1148 }
5c8cda3a 1149 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1150 }
059ec3d9 1151
059ec3d9
PH		 1152return OK;
1153}
1154
1155
1156
1157
1365611d
PP		 1158/*************************************************
1159* Set X.509 state variables *
1160*************************************************/
1161
1162/* In GnuTLS, the registered cert/key are not replaced by a later
1163set of a cert/key, so for SNI support we need a whole new x509_cred
1164structure. Which means various other non-re-expanded pieces of state
1165need to be re-set in the new struct, so the setting logic is pulled
1166out to this.
1167
1168Arguments:
1169 state exim_gnutls_state_st *
cf0c6164 1170 errstr error string pointer
1365611d
PP		 1171
1172Returns: OK/DEFER/FAIL
1173*/
1174
1175static int
cf0c6164 1176tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP		 1177{
1178int rc;
1179const host_item *host = state->host; /* macro should be reconsidered? */
1180
1181/* Create D-H parameters, or read them from the cache file. This function does
1182its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1183client-side params. */
1184
1185if (!state->host)
1186 {
1187 if (!dh_server_params)
1188 {
cf0c6164 1189 rc = init_server_dh(errstr);
1365611d
PP		 1190 if (rc != OK) return rc;
1191 }
1192 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1193 }
1194
1195/* Link the credentials to the session. */
1196
1197rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
47195144 1198exim_gnutls_err_check(rc, US"gnutls_credentials_set");
1365611d
PP		 1199
1200return OK;
1201}
1202
059ec3d9 1203/*************************************************
17c76198 1204* Initialize for GnuTLS *
059ec3d9
PH		 1205*************************************************/
1206
9196d5bf 1207
4fb7df6d
JH		 1208#ifndef DISABLE_OCSP
1209
9196d5bf
JH		 1210static BOOL
1211tls_is_buggy_ocsp(void)
1212{
1213const uschar * s;
1214uschar maj, mid, mic;
1215
1216s = CUS gnutls_check_version(NULL);
1217maj = atoi(CCS s);
1218if (maj == 3)
1219 {
1220 while (*s && *s != '.') s++;
1221 mid = atoi(CCS ++s);
1222 if (mid <= 2)
1223 return TRUE;
1224 else if (mid >= 5)
1225 return FALSE;
1226 else
1227 {
1228 while (*s && *s != '.') s++;
1229 mic = atoi(CCS ++s);
1230 return mic <= (mid == 3 ? 16 : 3);
1231 }
1232 }
1233return FALSE;
1234}
1235
4fb7df6d 1236#endif
9196d5bf
JH		 1237
1238
17c76198
PP		 1239/* Called from both server and client code. In the case of a server, errors
1240before actual TLS negotiation return DEFER.
059ec3d9
PH		 1241
1242Arguments:
17c76198
PP		 1243 host connected host, if client; NULL if server
1244 certificate certificate file
1245 privatekey private key file
1246 sni TLS SNI to send, sometimes when client; else NULL
1247 cas CA certs file
1248 crl CRL file
1249 require_ciphers tls_require_ciphers setting
817d9f57 1250 caller_state returned state-info structure
cf0c6164 1251 errstr error string pointer
059ec3d9 1252
17c76198 1253Returns: OK/DEFER/FAIL
059ec3d9
PH		 1254*/
1255
17c76198
PP		 1256static int
1257tls_init(
1258 const host_item *host,
1259 const uschar *certificate,
1260 const uschar *privatekey,
1261 const uschar *sni,
1262 const uschar *cas,
1263 const uschar *crl,
1264 const uschar *require_ciphers,
cf0c6164 1265 exim_gnutls_state_st **caller_state,
74f1a423 1266 tls_support * tlsp,
cf0c6164 1267 uschar ** errstr)
059ec3d9 1268{
17c76198
PP		 1269exim_gnutls_state_st *state;
1270int rc;
1271size_t sz;
1272const char *errpos;
1273uschar *p;
1274BOOL want_default_priorities;
1275
1276if (!exim_gnutls_base_init_done)
059ec3d9 1277 {
17c76198
PP		 1278 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1279
a5f239e4
PP		 1280#ifdef HAVE_GNUTLS_PKCS11
1281 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1282 which loads modules from a config file, which sounds good and may be wanted
1283 by some sysadmin, but also means in common configurations that GNOME keyring
1284 environment variables are used and so breaks for users calling mailq.
1285 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1286 if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 1287 {
1288 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
47195144 1289 exim_gnutls_err_check(rc, US"gnutls_pkcs11_init");
a5f239e4
PP		 1290 }
1291#endif
1292
17c76198 1293 rc = gnutls_global_init();
47195144 1294 exim_gnutls_err_check(rc, US"gnutls_global_init");
17c76198
PP		 1295
1296#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1297 DEBUG(D_tls)
059ec3d9 1298 {
17c76198
PP		 1299 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1300 /* arbitrarily chosen level; bump upto 9 for more */
1301 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1302 }
17c76198
PP		 1303#endif
1304
4fb7df6d
JH		 1305#ifndef DISABLE_OCSP
1306 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1307 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1308#endif
9196d5bf 1309
17c76198 1310 exim_gnutls_base_init_done = TRUE;
059ec3d9 1311 }
059ec3d9 1312
17c76198
PP		 1313if (host)
1314 {
74f1a423
JH		 1315 /* For client-side sessions we allocate a context. This lets us run
1316 several in parallel. */
1317 int old_pool = store_pool;
1318 store_pool = POOL_PERM;
1319 state = store_get(sizeof(exim_gnutls_state_st));
1320 store_pool = old_pool;
1321
17c76198 1322 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1323 state->tlsp = tlsp;
17c76198
PP		 1324 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1325 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1326 }
1327else
1328 {
1329 state = &state_server;
1330 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1331 state->tlsp = tlsp;
17c76198
PP		 1332 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1333 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1334 }
47195144 1335exim_gnutls_err_check(rc, US"gnutls_init");
059ec3d9 1336
17c76198 1337state->host = host;
059ec3d9 1338
17c76198
PP		 1339state->tls_certificate = certificate;
1340state->tls_privatekey = privatekey;
5779e6aa 1341state->tls_require_ciphers = require_ciphers;
17c76198
PP		 1342state->tls_sni = sni;
1343state->tls_verify_certificates = cas;
1344state->tls_crl = crl;
059ec3d9 1345
17c76198
PP		 1346/* This handles the variables that might get re-expanded after TLS SNI;
1347that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1348
17c76198
PP		 1349DEBUG(D_tls)
1350 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1351if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1352
1365611d
PP		 1353/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1354requires a new structure afterwards. */
83da1223 1355
cf0c6164 1356if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1357
17c76198
PP		 1358/* set SNI in client, only */
1359if (host)
1360 {
cf0c6164 1361 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1362 return DEFER;
0df4ab80 1363 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP		 1364 {
1365 DEBUG(D_tls)
0df4ab80
JH		 1366 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1367 sz = Ustrlen(state->tlsp->sni);
17c76198 1368 rc = gnutls_server_name_set(state->session,
0df4ab80 1369 GNUTLS_NAME_DNS, state->tlsp->sni, sz);
47195144 1370 exim_gnutls_err_check(rc, US"gnutls_server_name_set");
17c76198
PP		 1371 }
1372 }
1373else if (state->tls_sni)
1374 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
ba86e143 1375 "have an SNI set for a server [%s]\n", state->tls_sni);
83da1223 1376
17c76198 1377/* This is the priority string support,
42bfef1e 1378http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP		 1379and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1380This was backwards incompatible, but means Exim no longer needs to track
1381all algorithms and provide string forms for them. */
83da1223 1382
17c76198 1383want_default_priorities = TRUE;
83da1223 1384
17c76198 1385if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1386 {
cf0c6164 1387 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP		 1388 return DEFER;
1389 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1390 {
17c76198
PP		 1391 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1392 state->exp_tls_require_ciphers);
1393
1394 rc = gnutls_priority_init(&state->priority_cache,
1395 CS state->exp_tls_require_ciphers, &errpos);
1396 want_default_priorities = FALSE;
1397 p = state->exp_tls_require_ciphers;
83da1223
PH		 1398 }
1399 }
17c76198
PP		 1400if (want_default_priorities)
1401 {
83e2f8a2
PP		 1402 DEBUG(D_tls)
1403 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1404 exim_default_gnutls_priority);
17c76198
PP		 1405 rc = gnutls_priority_init(&state->priority_cache,
1406 exim_default_gnutls_priority, &errpos);
1407 p = US exim_default_gnutls_priority;
1408 }
83da1223 1409
47195144 1410exim_gnutls_err_check(rc, string_sprintf(
17c76198
PP		 1411 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1412 p, errpos - CS p, errpos));
1413
1414rc = gnutls_priority_set(state->session, state->priority_cache);
47195144 1415exim_gnutls_err_check(rc, US"gnutls_priority_set");
17c76198
PP		 1416
1417gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1418
1419/* Reduce security in favour of increased compatibility, if the admin
1420decides to make that trade-off. */
1421if (gnutls_compat_mode)
83da1223 1422 {
17c76198
PP		 1423#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1424 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1425 gnutls_session_enable_compatibility_mode(state->session);
1426#else
1427 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1428#endif
83da1223
PH		 1429 }
1430
17c76198 1431*caller_state = state;
17c76198 1432return OK;
83da1223
PH		 1433}
1434
1435
1436
059ec3d9 1437/*************************************************
17c76198 1438* Extract peer information *
059ec3d9
PH		 1439*************************************************/
1440
17c76198 1441/* Called from both server and client code.
4fe99a6c
PP		 1442Only this is allowed to set state->peerdn and state->have_set_peerdn
1443and we use that to detect double-calls.
059ec3d9 1444
75fe387d
PP		 1445NOTE: the state blocks last while the TLS connection is up, which is fine
1446for logging in the server side, but for the client side, we log after teardown
1447in src/deliver.c. While the session is up, we can twist about states and
1448repoint tls_* globals, but those variables used for logging or other variable
1449expansion that happens _after_ delivery need to have a longer life-time.
1450
1451So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1452doing this more than once per generation of a state context. We set them in
1453the state context, and repoint tls_* to them. After the state goes away, the
1454tls_* copies of the pointers remain valid and client delivery logging is happy.
1455
1456tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1457don't apply.
1458
059ec3d9 1459Arguments:
17c76198 1460 state exim_gnutls_state_st *
cf0c6164 1461 errstr pointer to error string
059ec3d9 1462
17c76198 1463Returns: OK/DEFER/FAIL
059ec3d9
PH		 1464*/
1465
17c76198 1466static int
cf0c6164 1467peer_status(exim_gnutls_state_st *state, uschar ** errstr)
059ec3d9 1468{
75fe387d 1469uschar cipherbuf[256];
27f19eb4 1470const gnutls_datum_t *cert_list;
75fe387d 1471int old_pool, rc;
17c76198 1472unsigned int cert_list_size = 0;
4fe99a6c
PP		 1473gnutls_protocol_t protocol;
1474gnutls_cipher_algorithm_t cipher;
1475gnutls_kx_algorithm_t kx;
1476gnutls_mac_algorithm_t mac;
17c76198
PP		 1477gnutls_certificate_type_t ct;
1478gnutls_x509_crt_t crt;
4fe99a6c 1479uschar *p, *dn_buf;
17c76198 1480size_t sz;
059ec3d9 1481
4fe99a6c 1482if (state->have_set_peerdn)
17c76198 1483 return OK;
4fe99a6c 1484state->have_set_peerdn = TRUE;
059ec3d9 1485
4fe99a6c 1486state->peerdn = NULL;
059ec3d9 1487
4fe99a6c
PP		 1488/* tls_cipher */
1489cipher = gnutls_cipher_get(state->session);
1490protocol = gnutls_protocol_get_version(state->session);
1491mac = gnutls_mac_get(state->session);
1492kx = gnutls_kx_get(state->session);
1493
75fe387d 1494string_format(cipherbuf, sizeof(cipherbuf),
4fe99a6c
PP		 1495 "%s:%s:%d",
1496 gnutls_protocol_get_name(protocol),
1497 gnutls_cipher_suite_get_name(kx, cipher, mac),
1498 (int) gnutls_cipher_get_key_size(cipher) * 8);
1499
1500/* I don't see a way that spaces could occur, in the current GnuTLS
1501code base, but it was a concern in the old code and perhaps older GnuTLS
1502releases did return "TLS 1.0"; play it safe, just in case. */
75fe387d 1503for (p = cipherbuf; *p != '\0'; ++p)
4fe99a6c
PP		 1504 if (isspace(*p))
1505 *p = '-';
75fe387d
PP		 1506old_pool = store_pool;
1507store_pool = POOL_PERM;
1508state->ciphersuite = string_copy(cipherbuf);
1509store_pool = old_pool;
817d9f57 1510state->tlsp->cipher = state->ciphersuite;
4fe99a6c
PP		 1511
1512/* tls_peerdn */
17c76198 1513cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
83da1223 1514
17c76198
PP		 1515if (cert_list == NULL || cert_list_size == 0)
1516 {
17c76198
PP		 1517 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1518 cert_list, cert_list_size);
e51c7be2 1519 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1520 return tls_error(US"certificate verification failed",
cf0c6164 1521 "no certificate received from peer", state->host, errstr);
17c76198
PP		 1522 return OK;
1523 }
059ec3d9 1524
17c76198
PP		 1525ct = gnutls_certificate_type_get(state->session);
1526if (ct != GNUTLS_CRT_X509)
059ec3d9 1527 {
17c76198 1528 const char *ctn = gnutls_certificate_type_get_name(ct);
17c76198
PP		 1529 DEBUG(D_tls)
1530 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1531 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1532 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1533 ctn, state->host, errstr);
17c76198 1534 return OK;
83da1223 1535 }
059ec3d9 1536
e51c7be2
JH		 1537#define exim_gnutls_peer_err(Label) \
1538 do { \
1539 if (rc != GNUTLS_E_SUCCESS) \
1540 { \
1541 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1542 (Label), gnutls_strerror(rc)); \
1543 if (state->verify_requirement >= VERIFY_REQUIRED) \
cf0c6164 1544 return tls_error((Label), gnutls_strerror(rc), state->host, errstr); \
e51c7be2
JH		 1545 return OK; \
1546 } \
1547 } while (0)
17c76198 1548
9d1c15ef
JH		 1549rc = import_cert(&cert_list[0], &crt);
1550exim_gnutls_peer_err(US"cert 0");
1551
1552state->tlsp->peercert = state->peercert = crt;
17c76198 1553
17c76198
PP		 1554sz = 0;
1555rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1556if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1557 {
17c76198
PP		 1558 exim_gnutls_peer_err(US"getting size for cert DN failed");
1559 return FAIL; /* should not happen */
059ec3d9 1560 }
17c76198
PP		 1561dn_buf = store_get_perm(sz);
1562rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1563exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1564
17c76198
PP		 1565state->peerdn = dn_buf;
1566
1567return OK;
1568#undef exim_gnutls_peer_err
1569}
059ec3d9 1570
059ec3d9 1571
059ec3d9 1572
059ec3d9 1573
17c76198
PP		 1574/*************************************************
1575* Verify peer certificate *
1576*************************************************/
059ec3d9 1577
17c76198
PP		 1578/* Called from both server and client code.
1579*Should* be using a callback registered with
1580gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1581the peer information, but that's too new for some OSes.
059ec3d9 1582
17c76198 1583Arguments:
899b8bbc
JH		 1584 state exim_gnutls_state_st *
1585 errstr where to put an error message
059ec3d9 1586
17c76198
PP		 1587Returns:
1588 FALSE if the session should be rejected
1589 TRUE if the cert is okay or we just don't care
1590*/
059ec3d9 1591
17c76198 1592static BOOL
28646fa9 1593verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
17c76198
PP		 1594{
1595int rc;
899b8bbc
JH		 1596uint verify;
1597
1598if (state->verify_requirement == VERIFY_NONE)
1599 return TRUE;
17c76198 1600
8008accd 1601DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
cf0c6164 1602*errstr = NULL;
17c76198 1603
cf0c6164 1604if ((rc = peer_status(state, errstr)) != OK)
e6060e2c 1605 {
17c76198 1606 verify = GNUTLS_CERT_INVALID;
cf0c6164 1607 *errstr = US"certificate not supplied";
17c76198
PP		 1608 }
1609else
899b8bbc
JH		 1610
1611 {
1612#ifdef SUPPORT_DANE
1613 if (state->verify_requirement == VERIFY_DANE && state->host)
1614 {
1615 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1616 including talking to a DNS resolver. But we want to do that bit ourselves
1617 as the testsuite intercepts and fakes its own DNS environment. */
1618
1619 dane_state_t s;
1620 dane_query_t r;
899b8bbc 1621 uint lsize;
94c13285
JH		 1622 const gnutls_datum_t * certlist =
1623 gnutls_certificate_get_peers(state->session, &lsize);
1624 int usage = tls_out.tlsa_usage;
1625
1626# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1627 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1628 dane-verification separately so that we know which selector verified;
570cb1bd 1629 then we know whether to do name-verification (needed for TA but not EE). */
94c13285
JH		 1630
1631 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
bd5b3f3c 1632 { /* a mixed-usage bundle */
94c13285
JH		 1633 int i, j, nrec;
1634 const char ** dd;
1635 int * ddl;
1636
1637 for(nrec = 0; state->dane_data_len[nrec]; ) nrec++;
1638 nrec++;
1639
1640 dd = store_get(nrec * sizeof(uschar *));
1641 ddl = store_get(nrec * sizeof(int));
1642 nrec--;
1643
1644 if ((rc = dane_state_init(&s, 0)))
1645 goto tlsa_prob;
1646
1647 for (usage = DANESSL_USAGE_DANE_EE;
1648 usage >= DANESSL_USAGE_DANE_TA; usage--)
1649 { /* take records with this usage */
1650 for (j = i = 0; i < nrec; i++)
1651 if (state->dane_data[i][0] == usage)
1652 {
1653 dd[j] = state->dane_data[i];
1654 ddl[j++] = state->dane_data_len[i];
1655 }
1656 if (j)
1657 {
1658 dd[j] = NULL;
1659 ddl[j] = 0;
1660
1661 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1662 goto tlsa_prob;
1663
1664 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1665 gnutls_certificate_type_get(state->session),
1666 r, 0,
1667 usage == DANESSL_USAGE_DANE_EE
1668 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1669 &verify)))
1670 {
1671 DEBUG(D_tls)
1672 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1673 }
1674 else if (verify == 0) /* verification passed */
1675 {
1676 usage = 1 << usage;
1677 break;
1678 }
1679 }
1680 }
899b8bbc 1681
94c13285
JH		 1682 if (rc) goto tlsa_prob;
1683 }
1684 else
1685# endif
899b8bbc 1686 {
94c13285
JH		 1687 if ( (rc = dane_state_init(&s, 0))
1688 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
1689 1, 0))
1690 || (rc = dane_verify_crt_raw(s, certlist, lsize,
1691 gnutls_certificate_type_get(state->session),
5ec37a55 1692 r, 0,
94c13285
JH		 1693# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1694 usage == (1 << DANESSL_USAGE_DANE_EE)
1695 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1696# else
1697 0,
1698# endif
1699 &verify))
1700 )
1701 goto tlsa_prob;
899b8bbc 1702 }
94c13285
JH		 1703
1704 if (verify != 0) /* verification failed */
899b8bbc
JH		 1705 {
1706 gnutls_datum_t str;
1707 (void) dane_verification_status_print(verify, &str, 0);
1708 *errstr = US str.data; /* don't bother to free */
1709 goto badcert;
1710 }
28646fa9 1711
94c13285
JH		 1712# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1713 /* If a TA-mode TLSA record was used for verification we must additionally
570cb1bd 1714 verify the cert name (but not the CA chain). For EE-mode, skip it. */
28646fa9 1715
94c13285
JH		 1716 if (usage & (1 << DANESSL_USAGE_DANE_EE))
1717# endif
28646fa9 1718 {
570cb1bd 1719 state->peer_dane_verified = state->peer_cert_verified = TRUE;
28646fa9
JH		 1720 goto goodcert;
1721 }
570cb1bd
JH		 1722# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1723 /* Assume that the name on the A-record is the one that should be matching
1724 the cert. An alternate view is that the domain part of the email address
1725 is also permissible. */
1726
1727 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
1728 CS state->host->name))
1729 {
1730 state->peer_dane_verified = state->peer_cert_verified = TRUE;
1731 goto goodcert;
1732 }
1733# endif
899b8bbc 1734 }
570cb1bd 1735#endif /*SUPPORT_DANE*/
899b8bbc 1736
17c76198 1737 rc = gnutls_certificate_verify_peers2(state->session, &verify);
899b8bbc 1738 }
e6060e2c 1739
899b8bbc 1740/* Handle the result of verification. INVALID is set if any others are. */
059ec3d9 1741
28646fa9 1742if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
17c76198
PP		 1743 {
1744 state->peer_cert_verified = FALSE;
cf0c6164
JH		 1745 if (!*errstr)
1746 *errstr = verify & GNUTLS_CERT_REVOKED
1747 ? US"certificate revoked" : US"certificate invalid";
059ec3d9 1748
17c76198 1749 DEBUG(D_tls)
e51c7be2 1750 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 1751 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 1752
e51c7be2 1753 if (state->verify_requirement >= VERIFY_REQUIRED)
899b8bbc 1754 goto badcert;
17c76198 1755 DEBUG(D_tls)
4789da3a 1756 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 1757 }
e51c7be2 1758
17c76198
PP		 1759else
1760 {
5fd28bb8
JH		 1761 /* Client side, check the server's certificate name versus the name on the
1762 A-record for the connection we made. What to do for server side - what name
1763 to use for client? We document that there is no such checking for server
1764 side. */
1765
1766 if ( state->exp_tls_verify_cert_hostnames
1767 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
1768 CS state->exp_tls_verify_cert_hostnames)
1769 )
e51c7be2 1770 {
5fd28bb8
JH		 1771 DEBUG(D_tls)
1772 debug_printf("TLS certificate verification failed: cert name mismatch\n");
1773 if (state->verify_requirement >= VERIFY_REQUIRED)
1774 goto badcert;
1775 return TRUE;
e51c7be2 1776 }
5fd28bb8 1777
17c76198 1778 state->peer_cert_verified = TRUE;
e51c7be2 1779 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 1780 state->peerdn ? state->peerdn : US"<unset>");
17c76198 1781 }
059ec3d9 1782
28646fa9
JH		 1783goodcert:
1784 state->tlsp->peerdn = state->peerdn;
1785 return TRUE;
899b8bbc 1786
b83314e3 1787#ifdef SUPPORT_DANE
94c13285 1788tlsa_prob:
624f33df
JH		 1789 *errstr = string_sprintf("TLSA record problem: %s",
1790 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
b83314e3
JH		 1791#endif
1792
899b8bbc
JH		 1793badcert:
1794 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1795 return FALSE;
17c76198 1796}
059ec3d9 1797
17c76198
PP		 1798
1799
1800
1801/* ------------------------------------------------------------------------ */
1802/* Callbacks */
1803
1804/* Logging function which can be registered with
1805 * gnutls_global_set_log_function()
1806 * gnutls_global_set_log_level() 0..9
1807 */
af3498d6 1808#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 1809static void
17c76198 1810exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 1811{
8c79eebf
PP		 1812 size_t len = strlen(message);
1813 if (len < 1)
1814 {
1815 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1816 return;
1817 }
1818 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1819 message[len-1] == '\n' ? "" : "\n");
17c76198 1820}
af3498d6 1821#endif
059ec3d9 1822
059ec3d9 1823
17c76198
PP		 1824/* Called after client hello, should handle SNI work.
1825This will always set tls_sni (state->received_sni) if available,
1826and may trigger presenting different certificates,
1827if state->trigger_sni_changes is TRUE.
059ec3d9 1828
17c76198
PP		 1829Should be registered with
1830 gnutls_handshake_set_post_client_hello_function()
059ec3d9 1831
17c76198
PP		 1832"This callback must return 0 on success or a gnutls error code to terminate the
1833handshake.".
059ec3d9 1834
17c76198
PP		 1835For inability to get SNI information, we return 0.
1836We only return non-zero if re-setup failed.
817d9f57 1837Only used for server-side TLS.
17c76198 1838*/
44bbabb5 1839
17c76198
PP		 1840static int
1841exim_sni_handling_cb(gnutls_session_t session)
1842{
1843char sni_name[MAX_HOST_LEN];
1844size_t data_len = MAX_HOST_LEN;
817d9f57 1845exim_gnutls_state_st *state = &state_server;
17c76198
PP		 1846unsigned int sni_type;
1847int rc, old_pool;
cf0c6164 1848uschar * dummy_errstr;
17c76198
PP		 1849
1850rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP		 1851if (rc != GNUTLS_E_SUCCESS)
1852 {
1853 DEBUG(D_tls) {
1854 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1855 debug_printf("TLS: no SNI presented in handshake.\n");
1856 else
1857 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1858 gnutls_strerror(rc), rc);
cf0c6164 1859 }
b34fc30c
PP		 1860 return 0;
1861 }
1862
17c76198
PP		 1863if (sni_type != GNUTLS_NAME_DNS)
1864 {
1865 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1866 return 0;
1867 }
44bbabb5 1868
17c76198
PP		 1869/* We now have a UTF-8 string in sni_name */
1870old_pool = store_pool;
1871store_pool = POOL_PERM;
1872state->received_sni = string_copyn(US sni_name, data_len);
1873store_pool = old_pool;
1874
1875/* We set this one now so that variable expansions below will work */
817d9f57 1876state->tlsp->sni = state->received_sni;
17c76198
PP		 1877
1878DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1879 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1880
1881if (!state->trigger_sni_changes)
1882 return 0;
1883
cf0c6164 1884if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP		 1885 {
1886 /* If the setup of certs/etc failed before handshake, TLS would not have
1887 been offered. The best we can do now is abort. */
1888 return GNUTLS_E_APPLICATION_ERROR_MIN;
1889 }
1890
cf0c6164 1891rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP		 1892if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1893
1894return 0;
059ec3d9
PH		 1895}
1896
1897
1898
f2de3a33 1899#ifndef DISABLE_OCSP
44662487
JH		 1900
1901static int
1902server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1903 gnutls_datum_t * ocsp_response)
1904{
1905int ret;
47195144 1906DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
44662487 1907
44662487
JH		 1908if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1909 {
1910 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
5903c6ff 1911 CS ptr);
018058b2 1912 tls_in.ocsp = OCSP_NOT_RESP;
44662487
JH		 1913 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1914 }
1915
018058b2 1916tls_in.ocsp = OCSP_VFY_NOT_TRIED;
44662487
JH		 1917return 0;
1918}
1919
1920#endif
1921
1922
0cbf2b82 1923#ifndef DISABLE_EVENT
a7538db1
JH		 1924/*
1925We use this callback to get observability and detail-level control
723fe533
JH		 1926for an exim TLS connection (either direction), raising a tls:cert event
1927for each cert in the chain presented by the peer. Any event
a7538db1
JH		 1928can deny verification.
1929
1930Return 0 for the handshake to continue or non-zero to terminate.
1931*/
1932
1933static int
723fe533 1934verify_cb(gnutls_session_t session)
a7538db1 1935{
27f19eb4 1936const gnutls_datum_t * cert_list;
a7538db1
JH		 1937unsigned int cert_list_size = 0;
1938gnutls_x509_crt_t crt;
1939int rc;
b30275b8 1940uschar * yield;
a7538db1
JH		 1941exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
1942
bd5b3f3c 1943if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
a7538db1
JH		 1944 while (cert_list_size--)
1945 {
bd5b3f3c 1946 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
a7538db1
JH		 1947 {
1948 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
1949 cert_list_size, gnutls_strerror(rc));
1950 break;
1951 }
1952
1953 state->tlsp->peercert = crt;
b30275b8
JH		 1954 if ((yield = event_raise(state->event_action,
1955 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH		 1956 {
1957 log_write(0, LOG_MAIN,
b30275b8
JH		 1958 "SSL verify denied by event-action: depth=%d: %s",
1959 cert_list_size, yield);
a7538db1
JH		 1960 return 1; /* reject */
1961 }
1962 state->tlsp->peercert = NULL;
1963 }
1964
1965return 0;
1966}
1967
1968#endif
44662487
JH		 1969
1970
17c76198
PP		 1971
1972/* ------------------------------------------------------------------------ */
1973/* Exported functions */
1974
1975
1976
1977
059ec3d9
PH		 1978/*************************************************
1979* Start a TLS session in a server *
1980*************************************************/
1981
1982/* This is called when Exim is running as a server, after having received
1983the STARTTLS command. It must respond to that command, and then negotiate
1984a TLS session.
1985
1986Arguments:
83da1223 1987 require_ciphers list of allowed ciphers or NULL
cf0c6164 1988 errstr pointer to error string
059ec3d9
PH		 1989
1990Returns: OK on success
1991 DEFER for errors before the start of the negotiation
4c04137d 1992 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 1993 continue running.
1994*/
1995
1996int
cf0c6164 1997tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 1998{
1999int rc;
cf0c6164 2000exim_gnutls_state_st * state = NULL;
059ec3d9
PH		 2001
2002/* Check for previous activation */
74f1a423 2003if (tls_in.active.sock >= 0)
059ec3d9 2004 {
cf0c6164 2005 tls_error(US"STARTTLS received after TLS started", "", NULL, errstr);
925ac8e4 2006 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 2007 return FAIL;
2008 }
2009
2010/* Initialize the library. If it fails, it will already have logged the error
2011and sent an SMTP response. */
2012
17c76198 2013DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 2014
cf0c6164 2015if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
17c76198 2016 NULL, tls_verify_certificates, tls_crl,
74f1a423 2017 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
059ec3d9 2018
059ec3d9
PH		 2019/* If this is a host for which certificate verification is mandatory or
2020optional, set up appropriately. */
2021
059ec3d9 2022if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 2023 {
e51c7be2
JH		 2024 DEBUG(D_tls)
2025 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP		 2026 state->verify_requirement = VERIFY_REQUIRED;
2027 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2028 }
059ec3d9 2029else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 2030 {
e51c7be2
JH		 2031 DEBUG(D_tls)
2032 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP		 2033 state->verify_requirement = VERIFY_OPTIONAL;
2034 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2035 }
2036else
2037 {
e51c7be2
JH		 2038 DEBUG(D_tls)
2039 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP		 2040 state->verify_requirement = VERIFY_NONE;
2041 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2042 }
059ec3d9 2043
0cbf2b82 2044#ifndef DISABLE_EVENT
723fe533
JH		 2045if (event_action)
2046 {
2047 state->event_action = event_action;
2048 gnutls_session_set_ptr(state->session, state);
2049 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2050 }
2051#endif
2052
17c76198
PP		 2053/* Register SNI handling; always, even if not in tls_certificate, so that the
2054expansion variable $tls_sni is always available. */
059ec3d9 2055
17c76198
PP		 2056gnutls_handshake_set_post_client_hello_function(state->session,
2057 exim_sni_handling_cb);
059ec3d9
PH		 2058
2059/* Set context and tell client to go ahead, except in the case of TLS startup
2060on connection, where outputting anything now upsets the clients and tends to
2061make them disconnect. We need to have an explicit fflush() here, to force out
2062the response. Other smtp_printf() calls do not need it, because in non-TLS
2063mode, the fflush() happens when smtp_getc() is called. */
2064
817d9f57 2065if (!state->tlsp->on_connect)
059ec3d9 2066 {
925ac8e4 2067 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 2068 fflush(smtp_out);
059ec3d9
PH		 2069 }
2070
2071/* Now negotiate the TLS session. We put our own timer on it, since it seems
8008accd
JH		 2072that the GnuTLS library doesn't.
2073From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2074to set (and clear down afterwards) up a pull-timeout callback function that does
2075a select, so we're no better off unless avoiding signals becomes an issue. */
059ec3d9 2076
17c76198 2077gnutls_transport_set_ptr2(state->session,
27f19eb4
JH		 2078 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2079 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP		 2080state->fd_in = fileno(smtp_in);
2081state->fd_out = fileno(smtp_out);
059ec3d9
PH		 2082
2083sigalrm_seen = FALSE;
2084if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
17c76198 2085do
17c76198 2086 rc = gnutls_handshake(state->session);
157a7880 2087while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
059ec3d9
PH		 2088alarm(0);
2089
17c76198 2090if (rc != GNUTLS_E_SUCCESS)
059ec3d9 2091 {
059ec3d9
PH		 2092 /* It seems that, except in the case of a timeout, we have to close the
2093 connection right here; otherwise if the other end is running OpenSSL it hangs
2094 until the server times out. */
2095
60d10ce7 2096 if (sigalrm_seen)
ad7fc6eb 2097 {
cf0c6164 2098 tls_error(US"gnutls_handshake", "timed out", NULL, errstr);
ad7fc6eb
JH		 2099 gnutls_db_remove_session(state->session);
2100 }
60d10ce7 2101 else
059ec3d9 2102 {
cf0c6164 2103 tls_error(US"gnutls_handshake", gnutls_strerror(rc), NULL, errstr);
f5d25c2b 2104 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 2105 gnutls_deinit(state->session);
ed62aae3 2106 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 2107 millisleep(500);
ad7fc6eb 2108 shutdown(state->fd_out, SHUT_WR);
60d10ce7 2109 for (rc = 1024; fgetc(smtp_in) != EOF && rc > 0; ) rc--; /* drain skt */
f1e894f3
PH		 2110 (void)fclose(smtp_out);
2111 (void)fclose(smtp_in);
60d10ce7 2112 smtp_out = smtp_in = NULL;
059ec3d9
PH		 2113 }
2114
2115 return FAIL;
2116 }
2117
2118DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
2119
17c76198
PP		 2120/* Verify after the fact */
2121
899b8bbc 2122if (!verify_certificate(state, errstr))
059ec3d9 2123 {
9d1c15ef 2124 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 2125 {
cf0c6164 2126 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 2127 return FAIL;
17c76198 2128 }
9d1c15ef
JH		 2129 DEBUG(D_tls)
2130 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 2131 *errstr);
059ec3d9
PH		 2132 }
2133
17c76198
PP		 2134/* Figure out peer DN, and if authenticated, etc. */
2135
cf0c6164 2136if ((rc = peer_status(state, NULL)) != OK) return rc;
17c76198
PP		 2137
2138/* Sets various Exim expansion variables; always safe within server */
2139
9d1c15ef 2140extract_exim_vars_from_tls_state(state);
059ec3d9
PH		 2141
2142/* TLS has been set up. Adjust the input functions to read via TLS,
2143and initialize appropriately. */
2144
17c76198 2145state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH		 2146
2147receive_getc = tls_getc;
0d81dabc 2148receive_getbuf = tls_getbuf;
584e96c6 2149receive_get_cache = tls_get_cache;
059ec3d9
PH		 2150receive_ungetc = tls_ungetc;
2151receive_feof = tls_feof;
2152receive_ferror = tls_ferror;
58eb016e 2153receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2154
059ec3d9
PH		 2155return OK;
2156}
2157
2158
2159
2160
aa2a70ba
JH		 2161static void
2162tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2163 smtp_transport_options_block * ob)
2164{
3fb3231c 2165if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 2166 {
4af0d74a 2167 state->exp_tls_verify_cert_hostnames =
8c5d388a 2168#ifdef SUPPORT_I18N
4af0d74a
JH		 2169 string_domain_utf8_to_alabel(host->name, NULL);
2170#else
2171 host->name;
2172#endif
aa2a70ba
JH		 2173 DEBUG(D_tls)
2174 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2175 state->exp_tls_verify_cert_hostnames);
2176 }
2177}
aa2a70ba
JH		 2178
2179
899b8bbc
JH		 2180
2181
2182#ifdef SUPPORT_DANE
2183/* Given our list of RRs from the TLSA lookup, build a lookup block in
2184GnuTLS-DANE's preferred format. Hang it on the state str for later
2185use in DANE verification.
2186
2187We point at the dnsa data not copy it, so it must remain valid until
2188after verification is done.*/
2189
3674140c 2190static BOOL
899b8bbc
JH		 2191dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2192{
2193dns_record * rr;
2194dns_scan dnss;
2195int i;
2196const char ** dane_data;
2197int * dane_data_len;
2198
2199for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS), i = 1;
2200 rr;
2201 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2202 ) if (rr->type == T_TLSA) i++;
2203
2204dane_data = store_get(i * sizeof(uschar *));
2205dane_data_len = store_get(i * sizeof(int));
2206
2207for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS), i = 0;
2208 rr;
2209 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2210 ) if (rr->type == T_TLSA && rr->size > 3)
899b8bbc
JH		 2211 {
2212 const uschar * p = rr->data;
3674140c
JH		 2213 uint8_t usage = p[0], sel = p[1], type = p[2];
2214
2215 DEBUG(D_tls)
2216 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2217
94c13285
JH		 2218 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2219 || (sel != 0 && sel != 1)
2220 )
2221 continue;
3674140c
JH		 2222 switch(type)
2223 {
2224 case 0: /* Full: cannot check at present */
2225 break;
2226 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2227 break;
2228 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2229 break;
2230 default: continue;
2231 }
899b8bbc
JH		 2232
2233 tls_out.tlsa_usage |= 1<<usage;
2234 dane_data[i] = p;
2235 dane_data_len[i++] = rr->size;
2236 }
3674140c
JH		 2237
2238if (!i) return FALSE;
2239
899b8bbc
JH		 2240dane_data[i] = NULL;
2241dane_data_len[i] = 0;
2242
2243state->dane_data = (char * const *)dane_data;
2244state->dane_data_len = dane_data_len;
3674140c 2245return TRUE;
899b8bbc
JH		 2246}
2247#endif
2248
2249
2250
059ec3d9
PH		 2251/*************************************************
2252* Start a TLS session in a client *
2253*************************************************/
2254
2255/* Called from the smtp transport after STARTTLS has been accepted.
2256
2257Arguments:
2258 fd the fd of the connection
afdb5e9c 2259 host connected host (for messages and option-tests)
83da1223 2260 addr the first address (not used)
a7538db1 2261 tb transport (always smtp)
899b8bbc
JH		 2262 tlsa_dnsa non-NULL, either request or require dane for this host, and
2263 a TLSA record found. Therefore, dane verify required.
2264 Which implies cert must be requested and supplied, dane
2265 verify must pass, and cert verify irrelevant (incl.
2266 hostnames), and (caller handled) require_tls
74f1a423 2267 tlsp record details of channel configuration
cf0c6164
JH		 2268 errstr error string pointer
2269
74f1a423 2270Returns: Pointer to TLS session context, or NULL on error
059ec3d9
PH		 2271*/
2272
74f1a423 2273void *
17c76198 2274tls_client_start(int fd, host_item *host,
f5d78688 2275 address_item *addr ARG_UNUSED,
cf0c6164 2276 transport_instance * tb,
c0635b6d 2277#ifdef SUPPORT_DANE
899b8bbc 2278 dns_answer * tlsa_dnsa,
0e66b3b6 2279#endif
74f1a423 2280 tls_support * tlsp, uschar ** errstr)
059ec3d9 2281{
afdb5e9c
JH		 2282smtp_transport_options_block *ob = tb
2283 ? (smtp_transport_options_block *)tb->options_block
2284 : &smtp_transport_option_defaults;
059ec3d9 2285int rc;
899b8bbc 2286exim_gnutls_state_st * state = NULL;
5ec37a55 2287uschar *cipher_list = NULL;
74f1a423 2288
f2de3a33 2289#ifndef DISABLE_OCSP
5130845b 2290BOOL require_ocsp =
3fb3231c 2291 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
44662487 2292BOOL request_ocsp = require_ocsp ? TRUE
3fb3231c 2293 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2b4a568d 2294#endif
059ec3d9 2295
17c76198 2296DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
059ec3d9 2297
5ec37a55 2298#ifdef SUPPORT_DANE
cf260049 2299if (tlsa_dnsa && ob->dane_require_tls_ciphers)
5ec37a55
PP		 2300 {
2301 /* not using expand_check_tlsvar because not yet in state */
2302 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2303 &cipher_list, errstr))
74f1a423 2304 return NULL;
cf260049
JH		 2305 cipher_list = cipher_list && *cipher_list
2306 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
5ec37a55
PP		 2307 }
2308#endif
2309
2310if (!cipher_list)
2311 cipher_list = ob->tls_require_ciphers;
2312
74f1a423 2313if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
65867078 2314 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
74f1a423
JH		 2315 cipher_list, &state, tlsp, errstr) != OK)
2316 return NULL;
059ec3d9 2317
54c90be1 2318 {
65867078
JH		 2319 int dh_min_bits = ob->tls_dh_min_bits;
2320 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2321 {
2322 DEBUG(D_tls)
2323 debug_printf("WARNING: tls_dh_min_bits far too low,"
2324 " clamping %d up to %d\n",
2325 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2326 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2327 }
54c90be1 2328
65867078
JH		 2329 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2330 " acceptable bits to %d\n",
2331 dh_min_bits);
2332 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2333 }
83da1223 2334
94431adb 2335/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH		 2336set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2337the specified host patterns if one of them is defined */
2338
899b8bbc 2339#ifdef SUPPORT_DANE
3674140c 2340if (tlsa_dnsa && dane_tlsa_load(state, tlsa_dnsa))
899b8bbc
JH		 2341 {
2342 DEBUG(D_tls)
2343 debug_printf("TLS: server certificate DANE required.\n");
2344 state->verify_requirement = VERIFY_DANE;
2345 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
899b8bbc
JH		 2346 }
2347else
2348#endif
2349 if ( ( state->exp_tls_verify_certificates
2350 && !ob->tls_verify_hosts
2351 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2352 )
3fb3231c 2353 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
899b8bbc 2354 )
17c76198 2355 {
aa2a70ba 2356 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH		 2357 DEBUG(D_tls)
2358 debug_printf("TLS: server certificate verification required.\n");
2359 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB		 2360 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2361 }
3fb3231c 2362else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
52f93eed 2363 {
aa2a70ba 2364 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH		 2365 DEBUG(D_tls)
2366 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2367 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP		 2368 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2369 }
2370else
2371 {
e51c7be2
JH		 2372 DEBUG(D_tls)
2373 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB		 2374 state->verify_requirement = VERIFY_NONE;
2375 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2376 }
059ec3d9 2377
f2de3a33
JH		 2378#ifndef DISABLE_OCSP
2379 /* supported since GnuTLS 3.1.3 */
44662487 2380if (request_ocsp)
9d1c15ef
JH		 2381 {
2382 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH		 2383 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2384 NULL, 0, NULL)) != OK)
74f1a423
JH		 2385 {
2386 tls_error(US"cert-status-req", gnutls_strerror(rc), state->host, errstr);
2387 return NULL;
2388 }
2389 tlsp->ocsp = OCSP_NOT_RESP;
9d1c15ef 2390 }
2b4a568d
JH		 2391#endif
2392
0cbf2b82 2393#ifndef DISABLE_EVENT
afdb5e9c 2394if (tb && tb->event_action)
a7538db1 2395 {
774ef2d7 2396 state->event_action = tb->event_action;
a7538db1 2397 gnutls_session_set_ptr(state->session, state);
723fe533 2398 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH		 2399 }
2400#endif
2401
27f19eb4 2402gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) fd);
17c76198
PP		 2403state->fd_in = fd;
2404state->fd_out = fd;
059ec3d9 2405
9d1c15ef 2406DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH		 2407/* There doesn't seem to be a built-in timeout on connection. */
2408
2409sigalrm_seen = FALSE;
65867078 2410alarm(ob->command_timeout);
17c76198 2411do
17c76198 2412 rc = gnutls_handshake(state->session);
f1fed05b 2413while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
059ec3d9
PH		 2414alarm(0);
2415
4fe99a6c 2416if (rc != GNUTLS_E_SUCCESS)
74f1a423 2417 {
60d10ce7
JH		 2418 if (sigalrm_seen)
2419 {
2420 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
74f1a423 2421 tls_error(US"gnutls_handshake", "timed out", state->host, errstr);
60d10ce7
JH		 2422 }
2423 else
74f1a423
JH		 2424 tls_error(US"gnutls_handshake", gnutls_strerror(rc), state->host, errstr);
2425 return NULL;
2426 }
4fe99a6c 2427
17c76198 2428DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
059ec3d9 2429
17c76198 2430/* Verify late */
059ec3d9 2431
899b8bbc 2432if (!verify_certificate(state, errstr))
74f1a423
JH		 2433 {
2434 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
2435 return NULL;
2436 }
059ec3d9 2437
f2de3a33 2438#ifndef DISABLE_OCSP
2b4a568d
JH		 2439if (require_ocsp)
2440 {
2441 DEBUG(D_tls)
2442 {
2443 gnutls_datum_t stapling;
2444 gnutls_ocsp_resp_t resp;
2445 gnutls_datum_t printed;
2446 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
2447 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
2448 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2449 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
2450 )
2451 {
65867078 2452 debug_printf("%.4096s", printed.data);
2b4a568d
JH		 2453 gnutls_free(printed.data);
2454 }
2455 else
cf0c6164 2456 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host, errstr);
2b4a568d
JH		 2457 }
2458
2b4a568d 2459 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2 2460 {
74f1a423
JH		 2461 tlsp->ocsp = OCSP_FAILED;
2462 tls_error(US"certificate status check failed", NULL, state->host, errstr);
2463 return NULL;
018058b2 2464 }
2b4a568d 2465 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
74f1a423 2466 tlsp->ocsp = OCSP_VFIED;
2b4a568d
JH		 2467 }
2468#endif
2469
17c76198 2470/* Figure out peer DN, and if authenticated, etc. */
059ec3d9 2471
74f1a423
JH		 2472if (peer_status(state, errstr) != OK)
2473 return NULL;
059ec3d9 2474
4fe99a6c 2475/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 2476
9d1c15ef 2477extract_exim_vars_from_tls_state(state);
059ec3d9 2478
74f1a423 2479return state;
059ec3d9
PH		 2480}
2481
2482
2483
17c76198 2484
059ec3d9 2485/*************************************************
17c76198 2486* Close down a TLS session *
059ec3d9
PH		 2487*************************************************/
2488
17c76198
PP		 2489/* This is also called from within a delivery subprocess forked from the
2490daemon, to shut down the TLS library, without actually doing a shutdown (which
2491would tamper with the TLS session in the parent process).
059ec3d9 2492
dec766a1 2493Arguments:
74f1a423 2494 ct_ctx client context pointer, or NULL for the one global server context
dec766a1 2495 shutdown 1 if TLS close-alert is to be sent,
afdb5e9c 2496 2 if also response to be waited for
dec766a1 2497
17c76198 2498Returns: nothing
059ec3d9
PH		 2499*/
2500
17c76198 2501void
74f1a423 2502tls_close(void * ct_ctx, int shutdown)
059ec3d9 2503{
74f1a423 2504exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
059ec3d9 2505
74f1a423 2506if (!state->tlsp || state->tlsp->active.sock < 0) return; /* TLS was not active */
17c76198
PP		 2507
2508if (shutdown)
2509 {
dec766a1
WB		 2510 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
2511 shutdown > 1 ? " (with response-wait)" : "");
2512
2513 alarm(2);
2514 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
2515 alarm(0);
17c76198
PP		 2516 }
2517
2518gnutls_deinit(state->session);
ed62aae3
HSHR		 2519gnutls_certificate_free_credentials(state->x509_cred);
2520
17c76198 2521
74f1a423
JH		 2522state->tlsp->active.sock = -1;
2523state->tlsp->active.tls_ctx = NULL;
b808677c 2524if (state->xfer_buffer) store_free(state->xfer_buffer);
17c76198 2525memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
059ec3d9
PH		 2526}
2527
2528
2529
17c76198 2530
0d81dabc
JH		 2531static BOOL
2532tls_refill(unsigned lim)
2533{
2534exim_gnutls_state_st * state = &state_server;
2535ssize_t inbytes;
2536
2537DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2538 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
2539
f1fed05b 2540sigalrm_seen = FALSE;
0d81dabc
JH		 2541if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2542inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
2543 MIN(ssl_xfer_buffer_size, lim));
9723f966
JH		 2544if (smtp_receive_timeout > 0) alarm(0);
2545
2546if (had_command_timeout) /* set by signal handler */
2547 smtp_command_timeout_exit(); /* does not return */
2548if (had_command_sigterm)
2549 smtp_command_sigterm_exit();
2550if (had_data_timeout)
2551 smtp_data_timeout_exit();
2552if (had_data_sigint)
2553 smtp_data_sigint_exit();
2554
2555/* Timeouts do not get this far. A zero-byte return appears to mean that the
2556TLS session has been closed down, not that the socket itself has been closed
2557down. Revert to non-TLS handling. */
0d81dabc
JH		 2558
2559if (sigalrm_seen)
2560 {
2561 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
8b77d27a 2562 state->xfer_error = TRUE;
0d81dabc
JH		 2563 return FALSE;
2564 }
2565
2566else if (inbytes == 0)
2567 {
2568 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2569
2570 receive_getc = smtp_getc;
2571 receive_getbuf = smtp_getbuf;
2572 receive_get_cache = smtp_get_cache;
2573 receive_ungetc = smtp_ungetc;
2574 receive_feof = smtp_feof;
2575 receive_ferror = smtp_ferror;
2576 receive_smtp_buffered = smtp_buffered;
2577
2578 gnutls_deinit(state->session);
2579 gnutls_certificate_free_credentials(state->x509_cred);
2580
2581 state->session = NULL;
74f1a423
JH		 2582 state->tlsp->active.sock = -1;
2583 state->tlsp->active.tls_ctx = NULL;
0d81dabc
JH		 2584 state->tlsp->bits = 0;
2585 state->tlsp->certificate_verified = FALSE;
2586 tls_channelbinding_b64 = NULL;
2587 state->tlsp->cipher = NULL;
2588 state->tlsp->peercert = NULL;
2589 state->tlsp->peerdn = NULL;
2590
2591 return FALSE;
2592 }
2593
2594/* Handle genuine errors */
2595
2596else if (inbytes < 0)
2597 {
5fd28bb8 2598debug_printf("%s: err from gnutls_record_recv(\n", __FUNCTION__);
0d81dabc 2599 record_io_error(state, (int) inbytes, US"recv", NULL);
8b77d27a 2600 state->xfer_error = TRUE;
0d81dabc
JH		 2601 return FALSE;
2602 }
2603#ifndef DISABLE_DKIM
2604dkim_exim_verify_feed(state->xfer_buffer, inbytes);
2605#endif
2606state->xfer_buffer_hwm = (int) inbytes;
2607state->xfer_buffer_lwm = 0;
2608return TRUE;
2609}
2610
059ec3d9
PH		 2611/*************************************************
2612* TLS version of getc *
2613*************************************************/
2614
2615/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2616it refills the buffer via the GnuTLS reading function.
817d9f57 2617Only used by the server-side TLS.
059ec3d9 2618
17c76198
PP		 2619This feeds DKIM and should be used for all message-body reads.
2620
bd8fbe36 2621Arguments: lim Maximum amount to read/bufffer
059ec3d9
PH		 2622Returns: the next character or EOF
2623*/
2624
2625int
bd8fbe36 2626tls_getc(unsigned lim)
059ec3d9 2627{
0d81dabc 2628exim_gnutls_state_st * state = &state_server;
059ec3d9 2629
0d81dabc
JH		 2630if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2631 if (!tls_refill(lim))
2632 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 2633
0d81dabc 2634/* Something in the buffer; return next uschar */
059ec3d9 2635
0d81dabc
JH		 2636return state->xfer_buffer[state->xfer_buffer_lwm++];
2637}
059ec3d9 2638
0d81dabc
JH		 2639uschar *
2640tls_getbuf(unsigned * len)
2641{
2642exim_gnutls_state_st * state = &state_server;
2643unsigned size;
2644uschar * buf;
059ec3d9 2645
0d81dabc
JH		 2646if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2647 if (!tls_refill(*len))
059ec3d9 2648 {
0d81dabc
JH		 2649 if (!state->xfer_error) return smtp_getbuf(len);
2650 *len = 0;
2651 return NULL;
059ec3d9 2652 }
059ec3d9 2653
0d81dabc
JH		 2654if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
2655 size = *len;
2656buf = &state->xfer_buffer[state->xfer_buffer_lwm];
2657state->xfer_buffer_lwm += size;
2658*len = size;
2659return buf;
059ec3d9
PH		 2660}
2661
0d81dabc 2662
584e96c6
JH		 2663void
2664tls_get_cache()
2665{
9960d1e5 2666#ifndef DISABLE_DKIM
584e96c6
JH		 2667exim_gnutls_state_st * state = &state_server;
2668int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
2669if (n > 0)
2670 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 2671#endif
9960d1e5 2672}
584e96c6 2673
059ec3d9 2674
925ac8e4
JH		 2675BOOL
2676tls_could_read(void)
2677{
2678return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
2679 || gnutls_record_check_pending(state_server.session) > 0;
2680}
2681
2682
059ec3d9 2683
17c76198 2684
059ec3d9
PH		 2685/*************************************************
2686* Read bytes from TLS channel *
2687*************************************************/
2688
17c76198
PP		 2689/* This does not feed DKIM, so if the caller uses this for reading message body,
2690then the caller must feed DKIM.
817d9f57 2691
059ec3d9 2692Arguments:
74f1a423 2693 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 2694 buff buffer of data
2695 len size of buffer
2696
2697Returns: the number of bytes read
afdb5e9c 2698 -1 after a failed read, including EOF
059ec3d9
PH		 2699*/
2700
2701int
74f1a423 2702tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 2703{
74f1a423 2704exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
17c76198 2705ssize_t inbytes;
059ec3d9 2706
17c76198
PP		 2707if (len > INT_MAX)
2708 len = INT_MAX;
059ec3d9 2709
17c76198
PP		 2710if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
2711 DEBUG(D_tls)
2712 debug_printf("*** PROBABLY A BUG *** " \
2713 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
2714 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
2715
2716DEBUG(D_tls)
2717 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
2718 state->session, buff, len);
2719
2720inbytes = gnutls_record_recv(state->session, buff, len);
059ec3d9
PH		 2721if (inbytes > 0) return inbytes;
2722if (inbytes == 0)
2723 {
2724 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2725 }
5fd28bb8
JH		 2726else
2727{
2728debug_printf("%s: err from gnutls_record_recv(\n", __FUNCTION__);
2729record_io_error(state, (int)inbytes, US"recv", NULL);
2730}
059ec3d9
PH		 2731
2732return -1;
2733}
2734
2735
2736
17c76198 2737
059ec3d9
PH		 2738/*************************************************
2739* Write bytes down TLS channel *
2740*************************************************/
2741
2742/*
2743Arguments:
74f1a423 2744 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 2745 buff buffer of data
2746 len number of bytes
925ac8e4 2747 more more data expected soon
059ec3d9
PH		 2748
2749Returns: the number of bytes after a successful write,
2750 -1 after a failed write
2751*/
2752
2753int
74f1a423 2754tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
059ec3d9 2755{
17c76198
PP		 2756ssize_t outbytes;
2757size_t left = len;
74f1a423 2758exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
925ac8e4
JH		 2759#ifdef SUPPORT_CORK
2760static BOOL corked = FALSE;
2761
2762if (more && !corked) gnutls_record_cork(state->session);
2763#endif
2764
2765DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
2766 buff, left, more ? ", more" : "");
059ec3d9 2767
059ec3d9
PH		 2768while (left > 0)
2769 {
17c76198
PP		 2770 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
2771 buff, left);
2772 outbytes = gnutls_record_send(state->session, buff, left);
059ec3d9 2773
17c76198 2774 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH		 2775 if (outbytes < 0)
2776 {
1b76ad22 2777 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
17c76198 2778 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH		 2779 return -1;
2780 }
2781 if (outbytes == 0)
2782 {
17c76198 2783 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH		 2784 return -1;
2785 }
2786
2787 left -= outbytes;
2788 buff += outbytes;
2789 }
2790
17c76198
PP		 2791if (len > INT_MAX)
2792 {
2793 DEBUG(D_tls)
2794 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
2795 len);
2796 len = INT_MAX;
2797 }
2798
925ac8e4
JH		 2799#ifdef SUPPORT_CORK
2800if (more != corked)
2801 {
2802 if (!more) (void) gnutls_record_uncork(state->session, 0);
2803 corked = more;
2804 }
2805#endif
2806
17c76198 2807return (int) len;
059ec3d9
PH		 2808}
2809
2810
2811
17c76198 2812
059ec3d9 2813/*************************************************
17c76198 2814* Random number generation *
059ec3d9
PH		 2815*************************************************/
2816
17c76198
PP		 2817/* Pseudo-random number generation. The result is not expected to be
2818cryptographically strong but not so weak that someone will shoot themselves
2819in the foot using it as a nonce in input in some email header scheme or
2820whatever weirdness they'll twist this into. The result should handle fork()
2821and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 2822
17c76198
PP		 2823Arguments:
2824 max range maximum
2825Returns a random number in range [0, max-1]
059ec3d9
PH		 2826*/
2827
af3498d6 2828#ifdef HAVE_GNUTLS_RND
17c76198
PP		 2829int
2830vaguely_random_number(int max)
059ec3d9 2831{
17c76198
PP		 2832unsigned int r;
2833int i, needed_len;
2834uschar *p;
2835uschar smallbuf[sizeof(r)];
2836
2837if (max <= 1)
2838 return 0;
2839
2840needed_len = sizeof(r);
2841/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2842 * asked for a number less than 10. */
2843for (r = max, i = 0; r; ++i)
2844 r >>= 1;
2845i = (i + 7) / 8;
2846if (i < needed_len)
2847 needed_len = i;
2848
2849i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2850if (i < 0)
059ec3d9 2851 {
17c76198
PP		 2852 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2853 return vaguely_random_number_fallback(max);
2854 }
2855r = 0;
2856for (p = smallbuf; needed_len; --needed_len, ++p)
2857 {
2858 r *= 256;
2859 r += *p;
059ec3d9
PH		 2860 }
2861
17c76198
PP		 2862/* We don't particularly care about weighted results; if someone wants
2863 * smooth distribution and cares enough then they should submit a patch then. */
2864return r % max;
059ec3d9 2865}
af3498d6
PP		 2866#else /* HAVE_GNUTLS_RND */
2867int
2868vaguely_random_number(int max)
2869{
2870 return vaguely_random_number_fallback(max);
2871}
2872#endif /* HAVE_GNUTLS_RND */
059ec3d9 2873
36f12725
NM		 2874
2875
2876
3375e053
PP		 2877/*************************************************
2878* Let tls_require_ciphers be checked at startup *
2879*************************************************/
2880
2881/* The tls_require_ciphers option, if set, must be something which the
2882library can parse.
2883
2884Returns: NULL on success, or error message
2885*/
2886
2887uschar *
2888tls_validate_require_cipher(void)
2889{
2890int rc;
2891uschar *expciphers = NULL;
2892gnutls_priority_t priority_cache;
2893const char *errpos;
cf0c6164 2894uschar * dummy_errstr;
3375e053
PP		 2895
2896#define validate_check_rc(Label) do { \
2897 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2898 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2899#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2900
2901if (exim_gnutls_base_init_done)
2902 log_write(0, LOG_MAIN|LOG_PANIC,
2903 "already initialised GnuTLS, Exim developer bug");
2904
a5f239e4 2905#ifdef HAVE_GNUTLS_PKCS11
2519e60d 2906if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 2907 {
2908 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2909 validate_check_rc(US"gnutls_pkcs11_init");
2910 }
2911#endif
3375e053
PP		 2912rc = gnutls_global_init();
2913validate_check_rc(US"gnutls_global_init()");
2914exim_gnutls_base_init_done = TRUE;
2915
2916if (!(tls_require_ciphers && *tls_require_ciphers))
2917 return_deinit(NULL);
2918
cf0c6164
JH		 2919if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2920 &dummy_errstr))
3375e053
PP		 2921 return_deinit(US"failed to expand tls_require_ciphers");
2922
2923if (!(expciphers && *expciphers))
2924 return_deinit(NULL);
2925
2926DEBUG(D_tls)
2927 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2928
2929rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2930validate_check_rc(string_sprintf(
2931 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2932 expciphers, errpos - CS expciphers, errpos));
2933
2934#undef return_deinit
2935#undef validate_check_rc
2936gnutls_global_deinit();
2937
2938return NULL;
2939}
2940
2941
2942
2943
36f12725
NM		 2944/*************************************************
2945* Report the library versions. *
2946*************************************************/
2947
2948/* See a description in tls-openssl.c for an explanation of why this exists.
2949
2950Arguments: a FILE* to print the results to
2951Returns: nothing
2952*/
2953
2954void
2955tls_version_report(FILE *f)
2956{
754a0503
PP		 2957fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2958 " Runtime: %s\n",
2959 LIBGNUTLS_VERSION,
2960 gnutls_check_version(NULL));
36f12725
NM		 2961}
2962
2b4a568d
JH		 2963/* vi: aw ai sw=2
2964*/
059ec3d9 2965/* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.