projects / exim.git / blob
? search:


bdc032f35ca3d1e92a08db13b2c9a961eaed7382
[exim.git] / src / src / tls-gnu.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2014 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Copyright (c) Phil Pennock 2012 */
9
10 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
11 one of the available supported implementations. This file is #included into
12 tls.c when USE_GNUTLS has been set.
13
14 The code herein is a revamp of GnuTLS integration using the current APIs; the
15 original tls-gnu.c was based on a patch which was contributed by Nikos
16 Mavroyanopoulos. The revamp is partially a rewrite, partially cut&paste as
17 appropriate.
18
19 APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20 which is not widely deployed by OS vendors. Will note issues below, which may
21 assist in updating the code in the future. Another sources of hints is
22 mod_gnutls for Apache (SNI callback registration and handling).
23
24 Keeping client and server variables more split than before and is currently
25 the norm, in anticipation of TLS in ACL callouts.
26
27 I wanted to switch to gnutls_certificate_set_verify_function() so that
28 certificate rejection could happen during handshake where it belongs, rather
29 than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30 (6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
31
32 (I wasn't looking for libraries quite that old, when updating to get rid of
33 compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34 require current GnuTLS, then we'll drop support for the ancient libraries).
35 */
36
37 #include <gnutls/gnutls.h>
38 /* needed for cert checks in verification and DN extraction: */
39 #include <gnutls/x509.h>
40 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41 #include <gnutls/crypto.h>
42 /* needed to disable PKCS11 autoload unless requested */
43 #if GNUTLS_VERSION_NUMBER >= 0x020c00
44 # include <gnutls/pkcs11.h>
45 #endif
46 #if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
47 # warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
48 # define DISABLE_OCSP
49 #endif
50 #if GNUTLS_VERSION_NUMBER < 0x020a00 && defined(EXPERIMENTAL_EVENT)
51 # warning "GnuTLS library version too old; tls:cert event unsupported"
52 # undef EXPERIMENTAL_EVENT
53 #endif
54 #if GNUTLS_VERSION_NUMBER >= 0x030306
55 # define SUPPORT_CA_DIR
56 #else
57 # undef SUPPORT_CA_DIR
58 #endif
59
60 #ifndef DISABLE_OCSP
61 # include <gnutls/ocsp.h>
62 #endif
63
64 /* GnuTLS 2 vs 3
65
66 GnuTLS 3 only:
67 gnutls_global_set_audit_log_function()
68
69 Changes:
70 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
71 */
72
73 /* Local static variables for GnuTLS */
74
75 /* Values for verify_requirement */
76
77 enum peer_verify_requirement
78 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
79
80 /* This holds most state for server or client; with this, we can set up an
81 outbound TLS-enabled connection in an ACL callout, while not stomping all
82 over the TLS variables available for expansion.
83
84 Some of these correspond to variables in globals.c; those variables will
85 be set to point to content in one of these instances, as appropriate for
86 the stage of the process lifetime.
87
88 Not handled here: global tls_channelbinding_b64.
89 */
90
91 typedef struct exim_gnutls_state {
92 gnutls_session_t session;
93 gnutls_certificate_credentials_t x509_cred;
94 gnutls_priority_t priority_cache;
95 enum peer_verify_requirement verify_requirement;
96 int fd_in;
97 int fd_out;
98 BOOL peer_cert_verified;
99 BOOL trigger_sni_changes;
100 BOOL have_set_peerdn;
101 const struct host_item *host;
102 gnutls_x509_crt_t peercert;
103 uschar *peerdn;
104 uschar *ciphersuite;
105 uschar *received_sni;
106
107 const uschar *tls_certificate;
108 const uschar *tls_privatekey;
109 const uschar *tls_sni; /* client send only, not received */
110 const uschar *tls_verify_certificates;
111 const uschar *tls_crl;
112 const uschar *tls_require_ciphers;
113
114 uschar *exp_tls_certificate;
115 uschar *exp_tls_privatekey;
116 uschar *exp_tls_verify_certificates;
117 uschar *exp_tls_crl;
118 uschar *exp_tls_require_ciphers;
119 uschar *exp_tls_ocsp_file;
120 #ifdef EXPERIMENTAL_CERTNAMES
121 uschar *exp_tls_verify_cert_hostnames;
122 #endif
123 #ifdef EXPERIMENTAL_EVENT
124 uschar *event_action;
125 #endif
126
127 tls_support *tlsp; /* set in tls_init() */
128
129 uschar *xfer_buffer;
130 int xfer_buffer_lwm;
131 int xfer_buffer_hwm;
132 int xfer_eof;
133 int xfer_error;
134 } exim_gnutls_state_st;
135
136 static const exim_gnutls_state_st exim_gnutls_state_init = {
137 NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
138 NULL, NULL, NULL, NULL,
139 NULL, NULL, NULL, NULL, NULL, NULL,
140 NULL, NULL, NULL, NULL, NULL, NULL, NULL,
141 #ifdef EXPERIMENTAL_CERTNAMES
142 NULL,
143 #endif
144 #ifdef EXPERIMENTAL_EVENT
145 NULL,
146 #endif
147 NULL,
148 NULL, 0, 0, 0, 0,
149 };
150
151 /* Not only do we have our own APIs which don't pass around state, assuming
152 it's held in globals, GnuTLS doesn't appear to let us register callback data
153 for callbacks, or as part of the session, so we have to keep a "this is the
154 context we're currently dealing with" pointer and rely upon being
155 single-threaded to keep from processing data on an inbound TLS connection while
156 talking to another TLS connection for an outbound check. This does mean that
157 there's no way for heart-beats to be responded to, for the duration of the
158 second connection.
159 XXX But see gnutls_session_get_ptr()
160 */
161
162 static exim_gnutls_state_st state_server, state_client;
163
164 /* dh_params are initialised once within the lifetime of a process using TLS;
165 if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
166 don't want to repeat this. */
167
168 static gnutls_dh_params_t dh_server_params = NULL;
169
170 /* No idea how this value was chosen; preserving it. Default is 3600. */
171
172 static const int ssl_session_timeout = 200;
173
174 static const char * const exim_default_gnutls_priority = "NORMAL";
175
176 /* Guard library core initialisation */
177
178 static BOOL exim_gnutls_base_init_done = FALSE;
179
180
181 /* ------------------------------------------------------------------------ */
182 /* macros */
183
184 #define MAX_HOST_LEN 255
185
186 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
187 the library logging; a value less than 0 disables the calls to set up logging
188 callbacks. */
189 #ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
190 # define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
191 #endif
192
193 #ifndef EXIM_CLIENT_DH_MIN_BITS
194 # define EXIM_CLIENT_DH_MIN_BITS 1024
195 #endif
196
197 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
198 can ask for a bit-strength. Without that, we stick to the constant we had
199 before, for now. */
200 #ifndef EXIM_SERVER_DH_BITS_PRE2_12
201 # define EXIM_SERVER_DH_BITS_PRE2_12 1024
202 #endif
203
204 #define exim_gnutls_err_check(Label) do { \
205 if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)
206
207 #define expand_check_tlsvar(Varname) expand_check(state->Varname, US #Varname, &state->exp_##Varname)
208
209 #if GNUTLS_VERSION_NUMBER >= 0x020c00
210 # define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
211 # define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
212 # define HAVE_GNUTLS_RND
213 /* The security fix we provide with the gnutls_allow_auto_pkcs11 option
214 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
215 * isn't available sometimes, so this needs to become a conditional
216 * compilation; the sanest way to deal with this being a problem on
217 * older OSes is to block it in the Local/Makefile with this compiler
218 * definition */
219 # ifndef AVOID_GNUTLS_PKCS11
220 # define HAVE_GNUTLS_PKCS11
221 # endif /* AVOID_GNUTLS_PKCS11 */
222 #endif
223
224
225
226
227 /* ------------------------------------------------------------------------ */
228 /* Callback declarations */
229
230 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
231 static void exim_gnutls_logger_cb(int level, const char *message);
232 #endif
233
234 static int exim_sni_handling_cb(gnutls_session_t session);
235
236 #ifndef DISABLE_OCSP
237 static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
238 gnutls_datum_t * ocsp_response);
239 #endif
240
241
242
243 /* ------------------------------------------------------------------------ */
244 /* Static functions */
245
246 /*************************************************
247 * Handle TLS error *
248 *************************************************/
249
250 /* Called from lots of places when errors occur before actually starting to do
251 the TLS handshake, that is, while the session is still in clear. Always returns
252 DEFER for a server and FAIL for a client so that most calls can use "return
253 tls_error(...)" to do this processing and then give an appropriate return. A
254 single function is used for both server and client, because it is called from
255 some shared functions.
256
257 Argument:
258 prefix text to include in the logged error
259 msg additional error string (may be NULL)
260 usually obtained from gnutls_strerror()
261 host NULL if setting up a server;
262 the connected host if setting up a client
263
264 Returns: OK/DEFER/FAIL
265 */
266
267 static int
268 tls_error(const uschar *prefix, const char *msg, const host_item *host)
269 {
270 if (host)
271 {
272 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s)%s%s",
273 host->name, host->address, prefix, msg ? ": " : "", msg ? msg : "");
274 return FAIL;
275 }
276 else
277 {
278 uschar *conn_info = smtp_get_connection_info();
279 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
280 conn_info += 5;
281 /* I'd like to get separated H= here, but too hard for now */
282 log_write(0, LOG_MAIN, "TLS error on %s (%s)%s%s",
283 conn_info, prefix, msg ? ": " : "", msg ? msg : "");
284 return DEFER;
285 }
286 }
287
288
289
290
291 /*************************************************
292 * Deal with logging errors during I/O *
293 *************************************************/
294
295 /* We have to get the identity of the peer from saved data.
296
297 Argument:
298 state the current GnuTLS exim state container
299 rc the GnuTLS error code, or 0 if it's a local error
300 when text identifying read or write
301 text local error text when ec is 0
302
303 Returns: nothing
304 */
305
306 static void
307 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
308 {
309 const char *msg;
310
311 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
312 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
313 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
314 else
315 msg = gnutls_strerror(rc);
316
317 tls_error(when, msg, state->host);
318 }
319
320
321
322
323 /*************************************************
324 * Set various Exim expansion vars *
325 *************************************************/
326
327 #define exim_gnutls_cert_err(Label) \
328 do \
329 { \
330 if (rc != GNUTLS_E_SUCCESS) \
331 { \
332 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
333 (Label), gnutls_strerror(rc)); \
334 return rc; \
335 } \
336 } while (0)
337
338 static int
339 import_cert(const gnutls_datum * cert, gnutls_x509_crt_t * crtp)
340 {
341 int rc;
342
343 rc = gnutls_x509_crt_init(crtp);
344 exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
345
346 rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
347 exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
348
349 return rc;
350 }
351
352 #undef exim_gnutls_cert_err
353
354
355 /* We set various Exim global variables from the state, once a session has
356 been established. With TLS callouts, may need to change this to stack
357 variables, or just re-call it with the server state after client callout
358 has finished.
359
360 Make sure anything set here is unset in tls_getc().
361
362 Sets:
363 tls_active fd
364 tls_bits strength indicator
365 tls_certificate_verified bool indicator
366 tls_channelbinding_b64 for some SASL mechanisms
367 tls_cipher a string
368 tls_peercert pointer to library internal
369 tls_peerdn a string
370 tls_sni a (UTF-8) string
371 tls_ourcert pointer to library internal
372
373 Argument:
374 state the relevant exim_gnutls_state_st *
375 */
376
377 static void
378 extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
379 {
380 gnutls_cipher_algorithm_t cipher;
381 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
382 int old_pool;
383 int rc;
384 gnutls_datum_t channel;
385 #endif
386 tls_support * tlsp = state->tlsp;
387
388 tlsp->active = state->fd_out;
389
390 cipher = gnutls_cipher_get(state->session);
391 /* returns size in "bytes" */
392 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
393
394 tlsp->cipher = state->ciphersuite;
395
396 DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
397
398 tlsp->certificate_verified = state->peer_cert_verified;
399
400 /* note that tls_channelbinding_b64 is not saved to the spool file, since it's
401 only available for use for authenticators while this TLS session is running. */
402
403 tls_channelbinding_b64 = NULL;
404 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
405 channel.data = NULL;
406 channel.size = 0;
407 rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
408 if (rc) {
409 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
410 } else {
411 old_pool = store_pool;
412 store_pool = POOL_PERM;
413 tls_channelbinding_b64 = auth_b64encode(channel.data, (int)channel.size);
414 store_pool = old_pool;
415 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
416 }
417 #endif
418
419 /* peercert is set in peer_status() */
420 tlsp->peerdn = state->peerdn;
421 tlsp->sni = state->received_sni;
422
423 /* record our certificate */
424 {
425 const gnutls_datum * cert = gnutls_certificate_get_ours(state->session);
426 gnutls_x509_crt_t crt;
427
428 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
429 }
430 }
431
432
433
434
435 /*************************************************
436 * Setup up DH parameters *
437 *************************************************/
438
439 /* Generating the D-H parameters may take a long time. They only need to
440 be re-generated every so often, depending on security policy. What we do is to
441 keep these parameters in a file in the spool directory. If the file does not
442 exist, we generate them. This means that it is easy to cause a regeneration.
443
444 The new file is written as a temporary file and renamed, so that an incomplete
445 file is never present. If two processes both compute some new parameters, you
446 waste a bit of effort, but it doesn't seem worth messing around with locking to
447 prevent this.
448
449 Returns: OK/DEFER/FAIL
450 */
451
452 static int
453 init_server_dh(void)
454 {
455 int fd, rc;
456 unsigned int dh_bits;
457 gnutls_datum m;
458 uschar filename_buf[PATH_MAX];
459 uschar *filename = NULL;
460 size_t sz;
461 uschar *exp_tls_dhparam;
462 BOOL use_file_in_spool = FALSE;
463 BOOL use_fixed_file = FALSE;
464 host_item *host = NULL; /* dummy for macros */
465
466 DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
467
468 rc = gnutls_dh_params_init(&dh_server_params);
469 exim_gnutls_err_check(US"gnutls_dh_params_init");
470
471 m.data = NULL;
472 m.size = 0;
473
474 if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam))
475 return DEFER;
476
477 if (!exp_tls_dhparam)
478 {
479 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
480 m.data = US std_dh_prime_default();
481 m.size = Ustrlen(m.data);
482 }
483 else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
484 use_file_in_spool = TRUE;
485 else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
486 {
487 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
488 return OK;
489 }
490 else if (exp_tls_dhparam[0] != '/')
491 {
492 m.data = US std_dh_prime_named(exp_tls_dhparam);
493 if (m.data == NULL)
494 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL);
495 m.size = Ustrlen(m.data);
496 }
497 else
498 {
499 use_fixed_file = TRUE;
500 filename = exp_tls_dhparam;
501 }
502
503 if (m.data)
504 {
505 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
506 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
507 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
508 return OK;
509 }
510
511 #ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
512 /* If you change this constant, also change dh_param_fn_ext so that we can use a
513 different filename and ensure we have sufficient bits. */
514 dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
515 if (!dh_bits)
516 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL);
517 DEBUG(D_tls)
518 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
519 dh_bits);
520 #else
521 dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
522 DEBUG(D_tls)
523 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
524 dh_bits);
525 #endif
526
527 /* Some clients have hard-coded limits. */
528 if (dh_bits > tls_dh_max_bits)
529 {
530 DEBUG(D_tls)
531 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
532 tls_dh_max_bits);
533 dh_bits = tls_dh_max_bits;
534 }
535
536 if (use_file_in_spool)
537 {
538 if (!string_format(filename_buf, sizeof(filename_buf),
539 "%s/gnutls-params-%d", spool_directory, dh_bits))
540 return tls_error(US"overlong filename", NULL, NULL);
541 filename = filename_buf;
542 }
543
544 /* Open the cache file for reading and if successful, read it and set up the
545 parameters. */
546
547 fd = Uopen(filename, O_RDONLY, 0);
548 if (fd >= 0)
549 {
550 struct stat statbuf;
551 FILE *fp;
552 int saved_errno;
553
554 if (fstat(fd, &statbuf) < 0) /* EIO */
555 {
556 saved_errno = errno;
557 (void)close(fd);
558 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL);
559 }
560 if (!S_ISREG(statbuf.st_mode))
561 {
562 (void)close(fd);
563 return tls_error(US"TLS cache not a file", NULL, NULL);
564 }
565 fp = fdopen(fd, "rb");
566 if (!fp)
567 {
568 saved_errno = errno;
569 (void)close(fd);
570 return tls_error(US"fdopen(TLS cache stat fd) failed",
571 strerror(saved_errno), NULL);
572 }
573
574 m.size = statbuf.st_size;
575 m.data = malloc(m.size);
576 if (m.data == NULL)
577 {
578 fclose(fp);
579 return tls_error(US"malloc failed", strerror(errno), NULL);
580 }
581 sz = fread(m.data, m.size, 1, fp);
582 if (!sz)
583 {
584 saved_errno = errno;
585 fclose(fp);
586 free(m.data);
587 return tls_error(US"fread failed", strerror(saved_errno), NULL);
588 }
589 fclose(fp);
590
591 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
592 free(m.data);
593 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
594 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
595 }
596
597 /* If the file does not exist, fall through to compute new data and cache it.
598 If there was any other opening error, it is serious. */
599
600 else if (errno == ENOENT)
601 {
602 rc = -1;
603 DEBUG(D_tls)
604 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
605 }
606 else
607 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
608 NULL, NULL);
609
610 /* If ret < 0, either the cache file does not exist, or the data it contains
611 is not useful. One particular case of this is when upgrading from an older
612 release of Exim in which the data was stored in a different format. We don't
613 try to be clever and support both formats; we just regenerate new data in this
614 case. */
615
616 if (rc < 0)
617 {
618 uschar *temp_fn;
619 unsigned int dh_bits_gen = dh_bits;
620
621 if ((PATH_MAX - Ustrlen(filename)) < 10)
622 return tls_error(US"Filename too long to generate replacement",
623 CS filename, NULL);
624
625 temp_fn = string_copy(US "%s.XXXXXXX");
626 fd = mkstemp(CS temp_fn); /* modifies temp_fn */
627 if (fd < 0)
628 return tls_error(US"Unable to open temp file", strerror(errno), NULL);
629 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
630
631 /* GnuTLS overshoots!
632 * If we ask for 2236, we might get 2237 or more.
633 * But there's no way to ask GnuTLS how many bits there really are.
634 * We can ask how many bits were used in a TLS session, but that's it!
635 * The prime itself is hidden behind too much abstraction.
636 * So we ask for less, and proceed on a wing and a prayer.
637 * First attempt, subtracted 3 for 2233 and got 2240.
638 */
639 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
640 {
641 dh_bits_gen = dh_bits - 10;
642 DEBUG(D_tls)
643 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
644 dh_bits_gen);
645 }
646
647 DEBUG(D_tls)
648 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
649 dh_bits_gen);
650 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
651 exim_gnutls_err_check(US"gnutls_dh_params_generate2");
652
653 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
654 and I confirmed that a NULL call to get the size first is how the GnuTLS
655 sample apps handle this. */
656
657 sz = 0;
658 m.data = NULL;
659 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
660 m.data, &sz);
661 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
662 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3(NULL) sizing");
663 m.size = sz;
664 m.data = malloc(m.size);
665 if (m.data == NULL)
666 return tls_error(US"memory allocation failed", strerror(errno), NULL);
667 /* this will return a size 1 less than the allocation size above */
668 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
669 m.data, &sz);
670 if (rc != GNUTLS_E_SUCCESS)
671 {
672 free(m.data);
673 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3() real");
674 }
675 m.size = sz; /* shrink by 1, probably */
676
677 sz = write_to_fd_buf(fd, m.data, (size_t) m.size);
678 if (sz != m.size)
679 {
680 free(m.data);
681 return tls_error(US"TLS cache write D-H params failed",
682 strerror(errno), NULL);
683 }
684 free(m.data);
685 sz = write_to_fd_buf(fd, US"\n", 1);
686 if (sz != 1)
687 return tls_error(US"TLS cache write D-H params final newline failed",
688 strerror(errno), NULL);
689
690 rc = close(fd);
691 if (rc)
692 return tls_error(US"TLS cache write close() failed",
693 strerror(errno), NULL);
694
695 if (Urename(temp_fn, filename) < 0)
696 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
697 temp_fn, filename), strerror(errno), NULL);
698
699 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
700 }
701
702 DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
703 return OK;
704 }
705
706
707
708
709 /*************************************************
710 * Variables re-expanded post-SNI *
711 *************************************************/
712
713 /* Called from both server and client code, via tls_init(), and also from
714 the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
715
716 We can tell the two apart by state->received_sni being non-NULL in callback.
717
718 The callback should not call us unless state->trigger_sni_changes is true,
719 which we are responsible for setting on the first pass through.
720
721 Arguments:
722 state exim_gnutls_state_st *
723
724 Returns: OK/DEFER/FAIL
725 */
726
727 static int
728 tls_expand_session_files(exim_gnutls_state_st *state)
729 {
730 struct stat statbuf;
731 int rc;
732 const host_item *host = state->host; /* macro should be reconsidered? */
733 uschar *saved_tls_certificate = NULL;
734 uschar *saved_tls_privatekey = NULL;
735 uschar *saved_tls_verify_certificates = NULL;
736 uschar *saved_tls_crl = NULL;
737 int cert_count;
738
739 /* We check for tls_sni *before* expansion. */
740 if (!host) /* server */
741 {
742 if (!state->received_sni)
743 {
744 if (state->tls_certificate &&
745 (Ustrstr(state->tls_certificate, US"tls_sni") ||
746 Ustrstr(state->tls_certificate, US"tls_in_sni") ||
747 Ustrstr(state->tls_certificate, US"tls_out_sni")
748 ))
749 {
750 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
751 state->trigger_sni_changes = TRUE;
752 }
753 }
754 else
755 {
756 /* useful for debugging */
757 saved_tls_certificate = state->exp_tls_certificate;
758 saved_tls_privatekey = state->exp_tls_privatekey;
759 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
760 saved_tls_crl = state->exp_tls_crl;
761 }
762 }
763
764 rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
765 exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
766
767 /* remember: expand_check_tlsvar() is expand_check() but fiddling with
768 state members, assuming consistent naming; and expand_check() returns
769 false if expansion failed, unless expansion was forced to fail. */
770
771 /* check if we at least have a certificate, before doing expensive
772 D-H generation. */
773
774 if (!expand_check_tlsvar(tls_certificate))
775 return DEFER;
776
777 /* certificate is mandatory in server, optional in client */
778
779 if ((state->exp_tls_certificate == NULL) ||
780 (*state->exp_tls_certificate == '\0'))
781 {
782 if (!host)
783 return tls_error(US"no TLS server certificate is specified", NULL, NULL);
784 else
785 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
786 }
787
788 if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
789 return DEFER;
790
791 /* tls_privatekey is optional, defaulting to same file as certificate */
792
793 if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
794 {
795 state->tls_privatekey = state->tls_certificate;
796 state->exp_tls_privatekey = state->exp_tls_certificate;
797 }
798
799
800 if (state->exp_tls_certificate && *state->exp_tls_certificate)
801 {
802 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
803 state->exp_tls_certificate, state->exp_tls_privatekey);
804
805 if (state->received_sni)
806 {
807 if ((Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0) &&
808 (Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0))
809 {
810 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
811 }
812 else
813 {
814 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
815 }
816 }
817
818 rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
819 CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
820 GNUTLS_X509_FMT_PEM);
821 exim_gnutls_err_check(
822 string_sprintf("cert/key setup: cert=%s key=%s",
823 state->exp_tls_certificate, state->exp_tls_privatekey));
824 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
825 } /* tls_certificate */
826
827
828 /* Set the OCSP stapling server info */
829
830 #ifndef DISABLE_OCSP
831 if ( !host /* server */
832 && tls_ocsp_file
833 )
834 {
835 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
836 &state->exp_tls_ocsp_file))
837 return DEFER;
838
839 /* Use the full callback method for stapling just to get observability.
840 More efficient would be to read the file once only, if it never changed
841 (due to SNI). Would need restart on file update, or watch datestamp. */
842
843 gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
844 server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
845
846 DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", &state->exp_tls_ocsp_file);
847 }
848 #endif
849
850
851 /* Set the trusted CAs file if one is provided, and then add the CRL if one is
852 provided. Experiment shows that, if the certificate file is empty, an unhelpful
853 error message is provided. However, if we just refrain from setting anything up
854 in that case, certificate verification fails, which seems to be the correct
855 behaviour. */
856
857 if (state->tls_verify_certificates && *state->tls_verify_certificates)
858 {
859 if (!expand_check_tlsvar(tls_verify_certificates))
860 return DEFER;
861 if (state->tls_crl && *state->tls_crl)
862 if (!expand_check_tlsvar(tls_crl))
863 return DEFER;
864
865 if (!(state->exp_tls_verify_certificates &&
866 *state->exp_tls_verify_certificates))
867 {
868 DEBUG(D_tls)
869 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
870 /* With no tls_verify_certificates, we ignore tls_crl too */
871 return OK;
872 }
873 }
874 else
875 {
876 DEBUG(D_tls)
877 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
878 return OK;
879 }
880
881 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
882 {
883 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
884 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
885 strerror(errno));
886 return DEFER;
887 }
888
889 #ifndef SUPPORT_CA_DIR
890 /* The test suite passes in /dev/null; we could check for that path explicitly,
891 but who knows if someone has some weird FIFO which always dumps some certs, or
892 other weirdness. The thing we really want to check is that it's not a
893 directory, since while OpenSSL supports that, GnuTLS does not.
894 So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
895 if (S_ISDIR(statbuf.st_mode))
896 {
897 DEBUG(D_tls)
898 debug_printf("verify certificates path is a dir: \"%s\"\n",
899 state->exp_tls_verify_certificates);
900 log_write(0, LOG_MAIN|LOG_PANIC,
901 "tls_verify_certificates \"%s\" is a directory",
902 state->exp_tls_verify_certificates);
903 return DEFER;
904 }
905 #endif
906
907 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
908 state->exp_tls_verify_certificates, statbuf.st_size);
909
910 if (statbuf.st_size == 0)
911 {
912 DEBUG(D_tls)
913 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
914 return OK;
915 }
916
917 cert_count =
918
919 #ifdef SUPPORT_CA_DIR
920 (statbuf.st_mode & S_IFMT) == S_IFDIR
921 ?
922 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
923 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
924 :
925 #endif
926 gnutls_certificate_set_x509_trust_file(state->x509_cred,
927 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
928
929 if (cert_count < 0)
930 {
931 rc = cert_count;
932 exim_gnutls_err_check(US"gnutls_certificate_set_x509_trust_file");
933 }
934 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
935
936 if (state->tls_crl && *state->tls_crl &&
937 state->exp_tls_crl && *state->exp_tls_crl)
938 {
939 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
940 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
941 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
942 if (cert_count < 0)
943 {
944 rc = cert_count;
945 exim_gnutls_err_check(US"gnutls_certificate_set_x509_crl_file");
946 }
947 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
948 }
949
950 return OK;
951 }
952
953
954
955
956 /*************************************************
957 * Set X.509 state variables *
958 *************************************************/
959
960 /* In GnuTLS, the registered cert/key are not replaced by a later
961 set of a cert/key, so for SNI support we need a whole new x509_cred
962 structure. Which means various other non-re-expanded pieces of state
963 need to be re-set in the new struct, so the setting logic is pulled
964 out to this.
965
966 Arguments:
967 state exim_gnutls_state_st *
968
969 Returns: OK/DEFER/FAIL
970 */
971
972 static int
973 tls_set_remaining_x509(exim_gnutls_state_st *state)
974 {
975 int rc;
976 const host_item *host = state->host; /* macro should be reconsidered? */
977
978 /* Create D-H parameters, or read them from the cache file. This function does
979 its own SMTP error messaging. This only happens for the server, TLS D-H ignores
980 client-side params. */
981
982 if (!state->host)
983 {
984 if (!dh_server_params)
985 {
986 rc = init_server_dh();
987 if (rc != OK) return rc;
988 }
989 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
990 }
991
992 /* Link the credentials to the session. */
993
994 rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
995 exim_gnutls_err_check(US"gnutls_credentials_set");
996
997 return OK;
998 }
999
1000 /*************************************************
1001 * Initialize for GnuTLS *
1002 *************************************************/
1003
1004 /* Called from both server and client code. In the case of a server, errors
1005 before actual TLS negotiation return DEFER.
1006
1007 Arguments:
1008 host connected host, if client; NULL if server
1009 certificate certificate file
1010 privatekey private key file
1011 sni TLS SNI to send, sometimes when client; else NULL
1012 cas CA certs file
1013 crl CRL file
1014 require_ciphers tls_require_ciphers setting
1015 caller_state returned state-info structure
1016
1017 Returns: OK/DEFER/FAIL
1018 */
1019
1020 static int
1021 tls_init(
1022 const host_item *host,
1023 const uschar *certificate,
1024 const uschar *privatekey,
1025 const uschar *sni,
1026 const uschar *cas,
1027 const uschar *crl,
1028 const uschar *require_ciphers,
1029 exim_gnutls_state_st **caller_state)
1030 {
1031 exim_gnutls_state_st *state;
1032 int rc;
1033 size_t sz;
1034 const char *errpos;
1035 uschar *p;
1036 BOOL want_default_priorities;
1037
1038 if (!exim_gnutls_base_init_done)
1039 {
1040 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1041
1042 #ifdef HAVE_GNUTLS_PKCS11
1043 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1044 which loads modules from a config file, which sounds good and may be wanted
1045 by some sysadmin, but also means in common configurations that GNOME keyring
1046 environment variables are used and so breaks for users calling mailq.
1047 To prevent this, we init PKCS11 first, which is the documented approach. */
1048 if (!gnutls_allow_auto_pkcs11)
1049 {
1050 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
1051 exim_gnutls_err_check(US"gnutls_pkcs11_init");
1052 }
1053 #endif
1054
1055 rc = gnutls_global_init();
1056 exim_gnutls_err_check(US"gnutls_global_init");
1057
1058 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1059 DEBUG(D_tls)
1060 {
1061 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1062 /* arbitrarily chosen level; bump upto 9 for more */
1063 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
1064 }
1065 #endif
1066
1067 exim_gnutls_base_init_done = TRUE;
1068 }
1069
1070 if (host)
1071 {
1072 state = &state_client;
1073 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1074 state->tlsp = &tls_out;
1075 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1076 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1077 }
1078 else
1079 {
1080 state = &state_server;
1081 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1082 state->tlsp = &tls_in;
1083 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1084 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1085 }
1086 exim_gnutls_err_check(US"gnutls_init");
1087
1088 state->host = host;
1089
1090 state->tls_certificate = certificate;
1091 state->tls_privatekey = privatekey;
1092 state->tls_require_ciphers = require_ciphers;
1093 state->tls_sni = sni;
1094 state->tls_verify_certificates = cas;
1095 state->tls_crl = crl;
1096
1097 /* This handles the variables that might get re-expanded after TLS SNI;
1098 that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
1099
1100 DEBUG(D_tls)
1101 debug_printf("Expanding various TLS configuration options for session credentials.\n");
1102 rc = tls_expand_session_files(state);
1103 if (rc != OK) return rc;
1104
1105 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1106 requires a new structure afterwards. */
1107
1108 rc = tls_set_remaining_x509(state);
1109 if (rc != OK) return rc;
1110
1111 /* set SNI in client, only */
1112 if (host)
1113 {
1114 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni))
1115 return DEFER;
1116 if (state->tlsp->sni && *state->tlsp->sni)
1117 {
1118 DEBUG(D_tls)
1119 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1120 sz = Ustrlen(state->tlsp->sni);
1121 rc = gnutls_server_name_set(state->session,
1122 GNUTLS_NAME_DNS, state->tlsp->sni, sz);
1123 exim_gnutls_err_check(US"gnutls_server_name_set");
1124 }
1125 }
1126 else if (state->tls_sni)
1127 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1128 "have an SNI set for a client [%s]\n", state->tls_sni);
1129
1130 /* This is the priority string support,
1131 http://www.gnutls.org/manual/html_node/Priority-Strings.html
1132 and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1133 This was backwards incompatible, but means Exim no longer needs to track
1134 all algorithms and provide string forms for them. */
1135
1136 want_default_priorities = TRUE;
1137
1138 if (state->tls_require_ciphers && *state->tls_require_ciphers)
1139 {
1140 if (!expand_check_tlsvar(tls_require_ciphers))
1141 return DEFER;
1142 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
1143 {
1144 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1145 state->exp_tls_require_ciphers);
1146
1147 rc = gnutls_priority_init(&state->priority_cache,
1148 CS state->exp_tls_require_ciphers, &errpos);
1149 want_default_priorities = FALSE;
1150 p = state->exp_tls_require_ciphers;
1151 }
1152 }
1153 if (want_default_priorities)
1154 {
1155 DEBUG(D_tls)
1156 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1157 exim_default_gnutls_priority);
1158 rc = gnutls_priority_init(&state->priority_cache,
1159 exim_default_gnutls_priority, &errpos);
1160 p = US exim_default_gnutls_priority;
1161 }
1162
1163 exim_gnutls_err_check(string_sprintf(
1164 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1165 p, errpos - CS p, errpos));
1166
1167 rc = gnutls_priority_set(state->session, state->priority_cache);
1168 exim_gnutls_err_check(US"gnutls_priority_set");
1169
1170 gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1171
1172 /* Reduce security in favour of increased compatibility, if the admin
1173 decides to make that trade-off. */
1174 if (gnutls_compat_mode)
1175 {
1176 #if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1177 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1178 gnutls_session_enable_compatibility_mode(state->session);
1179 #else
1180 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1181 #endif
1182 }
1183
1184 *caller_state = state;
1185 return OK;
1186 }
1187
1188
1189
1190 /*************************************************
1191 * Extract peer information *
1192 *************************************************/
1193
1194 /* Called from both server and client code.
1195 Only this is allowed to set state->peerdn and state->have_set_peerdn
1196 and we use that to detect double-calls.
1197
1198 NOTE: the state blocks last while the TLS connection is up, which is fine
1199 for logging in the server side, but for the client side, we log after teardown
1200 in src/deliver.c. While the session is up, we can twist about states and
1201 repoint tls_* globals, but those variables used for logging or other variable
1202 expansion that happens _after_ delivery need to have a longer life-time.
1203
1204 So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1205 doing this more than once per generation of a state context. We set them in
1206 the state context, and repoint tls_* to them. After the state goes away, the
1207 tls_* copies of the pointers remain valid and client delivery logging is happy.
1208
1209 tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1210 don't apply.
1211
1212 Arguments:
1213 state exim_gnutls_state_st *
1214
1215 Returns: OK/DEFER/FAIL
1216 */
1217
1218 static int
1219 peer_status(exim_gnutls_state_st *state)
1220 {
1221 uschar cipherbuf[256];
1222 const gnutls_datum *cert_list;
1223 int old_pool, rc;
1224 unsigned int cert_list_size = 0;
1225 gnutls_protocol_t protocol;
1226 gnutls_cipher_algorithm_t cipher;
1227 gnutls_kx_algorithm_t kx;
1228 gnutls_mac_algorithm_t mac;
1229 gnutls_certificate_type_t ct;
1230 gnutls_x509_crt_t crt;
1231 uschar *p, *dn_buf;
1232 size_t sz;
1233
1234 if (state->have_set_peerdn)
1235 return OK;
1236 state->have_set_peerdn = TRUE;
1237
1238 state->peerdn = NULL;
1239
1240 /* tls_cipher */
1241 cipher = gnutls_cipher_get(state->session);
1242 protocol = gnutls_protocol_get_version(state->session);
1243 mac = gnutls_mac_get(state->session);
1244 kx = gnutls_kx_get(state->session);
1245
1246 string_format(cipherbuf, sizeof(cipherbuf),
1247 "%s:%s:%d",
1248 gnutls_protocol_get_name(protocol),
1249 gnutls_cipher_suite_get_name(kx, cipher, mac),
1250 (int) gnutls_cipher_get_key_size(cipher) * 8);
1251
1252 /* I don't see a way that spaces could occur, in the current GnuTLS
1253 code base, but it was a concern in the old code and perhaps older GnuTLS
1254 releases did return "TLS 1.0"; play it safe, just in case. */
1255 for (p = cipherbuf; *p != '\0'; ++p)
1256 if (isspace(*p))
1257 *p = '-';
1258 old_pool = store_pool;
1259 store_pool = POOL_PERM;
1260 state->ciphersuite = string_copy(cipherbuf);
1261 store_pool = old_pool;
1262 state->tlsp->cipher = state->ciphersuite;
1263
1264 /* tls_peerdn */
1265 cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
1266
1267 if (cert_list == NULL || cert_list_size == 0)
1268 {
1269 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1270 cert_list, cert_list_size);
1271 if (state->verify_requirement >= VERIFY_REQUIRED)
1272 return tls_error(US"certificate verification failed",
1273 "no certificate received from peer", state->host);
1274 return OK;
1275 }
1276
1277 ct = gnutls_certificate_type_get(state->session);
1278 if (ct != GNUTLS_CRT_X509)
1279 {
1280 const char *ctn = gnutls_certificate_type_get_name(ct);
1281 DEBUG(D_tls)
1282 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
1283 if (state->verify_requirement >= VERIFY_REQUIRED)
1284 return tls_error(US"certificate verification not possible, unhandled type",
1285 ctn, state->host);
1286 return OK;
1287 }
1288
1289 #define exim_gnutls_peer_err(Label) \
1290 do { \
1291 if (rc != GNUTLS_E_SUCCESS) \
1292 { \
1293 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1294 (Label), gnutls_strerror(rc)); \
1295 if (state->verify_requirement >= VERIFY_REQUIRED) \
1296 return tls_error((Label), gnutls_strerror(rc), state->host); \
1297 return OK; \
1298 } \
1299 } while (0)
1300
1301 rc = import_cert(&cert_list[0], &crt);
1302 exim_gnutls_peer_err(US"cert 0");
1303
1304 state->tlsp->peercert = state->peercert = crt;
1305
1306 sz = 0;
1307 rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1308 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
1309 {
1310 exim_gnutls_peer_err(US"getting size for cert DN failed");
1311 return FAIL; /* should not happen */
1312 }
1313 dn_buf = store_get_perm(sz);
1314 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1315 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
1316
1317 state->peerdn = dn_buf;
1318
1319 return OK;
1320 #undef exim_gnutls_peer_err
1321 }
1322
1323
1324
1325
1326 /*************************************************
1327 * Verify peer certificate *
1328 *************************************************/
1329
1330 /* Called from both server and client code.
1331 *Should* be using a callback registered with
1332 gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1333 the peer information, but that's too new for some OSes.
1334
1335 Arguments:
1336 state exim_gnutls_state_st *
1337 error where to put an error message
1338
1339 Returns:
1340 FALSE if the session should be rejected
1341 TRUE if the cert is okay or we just don't care
1342 */
1343
1344 static BOOL
1345 verify_certificate(exim_gnutls_state_st *state, const char **error)
1346 {
1347 int rc;
1348 unsigned int verify;
1349
1350 *error = NULL;
1351
1352 if ((rc = peer_status(state)) != OK)
1353 {
1354 verify = GNUTLS_CERT_INVALID;
1355 *error = "certificate not supplied";
1356 }
1357 else
1358 rc = gnutls_certificate_verify_peers2(state->session, &verify);
1359
1360 /* Handle the result of verification. INVALID seems to be set as well
1361 as REVOKED, but leave the test for both. */
1362
1363 if (rc < 0 ||
1364 verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
1365 )
1366 {
1367 state->peer_cert_verified = FALSE;
1368 if (!*error)
1369 *error = verify & GNUTLS_CERT_REVOKED
1370 ? "certificate revoked" : "certificate invalid";
1371
1372 DEBUG(D_tls)
1373 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
1374 *error, state->peerdn ? state->peerdn : US"<unset>");
1375
1376 if (state->verify_requirement >= VERIFY_REQUIRED)
1377 {
1378 gnutls_alert_send(state->session,
1379 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1380 return FALSE;
1381 }
1382 DEBUG(D_tls)
1383 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
1384 }
1385
1386 else
1387 {
1388 #ifdef EXPERIMENTAL_CERTNAMES
1389 if (state->exp_tls_verify_cert_hostnames)
1390 {
1391 int sep = 0;
1392 uschar * list = state->exp_tls_verify_cert_hostnames;
1393 uschar * name;
1394 while (name = string_nextinlist(&list, &sep, NULL, 0))
1395 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
1396 break;
1397 if (!name)
1398 {
1399 DEBUG(D_tls)
1400 debug_printf("TLS certificate verification failed: cert name mismatch\n");
1401 if (state->verify_requirement >= VERIFY_REQUIRED)
1402 {
1403 gnutls_alert_send(state->session,
1404 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1405 return FALSE;
1406 }
1407 return TRUE;
1408 }
1409 }
1410 #endif
1411 state->peer_cert_verified = TRUE;
1412 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
1413 state->peerdn ? state->peerdn : US"<unset>");
1414 }
1415
1416 state->tlsp->peerdn = state->peerdn;
1417
1418 return TRUE;
1419 }
1420
1421
1422
1423
1424 /* ------------------------------------------------------------------------ */
1425 /* Callbacks */
1426
1427 /* Logging function which can be registered with
1428 * gnutls_global_set_log_function()
1429 * gnutls_global_set_log_level() 0..9
1430 */
1431 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1432 static void
1433 exim_gnutls_logger_cb(int level, const char *message)
1434 {
1435 size_t len = strlen(message);
1436 if (len < 1)
1437 {
1438 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1439 return;
1440 }
1441 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1442 message[len-1] == '\n' ? "" : "\n");
1443 }
1444 #endif
1445
1446
1447 /* Called after client hello, should handle SNI work.
1448 This will always set tls_sni (state->received_sni) if available,
1449 and may trigger presenting different certificates,
1450 if state->trigger_sni_changes is TRUE.
1451
1452 Should be registered with
1453 gnutls_handshake_set_post_client_hello_function()
1454
1455 "This callback must return 0 on success or a gnutls error code to terminate the
1456 handshake.".
1457
1458 For inability to get SNI information, we return 0.
1459 We only return non-zero if re-setup failed.
1460 Only used for server-side TLS.
1461 */
1462
1463 static int
1464 exim_sni_handling_cb(gnutls_session_t session)
1465 {
1466 char sni_name[MAX_HOST_LEN];
1467 size_t data_len = MAX_HOST_LEN;
1468 exim_gnutls_state_st *state = &state_server;
1469 unsigned int sni_type;
1470 int rc, old_pool;
1471
1472 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
1473 if (rc != GNUTLS_E_SUCCESS)
1474 {
1475 DEBUG(D_tls) {
1476 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1477 debug_printf("TLS: no SNI presented in handshake.\n");
1478 else
1479 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1480 gnutls_strerror(rc), rc);
1481 };
1482 return 0;
1483 }
1484
1485 if (sni_type != GNUTLS_NAME_DNS)
1486 {
1487 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1488 return 0;
1489 }
1490
1491 /* We now have a UTF-8 string in sni_name */
1492 old_pool = store_pool;
1493 store_pool = POOL_PERM;
1494 state->received_sni = string_copyn(US sni_name, data_len);
1495 store_pool = old_pool;
1496
1497 /* We set this one now so that variable expansions below will work */
1498 state->tlsp->sni = state->received_sni;
1499
1500 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1501 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1502
1503 if (!state->trigger_sni_changes)
1504 return 0;
1505
1506 rc = tls_expand_session_files(state);
1507 if (rc != OK)
1508 {
1509 /* If the setup of certs/etc failed before handshake, TLS would not have
1510 been offered. The best we can do now is abort. */
1511 return GNUTLS_E_APPLICATION_ERROR_MIN;
1512 }
1513
1514 rc = tls_set_remaining_x509(state);
1515 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1516
1517 return 0;
1518 }
1519
1520
1521
1522 #ifndef DISABLE_OCSP
1523
1524 static int
1525 server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1526 gnutls_datum_t * ocsp_response)
1527 {
1528 int ret;
1529
1530 if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1531 {
1532 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
1533 (char *)ptr);
1534 tls_in.ocsp = OCSP_NOT_RESP;
1535 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1536 }
1537
1538 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1539 return 0;
1540 }
1541
1542 #endif
1543
1544
1545 #ifdef EXPERIMENTAL_EVENT
1546 /*
1547 We use this callback to get observability and detail-level control
1548 for an exim TLS connection (either direction), raising a tls:cert event
1549 for each cert in the chain presented by the peer. Any event
1550 can deny verification.
1551
1552 Return 0 for the handshake to continue or non-zero to terminate.
1553 */
1554
1555 static int
1556 verify_cb(gnutls_session_t session)
1557 {
1558 const gnutls_datum * cert_list;
1559 unsigned int cert_list_size = 0;
1560 gnutls_x509_crt_t crt;
1561 int rc;
1562 uschar * yield;
1563 exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
1564
1565 cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1566 if (cert_list)
1567 while (cert_list_size--)
1568 {
1569 rc = import_cert(&cert_list[cert_list_size], &crt);
1570 if (rc != GNUTLS_E_SUCCESS)
1571 {
1572 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
1573 cert_list_size, gnutls_strerror(rc));
1574 break;
1575 }
1576
1577 state->tlsp->peercert = crt;
1578 if ((yield = event_raise(state->event_action,
1579 US"tls:cert", string_sprintf("%d", cert_list_size))))
1580 {
1581 log_write(0, LOG_MAIN,
1582 "SSL verify denied by event-action: depth=%d: %s",
1583 cert_list_size, yield);
1584 return 1; /* reject */
1585 }
1586 state->tlsp->peercert = NULL;
1587 }
1588
1589 return 0;
1590 }
1591
1592 #endif
1593
1594
1595
1596 /* ------------------------------------------------------------------------ */
1597 /* Exported functions */
1598
1599
1600
1601
1602 /*************************************************
1603 * Start a TLS session in a server *
1604 *************************************************/
1605
1606 /* This is called when Exim is running as a server, after having received
1607 the STARTTLS command. It must respond to that command, and then negotiate
1608 a TLS session.
1609
1610 Arguments:
1611 require_ciphers list of allowed ciphers or NULL
1612
1613 Returns: OK on success
1614 DEFER for errors before the start of the negotiation
1615 FAIL for errors during the negotation; the server can't
1616 continue running.
1617 */
1618
1619 int
1620 tls_server_start(const uschar *require_ciphers)
1621 {
1622 int rc;
1623 const char *error;
1624 exim_gnutls_state_st *state = NULL;
1625
1626 /* Check for previous activation */
1627 if (tls_in.active >= 0)
1628 {
1629 tls_error(US"STARTTLS received after TLS started", "", NULL);
1630 smtp_printf("554 Already in TLS\r\n");
1631 return FAIL;
1632 }
1633
1634 /* Initialize the library. If it fails, it will already have logged the error
1635 and sent an SMTP response. */
1636
1637 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
1638
1639 rc = tls_init(NULL, tls_certificate, tls_privatekey,
1640 NULL, tls_verify_certificates, tls_crl,
1641 require_ciphers, &state);
1642 if (rc != OK) return rc;
1643
1644 /* If this is a host for which certificate verification is mandatory or
1645 optional, set up appropriately. */
1646
1647 if (verify_check_host(&tls_verify_hosts) == OK)
1648 {
1649 DEBUG(D_tls)
1650 debug_printf("TLS: a client certificate will be required.\n");
1651 state->verify_requirement = VERIFY_REQUIRED;
1652 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1653 }
1654 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1655 {
1656 DEBUG(D_tls)
1657 debug_printf("TLS: a client certificate will be requested but not required.\n");
1658 state->verify_requirement = VERIFY_OPTIONAL;
1659 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1660 }
1661 else
1662 {
1663 DEBUG(D_tls)
1664 debug_printf("TLS: a client certificate will not be requested.\n");
1665 state->verify_requirement = VERIFY_NONE;
1666 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1667 }
1668
1669 #ifdef EXPERIMENTAL_EVENT
1670 if (event_action)
1671 {
1672 state->event_action = event_action;
1673 gnutls_session_set_ptr(state->session, state);
1674 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
1675 }
1676 #endif
1677
1678 /* Register SNI handling; always, even if not in tls_certificate, so that the
1679 expansion variable $tls_sni is always available. */
1680
1681 gnutls_handshake_set_post_client_hello_function(state->session,
1682 exim_sni_handling_cb);
1683
1684 /* Set context and tell client to go ahead, except in the case of TLS startup
1685 on connection, where outputting anything now upsets the clients and tends to
1686 make them disconnect. We need to have an explicit fflush() here, to force out
1687 the response. Other smtp_printf() calls do not need it, because in non-TLS
1688 mode, the fflush() happens when smtp_getc() is called. */
1689
1690 if (!state->tlsp->on_connect)
1691 {
1692 smtp_printf("220 TLS go ahead\r\n");
1693 fflush(smtp_out);
1694 }
1695
1696 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1697 that the GnuTLS library doesn't. */
1698
1699 gnutls_transport_set_ptr2(state->session,
1700 (gnutls_transport_ptr)(long) fileno(smtp_in),
1701 (gnutls_transport_ptr)(long) fileno(smtp_out));
1702 state->fd_in = fileno(smtp_in);
1703 state->fd_out = fileno(smtp_out);
1704
1705 sigalrm_seen = FALSE;
1706 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1707 do
1708 {
1709 rc = gnutls_handshake(state->session);
1710 } while ((rc == GNUTLS_E_AGAIN) ||
1711 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1712 alarm(0);
1713
1714 if (rc != GNUTLS_E_SUCCESS)
1715 {
1716 tls_error(US"gnutls_handshake",
1717 sigalrm_seen ? "timed out" : gnutls_strerror(rc), NULL);
1718 /* It seems that, except in the case of a timeout, we have to close the
1719 connection right here; otherwise if the other end is running OpenSSL it hangs
1720 until the server times out. */
1721
1722 if (!sigalrm_seen)
1723 {
1724 (void)fclose(smtp_out);
1725 (void)fclose(smtp_in);
1726 }
1727
1728 return FAIL;
1729 }
1730
1731 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1732
1733 /* Verify after the fact */
1734
1735 if ( state->verify_requirement != VERIFY_NONE
1736 && !verify_certificate(state, &error))
1737 {
1738 if (state->verify_requirement != VERIFY_OPTIONAL)
1739 {
1740 tls_error(US"certificate verification failed", error, NULL);
1741 return FAIL;
1742 }
1743 DEBUG(D_tls)
1744 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
1745 error);
1746 }
1747
1748 /* Figure out peer DN, and if authenticated, etc. */
1749
1750 rc = peer_status(state);
1751 if (rc != OK) return rc;
1752
1753 /* Sets various Exim expansion variables; always safe within server */
1754
1755 extract_exim_vars_from_tls_state(state);
1756
1757 /* TLS has been set up. Adjust the input functions to read via TLS,
1758 and initialize appropriately. */
1759
1760 state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1761
1762 receive_getc = tls_getc;
1763 receive_ungetc = tls_ungetc;
1764 receive_feof = tls_feof;
1765 receive_ferror = tls_ferror;
1766 receive_smtp_buffered = tls_smtp_buffered;
1767
1768 return OK;
1769 }
1770
1771
1772
1773
1774 #ifdef EXPERIMENTAL_CERTNAMES
1775 static void
1776 tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
1777 smtp_transport_options_block * ob)
1778 {
1779 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
1780 {
1781 state->exp_tls_verify_cert_hostnames = host->name;
1782 DEBUG(D_tls)
1783 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
1784 state->exp_tls_verify_cert_hostnames);
1785 }
1786 }
1787 #endif
1788
1789
1790 /*************************************************
1791 * Start a TLS session in a client *
1792 *************************************************/
1793
1794 /* Called from the smtp transport after STARTTLS has been accepted.
1795
1796 Arguments:
1797 fd the fd of the connection
1798 host connected host (for messages)
1799 addr the first address (not used)
1800 tb transport (always smtp)
1801
1802 Returns: OK/DEFER/FAIL (because using common functions),
1803 but for a client, DEFER and FAIL have the same meaning
1804 */
1805
1806 int
1807 tls_client_start(int fd, host_item *host,
1808 address_item *addr ARG_UNUSED,
1809 transport_instance *tb
1810 #ifdef EXPERIMENTAL_DANE
1811 , dne_answer * unused_tlsa_dnsa
1812 #endif
1813 )
1814 {
1815 smtp_transport_options_block *ob =
1816 (smtp_transport_options_block *)tb->options_block;
1817 int rc;
1818 const char *error;
1819 exim_gnutls_state_st *state = NULL;
1820 #ifndef DISABLE_OCSP
1821 BOOL require_ocsp =
1822 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
1823 BOOL request_ocsp = require_ocsp ? TRUE
1824 : verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
1825 #endif
1826
1827 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
1828
1829 if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
1830 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
1831 ob->tls_require_ciphers, &state)) != OK)
1832 return rc;
1833
1834 {
1835 int dh_min_bits = ob->tls_dh_min_bits;
1836 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
1837 {
1838 DEBUG(D_tls)
1839 debug_printf("WARNING: tls_dh_min_bits far too low,"
1840 " clamping %d up to %d\n",
1841 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
1842 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
1843 }
1844
1845 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
1846 " acceptable bits to %d\n",
1847 dh_min_bits);
1848 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
1849 }
1850
1851 /* Stick to the old behaviour for compatibility if tls_verify_certificates is
1852 set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
1853 the specified host patterns if one of them is defined */
1854
1855 if ( ( state->exp_tls_verify_certificates
1856 && !ob->tls_verify_hosts
1857 && !ob->tls_try_verify_hosts
1858 )
1859 || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
1860 )
1861 {
1862 #ifdef EXPERIMENTAL_CERTNAMES
1863 tls_client_setup_hostname_checks(host, state, ob);
1864 #endif
1865 DEBUG(D_tls)
1866 debug_printf("TLS: server certificate verification required.\n");
1867 state->verify_requirement = VERIFY_REQUIRED;
1868 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1869 }
1870 else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
1871 {
1872 #ifdef EXPERIMENTAL_CERTNAMES
1873 tls_client_setup_hostname_checks(host, state, ob);
1874 #endif
1875 DEBUG(D_tls)
1876 debug_printf("TLS: server certificate verification optional.\n");
1877 state->verify_requirement = VERIFY_OPTIONAL;
1878 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1879 }
1880 else
1881 {
1882 DEBUG(D_tls)
1883 debug_printf("TLS: server certificate verification not required.\n");
1884 state->verify_requirement = VERIFY_NONE;
1885 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1886 }
1887
1888 #ifndef DISABLE_OCSP
1889 /* supported since GnuTLS 3.1.3 */
1890 if (request_ocsp)
1891 {
1892 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
1893 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
1894 NULL, 0, NULL)) != OK)
1895 return tls_error(US"cert-status-req",
1896 gnutls_strerror(rc), state->host);
1897 tls_out.ocsp = OCSP_NOT_RESP;
1898 }
1899 #endif
1900
1901 #ifdef EXPERIMENTAL_EVENT
1902 if (tb->event_action)
1903 {
1904 state->event_action = tb->event_action;
1905 gnutls_session_set_ptr(state->session, state);
1906 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
1907 }
1908 #endif
1909
1910 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)(long) fd);
1911 state->fd_in = fd;
1912 state->fd_out = fd;
1913
1914 DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
1915 /* There doesn't seem to be a built-in timeout on connection. */
1916
1917 sigalrm_seen = FALSE;
1918 alarm(ob->command_timeout);
1919 do
1920 {
1921 rc = gnutls_handshake(state->session);
1922 } while ((rc == GNUTLS_E_AGAIN) ||
1923 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1924 alarm(0);
1925
1926 if (rc != GNUTLS_E_SUCCESS)
1927 return tls_error(US"gnutls_handshake",
1928 sigalrm_seen ? "timed out" : gnutls_strerror(rc), state->host);
1929
1930 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1931
1932 /* Verify late */
1933
1934 if (state->verify_requirement != VERIFY_NONE &&
1935 !verify_certificate(state, &error))
1936 return tls_error(US"certificate verification failed", error, state->host);
1937
1938 #ifndef DISABLE_OCSP
1939 if (require_ocsp)
1940 {
1941 DEBUG(D_tls)
1942 {
1943 gnutls_datum_t stapling;
1944 gnutls_ocsp_resp_t resp;
1945 gnutls_datum_t printed;
1946 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
1947 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
1948 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
1949 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
1950 )
1951 {
1952 debug_printf("%.4096s", printed.data);
1953 gnutls_free(printed.data);
1954 }
1955 else
1956 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host);
1957 }
1958
1959 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
1960 {
1961 tls_out.ocsp = OCSP_FAILED;
1962 return tls_error(US"certificate status check failed", NULL, state->host);
1963 }
1964 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
1965 tls_out.ocsp = OCSP_VFIED;
1966 }
1967 #endif
1968
1969 /* Figure out peer DN, and if authenticated, etc. */
1970
1971 if ((rc = peer_status(state)) != OK)
1972 return rc;
1973
1974 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
1975
1976 extract_exim_vars_from_tls_state(state);
1977
1978 return OK;
1979 }
1980
1981
1982
1983
1984 /*************************************************
1985 * Close down a TLS session *
1986 *************************************************/
1987
1988 /* This is also called from within a delivery subprocess forked from the
1989 daemon, to shut down the TLS library, without actually doing a shutdown (which
1990 would tamper with the TLS session in the parent process).
1991
1992 Arguments: TRUE if gnutls_bye is to be called
1993 Returns: nothing
1994 */
1995
1996 void
1997 tls_close(BOOL is_server, BOOL shutdown)
1998 {
1999 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
2000
2001 if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
2002
2003 if (shutdown)
2004 {
2005 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
2006 gnutls_bye(state->session, GNUTLS_SHUT_WR);
2007 }
2008
2009 gnutls_deinit(state->session);
2010
2011 state->tlsp->active = -1;
2012 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
2013
2014 if ((state_server.session == NULL) && (state_client.session == NULL))
2015 {
2016 gnutls_global_deinit();
2017 exim_gnutls_base_init_done = FALSE;
2018 }
2019
2020 }
2021
2022
2023
2024
2025 /*************************************************
2026 * TLS version of getc *
2027 *************************************************/
2028
2029 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2030 it refills the buffer via the GnuTLS reading function.
2031 Only used by the server-side TLS.
2032
2033 This feeds DKIM and should be used for all message-body reads.
2034
2035 Arguments: none
2036 Returns: the next character or EOF
2037 */
2038
2039 int
2040 tls_getc(void)
2041 {
2042 exim_gnutls_state_st *state = &state_server;
2043 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2044 {
2045 ssize_t inbytes;
2046
2047 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2048 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
2049
2050 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2051 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
2052 ssl_xfer_buffer_size);
2053 alarm(0);
2054
2055 /* A zero-byte return appears to mean that the TLS session has been
2056 closed down, not that the socket itself has been closed down. Revert to
2057 non-TLS handling. */
2058
2059 if (inbytes == 0)
2060 {
2061 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2062
2063 receive_getc = smtp_getc;
2064 receive_ungetc = smtp_ungetc;
2065 receive_feof = smtp_feof;
2066 receive_ferror = smtp_ferror;
2067 receive_smtp_buffered = smtp_buffered;
2068
2069 gnutls_deinit(state->session);
2070 state->session = NULL;
2071 state->tlsp->active = -1;
2072 state->tlsp->bits = 0;
2073 state->tlsp->certificate_verified = FALSE;
2074 tls_channelbinding_b64 = NULL;
2075 state->tlsp->cipher = NULL;
2076 state->tlsp->peercert = NULL;
2077 state->tlsp->peerdn = NULL;
2078
2079 return smtp_getc();
2080 }
2081
2082 /* Handle genuine errors */
2083
2084 else if (inbytes < 0)
2085 {
2086 record_io_error(state, (int) inbytes, US"recv", NULL);
2087 state->xfer_error = 1;
2088 return EOF;
2089 }
2090 #ifndef DISABLE_DKIM
2091 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
2092 #endif
2093 state->xfer_buffer_hwm = (int) inbytes;
2094 state->xfer_buffer_lwm = 0;
2095 }
2096
2097 /* Something in the buffer; return next uschar */
2098
2099 return state->xfer_buffer[state->xfer_buffer_lwm++];
2100 }
2101
2102
2103
2104
2105 /*************************************************
2106 * Read bytes from TLS channel *
2107 *************************************************/
2108
2109 /* This does not feed DKIM, so if the caller uses this for reading message body,
2110 then the caller must feed DKIM.
2111
2112 Arguments:
2113 buff buffer of data
2114 len size of buffer
2115
2116 Returns: the number of bytes read
2117 -1 after a failed read
2118 */
2119
2120 int
2121 tls_read(BOOL is_server, uschar *buff, size_t len)
2122 {
2123 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
2124 ssize_t inbytes;
2125
2126 if (len > INT_MAX)
2127 len = INT_MAX;
2128
2129 if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
2130 DEBUG(D_tls)
2131 debug_printf("*** PROBABLY A BUG *** " \
2132 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
2133 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
2134
2135 DEBUG(D_tls)
2136 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
2137 state->session, buff, len);
2138
2139 inbytes = gnutls_record_recv(state->session, buff, len);
2140 if (inbytes > 0) return inbytes;
2141 if (inbytes == 0)
2142 {
2143 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2144 }
2145 else record_io_error(state, (int)inbytes, US"recv", NULL);
2146
2147 return -1;
2148 }
2149
2150
2151
2152
2153 /*************************************************
2154 * Write bytes down TLS channel *
2155 *************************************************/
2156
2157 /*
2158 Arguments:
2159 is_server channel specifier
2160 buff buffer of data
2161 len number of bytes
2162
2163 Returns: the number of bytes after a successful write,
2164 -1 after a failed write
2165 */
2166
2167 int
2168 tls_write(BOOL is_server, const uschar *buff, size_t len)
2169 {
2170 ssize_t outbytes;
2171 size_t left = len;
2172 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
2173
2174 DEBUG(D_tls) debug_printf("tls_do_write(%p, " SIZE_T_FMT ")\n", buff, left);
2175 while (left > 0)
2176 {
2177 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
2178 buff, left);
2179 outbytes = gnutls_record_send(state->session, buff, left);
2180
2181 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
2182 if (outbytes < 0)
2183 {
2184 record_io_error(state, outbytes, US"send", NULL);
2185 return -1;
2186 }
2187 if (outbytes == 0)
2188 {
2189 record_io_error(state, 0, US"send", US"TLS channel closed on write");
2190 return -1;
2191 }
2192
2193 left -= outbytes;
2194 buff += outbytes;
2195 }
2196
2197 if (len > INT_MAX)
2198 {
2199 DEBUG(D_tls)
2200 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
2201 len);
2202 len = INT_MAX;
2203 }
2204
2205 return (int) len;
2206 }
2207
2208
2209
2210
2211 /*************************************************
2212 * Random number generation *
2213 *************************************************/
2214
2215 /* Pseudo-random number generation. The result is not expected to be
2216 cryptographically strong but not so weak that someone will shoot themselves
2217 in the foot using it as a nonce in input in some email header scheme or
2218 whatever weirdness they'll twist this into. The result should handle fork()
2219 and avoid repeating sequences. OpenSSL handles that for us.
2220
2221 Arguments:
2222 max range maximum
2223 Returns a random number in range [0, max-1]
2224 */
2225
2226 #ifdef HAVE_GNUTLS_RND
2227 int
2228 vaguely_random_number(int max)
2229 {
2230 unsigned int r;
2231 int i, needed_len;
2232 uschar *p;
2233 uschar smallbuf[sizeof(r)];
2234
2235 if (max <= 1)
2236 return 0;
2237
2238 needed_len = sizeof(r);
2239 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
2240 * asked for a number less than 10. */
2241 for (r = max, i = 0; r; ++i)
2242 r >>= 1;
2243 i = (i + 7) / 8;
2244 if (i < needed_len)
2245 needed_len = i;
2246
2247 i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2248 if (i < 0)
2249 {
2250 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2251 return vaguely_random_number_fallback(max);
2252 }
2253 r = 0;
2254 for (p = smallbuf; needed_len; --needed_len, ++p)
2255 {
2256 r *= 256;
2257 r += *p;
2258 }
2259
2260 /* We don't particularly care about weighted results; if someone wants
2261 * smooth distribution and cares enough then they should submit a patch then. */
2262 return r % max;
2263 }
2264 #else /* HAVE_GNUTLS_RND */
2265 int
2266 vaguely_random_number(int max)
2267 {
2268 return vaguely_random_number_fallback(max);
2269 }
2270 #endif /* HAVE_GNUTLS_RND */
2271
2272
2273
2274
2275 /*************************************************
2276 * Let tls_require_ciphers be checked at startup *
2277 *************************************************/
2278
2279 /* The tls_require_ciphers option, if set, must be something which the
2280 library can parse.
2281
2282 Returns: NULL on success, or error message
2283 */
2284
2285 uschar *
2286 tls_validate_require_cipher(void)
2287 {
2288 int rc;
2289 uschar *expciphers = NULL;
2290 gnutls_priority_t priority_cache;
2291 const char *errpos;
2292
2293 #define validate_check_rc(Label) do { \
2294 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2295 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2296 #define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2297
2298 if (exim_gnutls_base_init_done)
2299 log_write(0, LOG_MAIN|LOG_PANIC,
2300 "already initialised GnuTLS, Exim developer bug");
2301
2302 #ifdef HAVE_GNUTLS_PKCS11
2303 if (!gnutls_allow_auto_pkcs11)
2304 {
2305 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2306 validate_check_rc(US"gnutls_pkcs11_init");
2307 }
2308 #endif
2309 rc = gnutls_global_init();
2310 validate_check_rc(US"gnutls_global_init()");
2311 exim_gnutls_base_init_done = TRUE;
2312
2313 if (!(tls_require_ciphers && *tls_require_ciphers))
2314 return_deinit(NULL);
2315
2316 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2317 return_deinit(US"failed to expand tls_require_ciphers");
2318
2319 if (!(expciphers && *expciphers))
2320 return_deinit(NULL);
2321
2322 DEBUG(D_tls)
2323 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2324
2325 rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2326 validate_check_rc(string_sprintf(
2327 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2328 expciphers, errpos - CS expciphers, errpos));
2329
2330 #undef return_deinit
2331 #undef validate_check_rc
2332 gnutls_global_deinit();
2333
2334 return NULL;
2335 }
2336
2337
2338
2339
2340 /*************************************************
2341 * Report the library versions. *
2342 *************************************************/
2343
2344 /* See a description in tls-openssl.c for an explanation of why this exists.
2345
2346 Arguments: a FILE* to print the results to
2347 Returns: nothing
2348 */
2349
2350 void
2351 tls_version_report(FILE *f)
2352 {
2353 fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2354 " Runtime: %s\n",
2355 LIBGNUTLS_VERSION,
2356 gnutls_check_version(NULL));
2357 }
2358
2359 /* vi: aw ai sw=2
2360 */
2361 /* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.