projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
tidying
[exim.git] / src / src / tls-gnu.c
... / ...
CommitLineData
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5/* Copyright (c) University of Cambridge 1995 - 2015 */
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Copyright (c) Phil Pennock 2012 */
9
10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
13
14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
16Mavroyanopoulos. The revamp is partially a rewrite, partially cut&paste as
17appropriate.
18
19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
23
24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
26
27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
31
32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
36
37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
42/* needed to disable PKCS11 autoload unless requested */
43#if GNUTLS_VERSION_NUMBER >= 0x020c00
44# include <gnutls/pkcs11.h>
45#endif
46#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
47# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
48# define DISABLE_OCSP
49#endif
50#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
51# warning "GnuTLS library version too old; tls:cert event unsupported"
52# define DISABLE_EVENT
53#endif
54#if GNUTLS_VERSION_NUMBER >= 0x030306
55# define SUPPORT_CA_DIR
56#else
57# undef SUPPORT_CA_DIR
58#endif
59#if GNUTLS_VERSION_NUMBER >= 0x030014
60# define SUPPORT_SYSDEFAULT_CABUNDLE
61#endif
62
63#ifndef DISABLE_OCSP
64# include <gnutls/ocsp.h>
65#endif
66
67/* GnuTLS 2 vs 3
68
69GnuTLS 3 only:
70 gnutls_global_set_audit_log_function()
71
72Changes:
73 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
74*/
75
76/* Local static variables for GnuTLS */
77
78/* Values for verify_requirement */
79
80enum peer_verify_requirement
81 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
82
83/* This holds most state for server or client; with this, we can set up an
84outbound TLS-enabled connection in an ACL callout, while not stomping all
85over the TLS variables available for expansion.
86
87Some of these correspond to variables in globals.c; those variables will
88be set to point to content in one of these instances, as appropriate for
89the stage of the process lifetime.
90
91Not handled here: global tls_channelbinding_b64.
92*/
93
94typedef struct exim_gnutls_state {
95 gnutls_session_t session;
96 gnutls_certificate_credentials_t x509_cred;
97 gnutls_priority_t priority_cache;
98 enum peer_verify_requirement verify_requirement;
99 int fd_in;
100 int fd_out;
101 BOOL peer_cert_verified;
102 BOOL trigger_sni_changes;
103 BOOL have_set_peerdn;
104 const struct host_item *host;
105 gnutls_x509_crt_t peercert;
106 uschar *peerdn;
107 uschar *ciphersuite;
108 uschar *received_sni;
109
110 const uschar *tls_certificate;
111 const uschar *tls_privatekey;
112 const uschar *tls_sni; /* client send only, not received */
113 const uschar *tls_verify_certificates;
114 const uschar *tls_crl;
115 const uschar *tls_require_ciphers;
116
117 uschar *exp_tls_certificate;
118 uschar *exp_tls_privatekey;
119 uschar *exp_tls_verify_certificates;
120 uschar *exp_tls_crl;
121 uschar *exp_tls_require_ciphers;
122 uschar *exp_tls_ocsp_file;
123 const uschar *exp_tls_verify_cert_hostnames;
124#ifndef DISABLE_EVENT
125 uschar *event_action;
126#endif
127
128 tls_support *tlsp; /* set in tls_init() */
129
130 uschar *xfer_buffer;
131 int xfer_buffer_lwm;
132 int xfer_buffer_hwm;
133 int xfer_eof;
134 int xfer_error;
135} exim_gnutls_state_st;
136
137static const exim_gnutls_state_st exim_gnutls_state_init = {
138 NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
139 NULL, NULL, NULL, NULL,
140 NULL, NULL, NULL, NULL, NULL, NULL,
141 NULL, NULL, NULL, NULL, NULL, NULL, NULL,
142 NULL,
143#ifndef DISABLE_EVENT
144 NULL,
145#endif
146 NULL,
147 NULL, 0, 0, 0, 0,
148};
149
150/* Not only do we have our own APIs which don't pass around state, assuming
151it's held in globals, GnuTLS doesn't appear to let us register callback data
152for callbacks, or as part of the session, so we have to keep a "this is the
153context we're currently dealing with" pointer and rely upon being
154single-threaded to keep from processing data on an inbound TLS connection while
155talking to another TLS connection for an outbound check. This does mean that
156there's no way for heart-beats to be responded to, for the duration of the
157second connection.
158XXX But see gnutls_session_get_ptr()
159*/
160
161static exim_gnutls_state_st state_server, state_client;
162
163/* dh_params are initialised once within the lifetime of a process using TLS;
164if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
165don't want to repeat this. */
166
167static gnutls_dh_params_t dh_server_params = NULL;
168
169/* No idea how this value was chosen; preserving it. Default is 3600. */
170
171static const int ssl_session_timeout = 200;
172
173static const char * const exim_default_gnutls_priority = "NORMAL";
174
175/* Guard library core initialisation */
176
177static BOOL exim_gnutls_base_init_done = FALSE;
178
179#ifndef DISABLE_OCSP
180static BOOL gnutls_buggy_ocsp = FALSE;
181#endif
182
183
184/* ------------------------------------------------------------------------ */
185/* macros */
186
187#define MAX_HOST_LEN 255
188
189/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
190the library logging; a value less than 0 disables the calls to set up logging
191callbacks. */
192#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
193# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
194#endif
195
196#ifndef EXIM_CLIENT_DH_MIN_BITS
197# define EXIM_CLIENT_DH_MIN_BITS 1024
198#endif
199
200/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
201can ask for a bit-strength. Without that, we stick to the constant we had
202before, for now. */
203#ifndef EXIM_SERVER_DH_BITS_PRE2_12
204# define EXIM_SERVER_DH_BITS_PRE2_12 1024
205#endif
206
207#define exim_gnutls_err_check(Label) do { \
208 if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)
209
210#define expand_check_tlsvar(Varname) expand_check(state->Varname, US #Varname, &state->exp_##Varname)
211
212#if GNUTLS_VERSION_NUMBER >= 0x020c00
213# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
214# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
215# define HAVE_GNUTLS_RND
216/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
217 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
218 * isn't available sometimes, so this needs to become a conditional
219 * compilation; the sanest way to deal with this being a problem on
220 * older OSes is to block it in the Local/Makefile with this compiler
221 * definition */
222# ifndef AVOID_GNUTLS_PKCS11
223# define HAVE_GNUTLS_PKCS11
224# endif /* AVOID_GNUTLS_PKCS11 */
225#endif
226
227
228
229
230/* ------------------------------------------------------------------------ */
231/* Callback declarations */
232
233#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
234static void exim_gnutls_logger_cb(int level, const char *message);
235#endif
236
237static int exim_sni_handling_cb(gnutls_session_t session);
238
239#ifndef DISABLE_OCSP
240static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
241 gnutls_datum_t * ocsp_response);
242#endif
243
244
245
246/* ------------------------------------------------------------------------ */
247/* Static functions */
248
249/*************************************************
250* Handle TLS error *
251*************************************************/
252
253/* Called from lots of places when errors occur before actually starting to do
254the TLS handshake, that is, while the session is still in clear. Always returns
255DEFER for a server and FAIL for a client so that most calls can use "return
256tls_error(...)" to do this processing and then give an appropriate return. A
257single function is used for both server and client, because it is called from
258some shared functions.
259
260Argument:
261 prefix text to include in the logged error
262 msg additional error string (may be NULL)
263 usually obtained from gnutls_strerror()
264 host NULL if setting up a server;
265 the connected host if setting up a client
266
267Returns: OK/DEFER/FAIL
268*/
269
270static int
271tls_error(const uschar *prefix, const char *msg, const host_item *host)
272{
273if (host)
274 {
275 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s)%s%s",
276 host->name, host->address, prefix, msg ? ": " : "", msg ? msg : "");
277 return FAIL;
278 }
279else
280 {
281 uschar *conn_info = smtp_get_connection_info();
282 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
283 conn_info += 5;
284 /* I'd like to get separated H= here, but too hard for now */
285 log_write(0, LOG_MAIN, "TLS error on %s (%s)%s%s",
286 conn_info, prefix, msg ? ": " : "", msg ? msg : "");
287 return DEFER;
288 }
289}
290
291
292
293
294/*************************************************
295* Deal with logging errors during I/O *
296*************************************************/
297
298/* We have to get the identity of the peer from saved data.
299
300Argument:
301 state the current GnuTLS exim state container
302 rc the GnuTLS error code, or 0 if it's a local error
303 when text identifying read or write
304 text local error text when ec is 0
305
306Returns: nothing
307*/
308
309static void
310record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
311{
312const char *msg;
313
314if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
315 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
316 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
317else
318 msg = gnutls_strerror(rc);
319
320tls_error(when, msg, state->host);
321}
322
323
324
325
326/*************************************************
327* Set various Exim expansion vars *
328*************************************************/
329
330#define exim_gnutls_cert_err(Label) \
331 do \
332 { \
333 if (rc != GNUTLS_E_SUCCESS) \
334 { \
335 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
336 (Label), gnutls_strerror(rc)); \
337 return rc; \
338 } \
339 } while (0)
340
341static int
342import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
343{
344int rc;
345
346rc = gnutls_x509_crt_init(crtp);
347exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
348
349rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
350exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
351
352return rc;
353}
354
355#undef exim_gnutls_cert_err
356
357
358/* We set various Exim global variables from the state, once a session has
359been established. With TLS callouts, may need to change this to stack
360variables, or just re-call it with the server state after client callout
361has finished.
362
363Make sure anything set here is unset in tls_getc().
364
365Sets:
366 tls_active fd
367 tls_bits strength indicator
368 tls_certificate_verified bool indicator
369 tls_channelbinding_b64 for some SASL mechanisms
370 tls_cipher a string
371 tls_peercert pointer to library internal
372 tls_peerdn a string
373 tls_sni a (UTF-8) string
374 tls_ourcert pointer to library internal
375
376Argument:
377 state the relevant exim_gnutls_state_st *
378*/
379
380static void
381extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
382{
383gnutls_cipher_algorithm_t cipher;
384#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
385int old_pool;
386int rc;
387gnutls_datum_t channel;
388#endif
389tls_support * tlsp = state->tlsp;
390
391tlsp->active = state->fd_out;
392
393cipher = gnutls_cipher_get(state->session);
394/* returns size in "bytes" */
395tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
396
397tlsp->cipher = state->ciphersuite;
398
399DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
400
401tlsp->certificate_verified = state->peer_cert_verified;
402
403/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
404only available for use for authenticators while this TLS session is running. */
405
406tls_channelbinding_b64 = NULL;
407#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
408channel.data = NULL;
409channel.size = 0;
410rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
411if (rc) {
412 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
413} else {
414 old_pool = store_pool;
415 store_pool = POOL_PERM;
416 tls_channelbinding_b64 = auth_b64encode(channel.data, (int)channel.size);
417 store_pool = old_pool;
418 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
419}
420#endif
421
422/* peercert is set in peer_status() */
423tlsp->peerdn = state->peerdn;
424tlsp->sni = state->received_sni;
425
426/* record our certificate */
427 {
428 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
429 gnutls_x509_crt_t crt;
430
431 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
432 }
433}
434
435
436
437
438/*************************************************
439* Setup up DH parameters *
440*************************************************/
441
442/* Generating the D-H parameters may take a long time. They only need to
443be re-generated every so often, depending on security policy. What we do is to
444keep these parameters in a file in the spool directory. If the file does not
445exist, we generate them. This means that it is easy to cause a regeneration.
446
447The new file is written as a temporary file and renamed, so that an incomplete
448file is never present. If two processes both compute some new parameters, you
449waste a bit of effort, but it doesn't seem worth messing around with locking to
450prevent this.
451
452Returns: OK/DEFER/FAIL
453*/
454
455static int
456init_server_dh(void)
457{
458int fd, rc;
459unsigned int dh_bits;
460gnutls_datum_t m;
461uschar filename_buf[PATH_MAX];
462uschar *filename = NULL;
463size_t sz;
464uschar *exp_tls_dhparam;
465BOOL use_file_in_spool = FALSE;
466BOOL use_fixed_file = FALSE;
467host_item *host = NULL; /* dummy for macros */
468
469DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
470
471rc = gnutls_dh_params_init(&dh_server_params);
472exim_gnutls_err_check(US"gnutls_dh_params_init");
473
474m.data = NULL;
475m.size = 0;
476
477if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam))
478 return DEFER;
479
480if (!exp_tls_dhparam)
481 {
482 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
483 m.data = US std_dh_prime_default();
484 m.size = Ustrlen(m.data);
485 }
486else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
487 use_file_in_spool = TRUE;
488else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
489 {
490 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
491 return OK;
492 }
493else if (exp_tls_dhparam[0] != '/')
494 {
495 m.data = US std_dh_prime_named(exp_tls_dhparam);
496 if (m.data == NULL)
497 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL);
498 m.size = Ustrlen(m.data);
499 }
500else
501 {
502 use_fixed_file = TRUE;
503 filename = exp_tls_dhparam;
504 }
505
506if (m.data)
507 {
508 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
509 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
510 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
511 return OK;
512 }
513
514#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
515/* If you change this constant, also change dh_param_fn_ext so that we can use a
516different filename and ensure we have sufficient bits. */
517dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
518if (!dh_bits)
519 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL);
520DEBUG(D_tls)
521 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
522 dh_bits);
523#else
524dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
525DEBUG(D_tls)
526 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
527 dh_bits);
528#endif
529
530/* Some clients have hard-coded limits. */
531if (dh_bits > tls_dh_max_bits)
532 {
533 DEBUG(D_tls)
534 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
535 tls_dh_max_bits);
536 dh_bits = tls_dh_max_bits;
537 }
538
539if (use_file_in_spool)
540 {
541 if (!string_format(filename_buf, sizeof(filename_buf),
542 "%s/gnutls-params-%d", spool_directory, dh_bits))
543 return tls_error(US"overlong filename", NULL, NULL);
544 filename = filename_buf;
545 }
546
547/* Open the cache file for reading and if successful, read it and set up the
548parameters. */
549
550fd = Uopen(filename, O_RDONLY, 0);
551if (fd >= 0)
552 {
553 struct stat statbuf;
554 FILE *fp;
555 int saved_errno;
556
557 if (fstat(fd, &statbuf) < 0) /* EIO */
558 {
559 saved_errno = errno;
560 (void)close(fd);
561 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL);
562 }
563 if (!S_ISREG(statbuf.st_mode))
564 {
565 (void)close(fd);
566 return tls_error(US"TLS cache not a file", NULL, NULL);
567 }
568 fp = fdopen(fd, "rb");
569 if (!fp)
570 {
571 saved_errno = errno;
572 (void)close(fd);
573 return tls_error(US"fdopen(TLS cache stat fd) failed",
574 strerror(saved_errno), NULL);
575 }
576
577 m.size = statbuf.st_size;
578 m.data = malloc(m.size);
579 if (m.data == NULL)
580 {
581 fclose(fp);
582 return tls_error(US"malloc failed", strerror(errno), NULL);
583 }
584 sz = fread(m.data, m.size, 1, fp);
585 if (!sz)
586 {
587 saved_errno = errno;
588 fclose(fp);
589 free(m.data);
590 return tls_error(US"fread failed", strerror(saved_errno), NULL);
591 }
592 fclose(fp);
593
594 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
595 free(m.data);
596 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
597 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
598 }
599
600/* If the file does not exist, fall through to compute new data and cache it.
601If there was any other opening error, it is serious. */
602
603else if (errno == ENOENT)
604 {
605 rc = -1;
606 DEBUG(D_tls)
607 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
608 }
609else
610 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
611 NULL, NULL);
612
613/* If ret < 0, either the cache file does not exist, or the data it contains
614is not useful. One particular case of this is when upgrading from an older
615release of Exim in which the data was stored in a different format. We don't
616try to be clever and support both formats; we just regenerate new data in this
617case. */
618
619if (rc < 0)
620 {
621 uschar *temp_fn;
622 unsigned int dh_bits_gen = dh_bits;
623
624 if ((PATH_MAX - Ustrlen(filename)) < 10)
625 return tls_error(US"Filename too long to generate replacement",
626 CS filename, NULL);
627
628 temp_fn = string_copy(US "%s.XXXXXXX");
629 fd = mkstemp(CS temp_fn); /* modifies temp_fn */
630 if (fd < 0)
631 return tls_error(US"Unable to open temp file", strerror(errno), NULL);
632 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
633
634 /* GnuTLS overshoots!
635 * If we ask for 2236, we might get 2237 or more.
636 * But there's no way to ask GnuTLS how many bits there really are.
637 * We can ask how many bits were used in a TLS session, but that's it!
638 * The prime itself is hidden behind too much abstraction.
639 * So we ask for less, and proceed on a wing and a prayer.
640 * First attempt, subtracted 3 for 2233 and got 2240.
641 */
642 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
643 {
644 dh_bits_gen = dh_bits - 10;
645 DEBUG(D_tls)
646 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
647 dh_bits_gen);
648 }
649
650 DEBUG(D_tls)
651 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
652 dh_bits_gen);
653 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
654 exim_gnutls_err_check(US"gnutls_dh_params_generate2");
655
656 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
657 and I confirmed that a NULL call to get the size first is how the GnuTLS
658 sample apps handle this. */
659
660 sz = 0;
661 m.data = NULL;
662 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
663 m.data, &sz);
664 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
665 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3(NULL) sizing");
666 m.size = sz;
667 m.data = malloc(m.size);
668 if (m.data == NULL)
669 return tls_error(US"memory allocation failed", strerror(errno), NULL);
670 /* this will return a size 1 less than the allocation size above */
671 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
672 m.data, &sz);
673 if (rc != GNUTLS_E_SUCCESS)
674 {
675 free(m.data);
676 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3() real");
677 }
678 m.size = sz; /* shrink by 1, probably */
679
680 sz = write_to_fd_buf(fd, m.data, (size_t) m.size);
681 if (sz != m.size)
682 {
683 free(m.data);
684 return tls_error(US"TLS cache write D-H params failed",
685 strerror(errno), NULL);
686 }
687 free(m.data);
688 sz = write_to_fd_buf(fd, US"\n", 1);
689 if (sz != 1)
690 return tls_error(US"TLS cache write D-H params final newline failed",
691 strerror(errno), NULL);
692
693 rc = close(fd);
694 if (rc)
695 return tls_error(US"TLS cache write close() failed",
696 strerror(errno), NULL);
697
698 if (Urename(temp_fn, filename) < 0)
699 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
700 temp_fn, filename), strerror(errno), NULL);
701
702 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
703 }
704
705DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
706return OK;
707}
708
709
710
711
712/*************************************************
713* Variables re-expanded post-SNI *
714*************************************************/
715
716/* Called from both server and client code, via tls_init(), and also from
717the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
718
719We can tell the two apart by state->received_sni being non-NULL in callback.
720
721The callback should not call us unless state->trigger_sni_changes is true,
722which we are responsible for setting on the first pass through.
723
724Arguments:
725 state exim_gnutls_state_st *
726
727Returns: OK/DEFER/FAIL
728*/
729
730static int
731tls_expand_session_files(exim_gnutls_state_st *state)
732{
733struct stat statbuf;
734int rc;
735const host_item *host = state->host; /* macro should be reconsidered? */
736uschar *saved_tls_certificate = NULL;
737uschar *saved_tls_privatekey = NULL;
738uschar *saved_tls_verify_certificates = NULL;
739uschar *saved_tls_crl = NULL;
740int cert_count;
741
742/* We check for tls_sni *before* expansion. */
743if (!host) /* server */
744 {
745 if (!state->received_sni)
746 {
747 if (state->tls_certificate &&
748 (Ustrstr(state->tls_certificate, US"tls_sni") ||
749 Ustrstr(state->tls_certificate, US"tls_in_sni") ||
750 Ustrstr(state->tls_certificate, US"tls_out_sni")
751 ))
752 {
753 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
754 state->trigger_sni_changes = TRUE;
755 }
756 }
757 else
758 {
759 /* useful for debugging */
760 saved_tls_certificate = state->exp_tls_certificate;
761 saved_tls_privatekey = state->exp_tls_privatekey;
762 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
763 saved_tls_crl = state->exp_tls_crl;
764 }
765 }
766
767rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
768exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
769
770/* remember: expand_check_tlsvar() is expand_check() but fiddling with
771state members, assuming consistent naming; and expand_check() returns
772false if expansion failed, unless expansion was forced to fail. */
773
774/* check if we at least have a certificate, before doing expensive
775D-H generation. */
776
777if (!expand_check_tlsvar(tls_certificate))
778 return DEFER;
779
780/* certificate is mandatory in server, optional in client */
781
782if ((state->exp_tls_certificate == NULL) ||
783 (*state->exp_tls_certificate == '\0'))
784 {
785 if (!host)
786 return tls_error(US"no TLS server certificate is specified", NULL, NULL);
787 else
788 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
789 }
790
791if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
792 return DEFER;
793
794/* tls_privatekey is optional, defaulting to same file as certificate */
795
796if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
797 {
798 state->tls_privatekey = state->tls_certificate;
799 state->exp_tls_privatekey = state->exp_tls_certificate;
800 }
801
802
803if (state->exp_tls_certificate && *state->exp_tls_certificate)
804 {
805 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
806 state->exp_tls_certificate, state->exp_tls_privatekey);
807
808 if (state->received_sni)
809 {
810 if ((Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0) &&
811 (Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0))
812 {
813 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
814 }
815 else
816 {
817 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
818 }
819 }
820
821 rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
822 CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
823 GNUTLS_X509_FMT_PEM);
824 exim_gnutls_err_check(
825 string_sprintf("cert/key setup: cert=%s key=%s",
826 state->exp_tls_certificate, state->exp_tls_privatekey));
827 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
828 } /* tls_certificate */
829
830
831/* Set the OCSP stapling server info */
832
833#ifndef DISABLE_OCSP
834if ( !host /* server */
835 && tls_ocsp_file
836 )
837 {
838 if (gnutls_buggy_ocsp)
839 {
840 DEBUG(D_tls) debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
841 }
842 else
843 {
844 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
845 &state->exp_tls_ocsp_file))
846 return DEFER;
847
848 /* Use the full callback method for stapling just to get observability.
849 More efficient would be to read the file once only, if it never changed
850 (due to SNI). Would need restart on file update, or watch datestamp. */
851
852 gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
853 server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
854
855 DEBUG(D_tls) debug_printf("OCSP response file = %s\n", state->exp_tls_ocsp_file);
856 }
857 }
858#endif
859
860
861/* Set the trusted CAs file if one is provided, and then add the CRL if one is
862provided. Experiment shows that, if the certificate file is empty, an unhelpful
863error message is provided. However, if we just refrain from setting anything up
864in that case, certificate verification fails, which seems to be the correct
865behaviour. */
866
867if (state->tls_verify_certificates && *state->tls_verify_certificates)
868 {
869 if (!expand_check_tlsvar(tls_verify_certificates))
870 return DEFER;
871#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
872 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
873 state->exp_tls_verify_certificates = NULL;
874#endif
875 if (state->tls_crl && *state->tls_crl)
876 if (!expand_check_tlsvar(tls_crl))
877 return DEFER;
878
879 if (!(state->exp_tls_verify_certificates &&
880 *state->exp_tls_verify_certificates))
881 {
882 DEBUG(D_tls)
883 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
884 /* With no tls_verify_certificates, we ignore tls_crl too */
885 return OK;
886 }
887 }
888else
889 {
890 DEBUG(D_tls)
891 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
892 return OK;
893 }
894
895#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
896if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
897 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
898else
899#endif
900 {
901 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
902 {
903 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
904 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
905 strerror(errno));
906 return DEFER;
907 }
908
909#ifndef SUPPORT_CA_DIR
910 /* The test suite passes in /dev/null; we could check for that path explicitly,
911 but who knows if someone has some weird FIFO which always dumps some certs, or
912 other weirdness. The thing we really want to check is that it's not a
913 directory, since while OpenSSL supports that, GnuTLS does not.
914 So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
915 if (S_ISDIR(statbuf.st_mode))
916 {
917 DEBUG(D_tls)
918 debug_printf("verify certificates path is a dir: \"%s\"\n",
919 state->exp_tls_verify_certificates);
920 log_write(0, LOG_MAIN|LOG_PANIC,
921 "tls_verify_certificates \"%s\" is a directory",
922 state->exp_tls_verify_certificates);
923 return DEFER;
924 }
925#endif
926
927 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
928 state->exp_tls_verify_certificates, statbuf.st_size);
929
930 if (statbuf.st_size == 0)
931 {
932 DEBUG(D_tls)
933 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
934 return OK;
935 }
936
937 cert_count =
938
939#ifdef SUPPORT_CA_DIR
940 (statbuf.st_mode & S_IFMT) == S_IFDIR
941 ?
942 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
943 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
944 :
945#endif
946 gnutls_certificate_set_x509_trust_file(state->x509_cred,
947 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
948 }
949
950if (cert_count < 0)
951 {
952 rc = cert_count;
953 exim_gnutls_err_check(US"setting certificate trust");
954 }
955DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
956
957if (state->tls_crl && *state->tls_crl &&
958 state->exp_tls_crl && *state->exp_tls_crl)
959 {
960 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
961 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
962 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
963 if (cert_count < 0)
964 {
965 rc = cert_count;
966 exim_gnutls_err_check(US"gnutls_certificate_set_x509_crl_file");
967 }
968 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
969 }
970
971return OK;
972}
973
974
975
976
977/*************************************************
978* Set X.509 state variables *
979*************************************************/
980
981/* In GnuTLS, the registered cert/key are not replaced by a later
982set of a cert/key, so for SNI support we need a whole new x509_cred
983structure. Which means various other non-re-expanded pieces of state
984need to be re-set in the new struct, so the setting logic is pulled
985out to this.
986
987Arguments:
988 state exim_gnutls_state_st *
989
990Returns: OK/DEFER/FAIL
991*/
992
993static int
994tls_set_remaining_x509(exim_gnutls_state_st *state)
995{
996int rc;
997const host_item *host = state->host; /* macro should be reconsidered? */
998
999/* Create D-H parameters, or read them from the cache file. This function does
1000its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1001client-side params. */
1002
1003if (!state->host)
1004 {
1005 if (!dh_server_params)
1006 {
1007 rc = init_server_dh();
1008 if (rc != OK) return rc;
1009 }
1010 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1011 }
1012
1013/* Link the credentials to the session. */
1014
1015rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
1016exim_gnutls_err_check(US"gnutls_credentials_set");
1017
1018return OK;
1019}
1020
1021/*************************************************
1022* Initialize for GnuTLS *
1023*************************************************/
1024
1025
1026#ifndef DISABLE_OCSP
1027
1028static BOOL
1029tls_is_buggy_ocsp(void)
1030{
1031const uschar * s;
1032uschar maj, mid, mic;
1033
1034s = CUS gnutls_check_version(NULL);
1035maj = atoi(CCS s);
1036if (maj == 3)
1037 {
1038 while (*s && *s != '.') s++;
1039 mid = atoi(CCS ++s);
1040 if (mid <= 2)
1041 return TRUE;
1042 else if (mid >= 5)
1043 return FALSE;
1044 else
1045 {
1046 while (*s && *s != '.') s++;
1047 mic = atoi(CCS ++s);
1048 return mic <= (mid == 3 ? 16 : 3);
1049 }
1050 }
1051return FALSE;
1052}
1053
1054#endif
1055
1056
1057/* Called from both server and client code. In the case of a server, errors
1058before actual TLS negotiation return DEFER.
1059
1060Arguments:
1061 host connected host, if client; NULL if server
1062 certificate certificate file
1063 privatekey private key file
1064 sni TLS SNI to send, sometimes when client; else NULL
1065 cas CA certs file
1066 crl CRL file
1067 require_ciphers tls_require_ciphers setting
1068 caller_state returned state-info structure
1069
1070Returns: OK/DEFER/FAIL
1071*/
1072
1073static int
1074tls_init(
1075 const host_item *host,
1076 const uschar *certificate,
1077 const uschar *privatekey,
1078 const uschar *sni,
1079 const uschar *cas,
1080 const uschar *crl,
1081 const uschar *require_ciphers,
1082 exim_gnutls_state_st **caller_state)
1083{
1084exim_gnutls_state_st *state;
1085int rc;
1086size_t sz;
1087const char *errpos;
1088uschar *p;
1089BOOL want_default_priorities;
1090
1091if (!exim_gnutls_base_init_done)
1092 {
1093 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1094
1095#ifdef HAVE_GNUTLS_PKCS11
1096 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1097 which loads modules from a config file, which sounds good and may be wanted
1098 by some sysadmin, but also means in common configurations that GNOME keyring
1099 environment variables are used and so breaks for users calling mailq.
1100 To prevent this, we init PKCS11 first, which is the documented approach. */
1101 if (!gnutls_allow_auto_pkcs11)
1102 {
1103 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
1104 exim_gnutls_err_check(US"gnutls_pkcs11_init");
1105 }
1106#endif
1107
1108 rc = gnutls_global_init();
1109 exim_gnutls_err_check(US"gnutls_global_init");
1110
1111#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1112 DEBUG(D_tls)
1113 {
1114 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1115 /* arbitrarily chosen level; bump upto 9 for more */
1116 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
1117 }
1118#endif
1119
1120#ifndef DISABLE_OCSP
1121 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
1122 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
1123#endif
1124
1125 exim_gnutls_base_init_done = TRUE;
1126 }
1127
1128if (host)
1129 {
1130 state = &state_client;
1131 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1132 state->tlsp = &tls_out;
1133 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1134 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1135 }
1136else
1137 {
1138 state = &state_server;
1139 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1140 state->tlsp = &tls_in;
1141 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1142 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1143 }
1144exim_gnutls_err_check(US"gnutls_init");
1145
1146state->host = host;
1147
1148state->tls_certificate = certificate;
1149state->tls_privatekey = privatekey;
1150state->tls_require_ciphers = require_ciphers;
1151state->tls_sni = sni;
1152state->tls_verify_certificates = cas;
1153state->tls_crl = crl;
1154
1155/* This handles the variables that might get re-expanded after TLS SNI;
1156that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
1157
1158DEBUG(D_tls)
1159 debug_printf("Expanding various TLS configuration options for session credentials.\n");
1160rc = tls_expand_session_files(state);
1161if (rc != OK) return rc;
1162
1163/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1164requires a new structure afterwards. */
1165
1166rc = tls_set_remaining_x509(state);
1167if (rc != OK) return rc;
1168
1169/* set SNI in client, only */
1170if (host)
1171 {
1172 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni))
1173 return DEFER;
1174 if (state->tlsp->sni && *state->tlsp->sni)
1175 {
1176 DEBUG(D_tls)
1177 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1178 sz = Ustrlen(state->tlsp->sni);
1179 rc = gnutls_server_name_set(state->session,
1180 GNUTLS_NAME_DNS, state->tlsp->sni, sz);
1181 exim_gnutls_err_check(US"gnutls_server_name_set");
1182 }
1183 }
1184else if (state->tls_sni)
1185 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1186 "have an SNI set for a client [%s]\n", state->tls_sni);
1187
1188/* This is the priority string support,
1189http://www.gnutls.org/manual/html_node/Priority-Strings.html
1190and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1191This was backwards incompatible, but means Exim no longer needs to track
1192all algorithms and provide string forms for them. */
1193
1194want_default_priorities = TRUE;
1195
1196if (state->tls_require_ciphers && *state->tls_require_ciphers)
1197 {
1198 if (!expand_check_tlsvar(tls_require_ciphers))
1199 return DEFER;
1200 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
1201 {
1202 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1203 state->exp_tls_require_ciphers);
1204
1205 rc = gnutls_priority_init(&state->priority_cache,
1206 CS state->exp_tls_require_ciphers, &errpos);
1207 want_default_priorities = FALSE;
1208 p = state->exp_tls_require_ciphers;
1209 }
1210 }
1211if (want_default_priorities)
1212 {
1213 DEBUG(D_tls)
1214 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1215 exim_default_gnutls_priority);
1216 rc = gnutls_priority_init(&state->priority_cache,
1217 exim_default_gnutls_priority, &errpos);
1218 p = US exim_default_gnutls_priority;
1219 }
1220
1221exim_gnutls_err_check(string_sprintf(
1222 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1223 p, errpos - CS p, errpos));
1224
1225rc = gnutls_priority_set(state->session, state->priority_cache);
1226exim_gnutls_err_check(US"gnutls_priority_set");
1227
1228gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1229
1230/* Reduce security in favour of increased compatibility, if the admin
1231decides to make that trade-off. */
1232if (gnutls_compat_mode)
1233 {
1234#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1235 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1236 gnutls_session_enable_compatibility_mode(state->session);
1237#else
1238 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1239#endif
1240 }
1241
1242*caller_state = state;
1243return OK;
1244}
1245
1246
1247
1248/*************************************************
1249* Extract peer information *
1250*************************************************/
1251
1252/* Called from both server and client code.
1253Only this is allowed to set state->peerdn and state->have_set_peerdn
1254and we use that to detect double-calls.
1255
1256NOTE: the state blocks last while the TLS connection is up, which is fine
1257for logging in the server side, but for the client side, we log after teardown
1258in src/deliver.c. While the session is up, we can twist about states and
1259repoint tls_* globals, but those variables used for logging or other variable
1260expansion that happens _after_ delivery need to have a longer life-time.
1261
1262So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1263doing this more than once per generation of a state context. We set them in
1264the state context, and repoint tls_* to them. After the state goes away, the
1265tls_* copies of the pointers remain valid and client delivery logging is happy.
1266
1267tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1268don't apply.
1269
1270Arguments:
1271 state exim_gnutls_state_st *
1272
1273Returns: OK/DEFER/FAIL
1274*/
1275
1276static int
1277peer_status(exim_gnutls_state_st *state)
1278{
1279uschar cipherbuf[256];
1280const gnutls_datum_t *cert_list;
1281int old_pool, rc;
1282unsigned int cert_list_size = 0;
1283gnutls_protocol_t protocol;
1284gnutls_cipher_algorithm_t cipher;
1285gnutls_kx_algorithm_t kx;
1286gnutls_mac_algorithm_t mac;
1287gnutls_certificate_type_t ct;
1288gnutls_x509_crt_t crt;
1289uschar *p, *dn_buf;
1290size_t sz;
1291
1292if (state->have_set_peerdn)
1293 return OK;
1294state->have_set_peerdn = TRUE;
1295
1296state->peerdn = NULL;
1297
1298/* tls_cipher */
1299cipher = gnutls_cipher_get(state->session);
1300protocol = gnutls_protocol_get_version(state->session);
1301mac = gnutls_mac_get(state->session);
1302kx = gnutls_kx_get(state->session);
1303
1304string_format(cipherbuf, sizeof(cipherbuf),
1305 "%s:%s:%d",
1306 gnutls_protocol_get_name(protocol),
1307 gnutls_cipher_suite_get_name(kx, cipher, mac),
1308 (int) gnutls_cipher_get_key_size(cipher) * 8);
1309
1310/* I don't see a way that spaces could occur, in the current GnuTLS
1311code base, but it was a concern in the old code and perhaps older GnuTLS
1312releases did return "TLS 1.0"; play it safe, just in case. */
1313for (p = cipherbuf; *p != '\0'; ++p)
1314 if (isspace(*p))
1315 *p = '-';
1316old_pool = store_pool;
1317store_pool = POOL_PERM;
1318state->ciphersuite = string_copy(cipherbuf);
1319store_pool = old_pool;
1320state->tlsp->cipher = state->ciphersuite;
1321
1322/* tls_peerdn */
1323cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
1324
1325if (cert_list == NULL || cert_list_size == 0)
1326 {
1327 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1328 cert_list, cert_list_size);
1329 if (state->verify_requirement >= VERIFY_REQUIRED)
1330 return tls_error(US"certificate verification failed",
1331 "no certificate received from peer", state->host);
1332 return OK;
1333 }
1334
1335ct = gnutls_certificate_type_get(state->session);
1336if (ct != GNUTLS_CRT_X509)
1337 {
1338 const char *ctn = gnutls_certificate_type_get_name(ct);
1339 DEBUG(D_tls)
1340 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
1341 if (state->verify_requirement >= VERIFY_REQUIRED)
1342 return tls_error(US"certificate verification not possible, unhandled type",
1343 ctn, state->host);
1344 return OK;
1345 }
1346
1347#define exim_gnutls_peer_err(Label) \
1348 do { \
1349 if (rc != GNUTLS_E_SUCCESS) \
1350 { \
1351 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1352 (Label), gnutls_strerror(rc)); \
1353 if (state->verify_requirement >= VERIFY_REQUIRED) \
1354 return tls_error((Label), gnutls_strerror(rc), state->host); \
1355 return OK; \
1356 } \
1357 } while (0)
1358
1359rc = import_cert(&cert_list[0], &crt);
1360exim_gnutls_peer_err(US"cert 0");
1361
1362state->tlsp->peercert = state->peercert = crt;
1363
1364sz = 0;
1365rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1366if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
1367 {
1368 exim_gnutls_peer_err(US"getting size for cert DN failed");
1369 return FAIL; /* should not happen */
1370 }
1371dn_buf = store_get_perm(sz);
1372rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1373exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
1374
1375state->peerdn = dn_buf;
1376
1377return OK;
1378#undef exim_gnutls_peer_err
1379}
1380
1381
1382
1383
1384/*************************************************
1385* Verify peer certificate *
1386*************************************************/
1387
1388/* Called from both server and client code.
1389*Should* be using a callback registered with
1390gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1391the peer information, but that's too new for some OSes.
1392
1393Arguments:
1394 state exim_gnutls_state_st *
1395 error where to put an error message
1396
1397Returns:
1398 FALSE if the session should be rejected
1399 TRUE if the cert is okay or we just don't care
1400*/
1401
1402static BOOL
1403verify_certificate(exim_gnutls_state_st *state, const char **error)
1404{
1405int rc;
1406unsigned int verify;
1407
1408*error = NULL;
1409
1410if ((rc = peer_status(state)) != OK)
1411 {
1412 verify = GNUTLS_CERT_INVALID;
1413 *error = "certificate not supplied";
1414 }
1415else
1416 rc = gnutls_certificate_verify_peers2(state->session, &verify);
1417
1418/* Handle the result of verification. INVALID seems to be set as well
1419as REVOKED, but leave the test for both. */
1420
1421if (rc < 0 ||
1422 verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
1423 )
1424 {
1425 state->peer_cert_verified = FALSE;
1426 if (!*error)
1427 *error = verify & GNUTLS_CERT_REVOKED
1428 ? "certificate revoked" : "certificate invalid";
1429
1430 DEBUG(D_tls)
1431 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
1432 *error, state->peerdn ? state->peerdn : US"<unset>");
1433
1434 if (state->verify_requirement >= VERIFY_REQUIRED)
1435 {
1436 gnutls_alert_send(state->session,
1437 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1438 return FALSE;
1439 }
1440 DEBUG(D_tls)
1441 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
1442 }
1443
1444else
1445 {
1446 if (state->exp_tls_verify_cert_hostnames)
1447 {
1448 int sep = 0;
1449 const uschar * list = state->exp_tls_verify_cert_hostnames;
1450 uschar * name;
1451 while (name = string_nextinlist(&list, &sep, NULL, 0))
1452 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
1453 break;
1454 if (!name)
1455 {
1456 DEBUG(D_tls)
1457 debug_printf("TLS certificate verification failed: cert name mismatch\n");
1458 if (state->verify_requirement >= VERIFY_REQUIRED)
1459 {
1460 gnutls_alert_send(state->session,
1461 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1462 return FALSE;
1463 }
1464 return TRUE;
1465 }
1466 }
1467 state->peer_cert_verified = TRUE;
1468 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
1469 state->peerdn ? state->peerdn : US"<unset>");
1470 }
1471
1472state->tlsp->peerdn = state->peerdn;
1473
1474return TRUE;
1475}
1476
1477
1478
1479
1480/* ------------------------------------------------------------------------ */
1481/* Callbacks */
1482
1483/* Logging function which can be registered with
1484 * gnutls_global_set_log_function()
1485 * gnutls_global_set_log_level() 0..9
1486 */
1487#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1488static void
1489exim_gnutls_logger_cb(int level, const char *message)
1490{
1491 size_t len = strlen(message);
1492 if (len < 1)
1493 {
1494 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1495 return;
1496 }
1497 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1498 message[len-1] == '\n' ? "" : "\n");
1499}
1500#endif
1501
1502
1503/* Called after client hello, should handle SNI work.
1504This will always set tls_sni (state->received_sni) if available,
1505and may trigger presenting different certificates,
1506if state->trigger_sni_changes is TRUE.
1507
1508Should be registered with
1509 gnutls_handshake_set_post_client_hello_function()
1510
1511"This callback must return 0 on success or a gnutls error code to terminate the
1512handshake.".
1513
1514For inability to get SNI information, we return 0.
1515We only return non-zero if re-setup failed.
1516Only used for server-side TLS.
1517*/
1518
1519static int
1520exim_sni_handling_cb(gnutls_session_t session)
1521{
1522char sni_name[MAX_HOST_LEN];
1523size_t data_len = MAX_HOST_LEN;
1524exim_gnutls_state_st *state = &state_server;
1525unsigned int sni_type;
1526int rc, old_pool;
1527
1528rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
1529if (rc != GNUTLS_E_SUCCESS)
1530 {
1531 DEBUG(D_tls) {
1532 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1533 debug_printf("TLS: no SNI presented in handshake.\n");
1534 else
1535 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1536 gnutls_strerror(rc), rc);
1537 };
1538 return 0;
1539 }
1540
1541if (sni_type != GNUTLS_NAME_DNS)
1542 {
1543 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1544 return 0;
1545 }
1546
1547/* We now have a UTF-8 string in sni_name */
1548old_pool = store_pool;
1549store_pool = POOL_PERM;
1550state->received_sni = string_copyn(US sni_name, data_len);
1551store_pool = old_pool;
1552
1553/* We set this one now so that variable expansions below will work */
1554state->tlsp->sni = state->received_sni;
1555
1556DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1557 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1558
1559if (!state->trigger_sni_changes)
1560 return 0;
1561
1562rc = tls_expand_session_files(state);
1563if (rc != OK)
1564 {
1565 /* If the setup of certs/etc failed before handshake, TLS would not have
1566 been offered. The best we can do now is abort. */
1567 return GNUTLS_E_APPLICATION_ERROR_MIN;
1568 }
1569
1570rc = tls_set_remaining_x509(state);
1571if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1572
1573return 0;
1574}
1575
1576
1577
1578#ifndef DISABLE_OCSP
1579
1580static int
1581server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1582 gnutls_datum_t * ocsp_response)
1583{
1584int ret;
1585
1586if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1587 {
1588 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
1589 (char *)ptr);
1590 tls_in.ocsp = OCSP_NOT_RESP;
1591 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1592 }
1593
1594tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1595return 0;
1596}
1597
1598#endif
1599
1600
1601#ifndef DISABLE_EVENT
1602/*
1603We use this callback to get observability and detail-level control
1604for an exim TLS connection (either direction), raising a tls:cert event
1605for each cert in the chain presented by the peer. Any event
1606can deny verification.
1607
1608Return 0 for the handshake to continue or non-zero to terminate.
1609*/
1610
1611static int
1612verify_cb(gnutls_session_t session)
1613{
1614const gnutls_datum_t * cert_list;
1615unsigned int cert_list_size = 0;
1616gnutls_x509_crt_t crt;
1617int rc;
1618uschar * yield;
1619exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
1620
1621cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1622if (cert_list)
1623 while (cert_list_size--)
1624 {
1625 rc = import_cert(&cert_list[cert_list_size], &crt);
1626 if (rc != GNUTLS_E_SUCCESS)
1627 {
1628 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
1629 cert_list_size, gnutls_strerror(rc));
1630 break;
1631 }
1632
1633 state->tlsp->peercert = crt;
1634 if ((yield = event_raise(state->event_action,
1635 US"tls:cert", string_sprintf("%d", cert_list_size))))
1636 {
1637 log_write(0, LOG_MAIN,
1638 "SSL verify denied by event-action: depth=%d: %s",
1639 cert_list_size, yield);
1640 return 1; /* reject */
1641 }
1642 state->tlsp->peercert = NULL;
1643 }
1644
1645return 0;
1646}
1647
1648#endif
1649
1650
1651
1652/* ------------------------------------------------------------------------ */
1653/* Exported functions */
1654
1655
1656
1657
1658/*************************************************
1659* Start a TLS session in a server *
1660*************************************************/
1661
1662/* This is called when Exim is running as a server, after having received
1663the STARTTLS command. It must respond to that command, and then negotiate
1664a TLS session.
1665
1666Arguments:
1667 require_ciphers list of allowed ciphers or NULL
1668
1669Returns: OK on success
1670 DEFER for errors before the start of the negotiation
1671 FAIL for errors during the negotation; the server can't
1672 continue running.
1673*/
1674
1675int
1676tls_server_start(const uschar *require_ciphers)
1677{
1678int rc;
1679const char *error;
1680exim_gnutls_state_st *state = NULL;
1681
1682/* Check for previous activation */
1683if (tls_in.active >= 0)
1684 {
1685 tls_error(US"STARTTLS received after TLS started", "", NULL);
1686 smtp_printf("554 Already in TLS\r\n");
1687 return FAIL;
1688 }
1689
1690/* Initialize the library. If it fails, it will already have logged the error
1691and sent an SMTP response. */
1692
1693DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
1694
1695rc = tls_init(NULL, tls_certificate, tls_privatekey,
1696 NULL, tls_verify_certificates, tls_crl,
1697 require_ciphers, &state);
1698if (rc != OK) return rc;
1699
1700/* If this is a host for which certificate verification is mandatory or
1701optional, set up appropriately. */
1702
1703if (verify_check_host(&tls_verify_hosts) == OK)
1704 {
1705 DEBUG(D_tls)
1706 debug_printf("TLS: a client certificate will be required.\n");
1707 state->verify_requirement = VERIFY_REQUIRED;
1708 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1709 }
1710else if (verify_check_host(&tls_try_verify_hosts) == OK)
1711 {
1712 DEBUG(D_tls)
1713 debug_printf("TLS: a client certificate will be requested but not required.\n");
1714 state->verify_requirement = VERIFY_OPTIONAL;
1715 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1716 }
1717else
1718 {
1719 DEBUG(D_tls)
1720 debug_printf("TLS: a client certificate will not be requested.\n");
1721 state->verify_requirement = VERIFY_NONE;
1722 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1723 }
1724
1725#ifndef DISABLE_EVENT
1726if (event_action)
1727 {
1728 state->event_action = event_action;
1729 gnutls_session_set_ptr(state->session, state);
1730 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
1731 }
1732#endif
1733
1734/* Register SNI handling; always, even if not in tls_certificate, so that the
1735expansion variable $tls_sni is always available. */
1736
1737gnutls_handshake_set_post_client_hello_function(state->session,
1738 exim_sni_handling_cb);
1739
1740/* Set context and tell client to go ahead, except in the case of TLS startup
1741on connection, where outputting anything now upsets the clients and tends to
1742make them disconnect. We need to have an explicit fflush() here, to force out
1743the response. Other smtp_printf() calls do not need it, because in non-TLS
1744mode, the fflush() happens when smtp_getc() is called. */
1745
1746if (!state->tlsp->on_connect)
1747 {
1748 smtp_printf("220 TLS go ahead\r\n");
1749 fflush(smtp_out);
1750 }
1751
1752/* Now negotiate the TLS session. We put our own timer on it, since it seems
1753that the GnuTLS library doesn't. */
1754
1755gnutls_transport_set_ptr2(state->session,
1756 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
1757 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
1758state->fd_in = fileno(smtp_in);
1759state->fd_out = fileno(smtp_out);
1760
1761sigalrm_seen = FALSE;
1762if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1763do
1764 {
1765 rc = gnutls_handshake(state->session);
1766 } while ((rc == GNUTLS_E_AGAIN) ||
1767 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1768alarm(0);
1769
1770if (rc != GNUTLS_E_SUCCESS)
1771 {
1772 tls_error(US"gnutls_handshake",
1773 sigalrm_seen ? "timed out" : gnutls_strerror(rc), NULL);
1774 /* It seems that, except in the case of a timeout, we have to close the
1775 connection right here; otherwise if the other end is running OpenSSL it hangs
1776 until the server times out. */
1777
1778 if (!sigalrm_seen)
1779 {
1780 (void)fclose(smtp_out);
1781 (void)fclose(smtp_in);
1782 }
1783
1784 return FAIL;
1785 }
1786
1787DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1788
1789/* Verify after the fact */
1790
1791if ( state->verify_requirement != VERIFY_NONE
1792 && !verify_certificate(state, &error))
1793 {
1794 if (state->verify_requirement != VERIFY_OPTIONAL)
1795 {
1796 tls_error(US"certificate verification failed", error, NULL);
1797 return FAIL;
1798 }
1799 DEBUG(D_tls)
1800 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
1801 error);
1802 }
1803
1804/* Figure out peer DN, and if authenticated, etc. */
1805
1806rc = peer_status(state);
1807if (rc != OK) return rc;
1808
1809/* Sets various Exim expansion variables; always safe within server */
1810
1811extract_exim_vars_from_tls_state(state);
1812
1813/* TLS has been set up. Adjust the input functions to read via TLS,
1814and initialize appropriately. */
1815
1816state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1817
1818receive_getc = tls_getc;
1819receive_ungetc = tls_ungetc;
1820receive_feof = tls_feof;
1821receive_ferror = tls_ferror;
1822receive_smtp_buffered = tls_smtp_buffered;
1823
1824return OK;
1825}
1826
1827
1828
1829
1830static void
1831tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
1832 smtp_transport_options_block * ob)
1833{
1834if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
1835 {
1836 state->exp_tls_verify_cert_hostnames =
1837#ifdef SUPPORT_I18N
1838 string_domain_utf8_to_alabel(host->name, NULL);
1839#else
1840 host->name;
1841#endif
1842 DEBUG(D_tls)
1843 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
1844 state->exp_tls_verify_cert_hostnames);
1845 }
1846}
1847
1848
1849/*************************************************
1850* Start a TLS session in a client *
1851*************************************************/
1852
1853/* Called from the smtp transport after STARTTLS has been accepted.
1854
1855Arguments:
1856 fd the fd of the connection
1857 host connected host (for messages)
1858 addr the first address (not used)
1859 tb transport (always smtp)
1860
1861Returns: OK/DEFER/FAIL (because using common functions),
1862 but for a client, DEFER and FAIL have the same meaning
1863*/
1864
1865int
1866tls_client_start(int fd, host_item *host,
1867 address_item *addr ARG_UNUSED,
1868 transport_instance *tb
1869#ifdef EXPERIMENTAL_DANE
1870 , dne_answer * unused_tlsa_dnsa
1871#endif
1872 )
1873{
1874smtp_transport_options_block *ob =
1875 (smtp_transport_options_block *)tb->options_block;
1876int rc;
1877const char *error;
1878exim_gnutls_state_st *state = NULL;
1879#ifndef DISABLE_OCSP
1880BOOL require_ocsp =
1881 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
1882BOOL request_ocsp = require_ocsp ? TRUE
1883 : verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
1884#endif
1885
1886DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
1887
1888if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
1889 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
1890 ob->tls_require_ciphers, &state)) != OK)
1891 return rc;
1892
1893 {
1894 int dh_min_bits = ob->tls_dh_min_bits;
1895 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
1896 {
1897 DEBUG(D_tls)
1898 debug_printf("WARNING: tls_dh_min_bits far too low,"
1899 " clamping %d up to %d\n",
1900 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
1901 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
1902 }
1903
1904 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
1905 " acceptable bits to %d\n",
1906 dh_min_bits);
1907 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
1908 }
1909
1910/* Stick to the old behaviour for compatibility if tls_verify_certificates is
1911set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
1912the specified host patterns if one of them is defined */
1913
1914if ( ( state->exp_tls_verify_certificates
1915 && !ob->tls_verify_hosts
1916 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
1917 )
1918 || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
1919 )
1920 {
1921 tls_client_setup_hostname_checks(host, state, ob);
1922 DEBUG(D_tls)
1923 debug_printf("TLS: server certificate verification required.\n");
1924 state->verify_requirement = VERIFY_REQUIRED;
1925 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1926 }
1927else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
1928 {
1929 tls_client_setup_hostname_checks(host, state, ob);
1930 DEBUG(D_tls)
1931 debug_printf("TLS: server certificate verification optional.\n");
1932 state->verify_requirement = VERIFY_OPTIONAL;
1933 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1934 }
1935else
1936 {
1937 DEBUG(D_tls)
1938 debug_printf("TLS: server certificate verification not required.\n");
1939 state->verify_requirement = VERIFY_NONE;
1940 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1941 }
1942
1943#ifndef DISABLE_OCSP
1944 /* supported since GnuTLS 3.1.3 */
1945if (request_ocsp)
1946 {
1947 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
1948 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
1949 NULL, 0, NULL)) != OK)
1950 return tls_error(US"cert-status-req",
1951 gnutls_strerror(rc), state->host);
1952 tls_out.ocsp = OCSP_NOT_RESP;
1953 }
1954#endif
1955
1956#ifndef DISABLE_EVENT
1957if (tb->event_action)
1958 {
1959 state->event_action = tb->event_action;
1960 gnutls_session_set_ptr(state->session, state);
1961 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
1962 }
1963#endif
1964
1965gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) fd);
1966state->fd_in = fd;
1967state->fd_out = fd;
1968
1969DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
1970/* There doesn't seem to be a built-in timeout on connection. */
1971
1972sigalrm_seen = FALSE;
1973alarm(ob->command_timeout);
1974do
1975 {
1976 rc = gnutls_handshake(state->session);
1977 } while ((rc == GNUTLS_E_AGAIN) ||
1978 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1979alarm(0);
1980
1981if (rc != GNUTLS_E_SUCCESS)
1982 return tls_error(US"gnutls_handshake",
1983 sigalrm_seen ? "timed out" : gnutls_strerror(rc), state->host);
1984
1985DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1986
1987/* Verify late */
1988
1989if (state->verify_requirement != VERIFY_NONE &&
1990 !verify_certificate(state, &error))
1991 return tls_error(US"certificate verification failed", error, state->host);
1992
1993#ifndef DISABLE_OCSP
1994if (require_ocsp)
1995 {
1996 DEBUG(D_tls)
1997 {
1998 gnutls_datum_t stapling;
1999 gnutls_ocsp_resp_t resp;
2000 gnutls_datum_t printed;
2001 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
2002 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
2003 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2004 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
2005 )
2006 {
2007 debug_printf("%.4096s", printed.data);
2008 gnutls_free(printed.data);
2009 }
2010 else
2011 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host);
2012 }
2013
2014 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
2015 {
2016 tls_out.ocsp = OCSP_FAILED;
2017 return tls_error(US"certificate status check failed", NULL, state->host);
2018 }
2019 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
2020 tls_out.ocsp = OCSP_VFIED;
2021 }
2022#endif
2023
2024/* Figure out peer DN, and if authenticated, etc. */
2025
2026if ((rc = peer_status(state)) != OK)
2027 return rc;
2028
2029/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
2030
2031extract_exim_vars_from_tls_state(state);
2032
2033return OK;
2034}
2035
2036
2037
2038
2039/*************************************************
2040* Close down a TLS session *
2041*************************************************/
2042
2043/* This is also called from within a delivery subprocess forked from the
2044daemon, to shut down the TLS library, without actually doing a shutdown (which
2045would tamper with the TLS session in the parent process).
2046
2047Arguments: TRUE if gnutls_bye is to be called
2048Returns: nothing
2049*/
2050
2051void
2052tls_close(BOOL is_server, BOOL shutdown)
2053{
2054exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
2055
2056if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
2057
2058if (shutdown)
2059 {
2060 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
2061 gnutls_bye(state->session, GNUTLS_SHUT_WR);
2062 }
2063
2064gnutls_deinit(state->session);
2065
2066state->tlsp->active = -1;
2067memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
2068
2069if ((state_server.session == NULL) && (state_client.session == NULL))
2070 {
2071 gnutls_global_deinit();
2072 exim_gnutls_base_init_done = FALSE;
2073 }
2074
2075}
2076
2077
2078
2079
2080/*************************************************
2081* TLS version of getc *
2082*************************************************/
2083
2084/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2085it refills the buffer via the GnuTLS reading function.
2086Only used by the server-side TLS.
2087
2088This feeds DKIM and should be used for all message-body reads.
2089
2090Arguments: none
2091Returns: the next character or EOF
2092*/
2093
2094int
2095tls_getc(void)
2096{
2097exim_gnutls_state_st *state = &state_server;
2098if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2099 {
2100 ssize_t inbytes;
2101
2102 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2103 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
2104
2105 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2106 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
2107 ssl_xfer_buffer_size);
2108 alarm(0);
2109
2110 /* A zero-byte return appears to mean that the TLS session has been
2111 closed down, not that the socket itself has been closed down. Revert to
2112 non-TLS handling. */
2113
2114 if (inbytes == 0)
2115 {
2116 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2117
2118 receive_getc = smtp_getc;
2119 receive_ungetc = smtp_ungetc;
2120 receive_feof = smtp_feof;
2121 receive_ferror = smtp_ferror;
2122 receive_smtp_buffered = smtp_buffered;
2123
2124 gnutls_deinit(state->session);
2125 state->session = NULL;
2126 state->tlsp->active = -1;
2127 state->tlsp->bits = 0;
2128 state->tlsp->certificate_verified = FALSE;
2129 tls_channelbinding_b64 = NULL;
2130 state->tlsp->cipher = NULL;
2131 state->tlsp->peercert = NULL;
2132 state->tlsp->peerdn = NULL;
2133
2134 return smtp_getc();
2135 }
2136
2137 /* Handle genuine errors */
2138
2139 else if (inbytes < 0)
2140 {
2141 record_io_error(state, (int) inbytes, US"recv", NULL);
2142 state->xfer_error = 1;
2143 return EOF;
2144 }
2145#ifndef DISABLE_DKIM
2146 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
2147#endif
2148 state->xfer_buffer_hwm = (int) inbytes;
2149 state->xfer_buffer_lwm = 0;
2150 }
2151
2152/* Something in the buffer; return next uschar */
2153
2154return state->xfer_buffer[state->xfer_buffer_lwm++];
2155}
2156
2157
2158
2159
2160/*************************************************
2161* Read bytes from TLS channel *
2162*************************************************/
2163
2164/* This does not feed DKIM, so if the caller uses this for reading message body,
2165then the caller must feed DKIM.
2166
2167Arguments:
2168 buff buffer of data
2169 len size of buffer
2170
2171Returns: the number of bytes read
2172 -1 after a failed read
2173*/
2174
2175int
2176tls_read(BOOL is_server, uschar *buff, size_t len)
2177{
2178exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
2179ssize_t inbytes;
2180
2181if (len > INT_MAX)
2182 len = INT_MAX;
2183
2184if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
2185 DEBUG(D_tls)
2186 debug_printf("*** PROBABLY A BUG *** " \
2187 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
2188 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
2189
2190DEBUG(D_tls)
2191 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
2192 state->session, buff, len);
2193
2194inbytes = gnutls_record_recv(state->session, buff, len);
2195if (inbytes > 0) return inbytes;
2196if (inbytes == 0)
2197 {
2198 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2199 }
2200else record_io_error(state, (int)inbytes, US"recv", NULL);
2201
2202return -1;
2203}
2204
2205
2206
2207
2208/*************************************************
2209* Write bytes down TLS channel *
2210*************************************************/
2211
2212/*
2213Arguments:
2214 is_server channel specifier
2215 buff buffer of data
2216 len number of bytes
2217
2218Returns: the number of bytes after a successful write,
2219 -1 after a failed write
2220*/
2221
2222int
2223tls_write(BOOL is_server, const uschar *buff, size_t len)
2224{
2225ssize_t outbytes;
2226size_t left = len;
2227exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
2228
2229DEBUG(D_tls) debug_printf("tls_do_write(%p, " SIZE_T_FMT ")\n", buff, left);
2230while (left > 0)
2231 {
2232 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
2233 buff, left);
2234 outbytes = gnutls_record_send(state->session, buff, left);
2235
2236 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
2237 if (outbytes < 0)
2238 {
2239 record_io_error(state, outbytes, US"send", NULL);
2240 return -1;
2241 }
2242 if (outbytes == 0)
2243 {
2244 record_io_error(state, 0, US"send", US"TLS channel closed on write");
2245 return -1;
2246 }
2247
2248 left -= outbytes;
2249 buff += outbytes;
2250 }
2251
2252if (len > INT_MAX)
2253 {
2254 DEBUG(D_tls)
2255 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
2256 len);
2257 len = INT_MAX;
2258 }
2259
2260return (int) len;
2261}
2262
2263
2264
2265
2266/*************************************************
2267* Random number generation *
2268*************************************************/
2269
2270/* Pseudo-random number generation. The result is not expected to be
2271cryptographically strong but not so weak that someone will shoot themselves
2272in the foot using it as a nonce in input in some email header scheme or
2273whatever weirdness they'll twist this into. The result should handle fork()
2274and avoid repeating sequences. OpenSSL handles that for us.
2275
2276Arguments:
2277 max range maximum
2278Returns a random number in range [0, max-1]
2279*/
2280
2281#ifdef HAVE_GNUTLS_RND
2282int
2283vaguely_random_number(int max)
2284{
2285unsigned int r;
2286int i, needed_len;
2287uschar *p;
2288uschar smallbuf[sizeof(r)];
2289
2290if (max <= 1)
2291 return 0;
2292
2293needed_len = sizeof(r);
2294/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2295 * asked for a number less than 10. */
2296for (r = max, i = 0; r; ++i)
2297 r >>= 1;
2298i = (i + 7) / 8;
2299if (i < needed_len)
2300 needed_len = i;
2301
2302i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2303if (i < 0)
2304 {
2305 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2306 return vaguely_random_number_fallback(max);
2307 }
2308r = 0;
2309for (p = smallbuf; needed_len; --needed_len, ++p)
2310 {
2311 r *= 256;
2312 r += *p;
2313 }
2314
2315/* We don't particularly care about weighted results; if someone wants
2316 * smooth distribution and cares enough then they should submit a patch then. */
2317return r % max;
2318}
2319#else /* HAVE_GNUTLS_RND */
2320int
2321vaguely_random_number(int max)
2322{
2323 return vaguely_random_number_fallback(max);
2324}
2325#endif /* HAVE_GNUTLS_RND */
2326
2327
2328
2329
2330/*************************************************
2331* Let tls_require_ciphers be checked at startup *
2332*************************************************/
2333
2334/* The tls_require_ciphers option, if set, must be something which the
2335library can parse.
2336
2337Returns: NULL on success, or error message
2338*/
2339
2340uschar *
2341tls_validate_require_cipher(void)
2342{
2343int rc;
2344uschar *expciphers = NULL;
2345gnutls_priority_t priority_cache;
2346const char *errpos;
2347
2348#define validate_check_rc(Label) do { \
2349 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2350 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2351#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2352
2353if (exim_gnutls_base_init_done)
2354 log_write(0, LOG_MAIN|LOG_PANIC,
2355 "already initialised GnuTLS, Exim developer bug");
2356
2357#ifdef HAVE_GNUTLS_PKCS11
2358if (!gnutls_allow_auto_pkcs11)
2359 {
2360 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2361 validate_check_rc(US"gnutls_pkcs11_init");
2362 }
2363#endif
2364rc = gnutls_global_init();
2365validate_check_rc(US"gnutls_global_init()");
2366exim_gnutls_base_init_done = TRUE;
2367
2368if (!(tls_require_ciphers && *tls_require_ciphers))
2369 return_deinit(NULL);
2370
2371if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2372 return_deinit(US"failed to expand tls_require_ciphers");
2373
2374if (!(expciphers && *expciphers))
2375 return_deinit(NULL);
2376
2377DEBUG(D_tls)
2378 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2379
2380rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2381validate_check_rc(string_sprintf(
2382 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2383 expciphers, errpos - CS expciphers, errpos));
2384
2385#undef return_deinit
2386#undef validate_check_rc
2387gnutls_global_deinit();
2388
2389return NULL;
2390}
2391
2392
2393
2394
2395/*************************************************
2396* Report the library versions. *
2397*************************************************/
2398
2399/* See a description in tls-openssl.c for an explanation of why this exists.
2400
2401Arguments: a FILE* to print the results to
2402Returns: nothing
2403*/
2404
2405void
2406tls_version_report(FILE *f)
2407{
2408fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2409 " Runtime: %s\n",
2410 LIBGNUTLS_VERSION,
2411 gnutls_check_version(NULL));
2412}
2413
2414/* vi: aw ai sw=2
2415*/
2416/* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.