projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Debug: fix coding in dnssec reporting. Bug 2205
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
9242a7e8 5/* Copyright (c) University of Cambridge 1995 - 2017 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP		 10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP		 14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 16Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 17appropriate.
059ec3d9 18
17c76198
PP		 19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP		 24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP		 27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP		 32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP		 37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
a5f239e4
PP		 42/* needed to disable PKCS11 autoload unless requested */
43#if GNUTLS_VERSION_NUMBER >= 0x020c00
44# include <gnutls/pkcs11.h>
76075bb5 45# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 46#endif
7e07527a
JH		 47#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
48# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
49# define DISABLE_OCSP
50#endif
0cbf2b82 51#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 52# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 53# define DISABLE_EVENT
a7538db1 54#endif
a7fec7a7
JH		 55#if GNUTLS_VERSION_NUMBER >= 0x030306
56# define SUPPORT_CA_DIR
57#else
58# undef SUPPORT_CA_DIR
59#endif
11a04b5a 60#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH		 61# define SUPPORT_SYSDEFAULT_CABUNDLE
62#endif
925ac8e4
JH		 63#if GNUTLS_VERSION_NUMBER >= 0x030109
64# define SUPPORT_CORK
65#endif
7e07527a 66
f2de3a33 67#ifndef DISABLE_OCSP
2b4a568d
JH		 68# include <gnutls/ocsp.h>
69#endif
059ec3d9 70
17c76198 71/* GnuTLS 2 vs 3
059ec3d9 72
17c76198
PP		 73GnuTLS 3 only:
74 gnutls_global_set_audit_log_function()
059ec3d9 75
17c76198
PP		 76Changes:
77 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
78*/
059ec3d9 79
17c76198 80/* Local static variables for GnuTLS */
059ec3d9 81
17c76198 82/* Values for verify_requirement */
059ec3d9 83
e51c7be2 84enum peer_verify_requirement
aa2a70ba 85 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
059ec3d9 86
17c76198
PP		 87/* This holds most state for server or client; with this, we can set up an
88outbound TLS-enabled connection in an ACL callout, while not stomping all
89over the TLS variables available for expansion.
059ec3d9 90
17c76198
PP		 91Some of these correspond to variables in globals.c; those variables will
92be set to point to content in one of these instances, as appropriate for
93the stage of the process lifetime.
059ec3d9 94
389ca47a 95Not handled here: global tls_channelbinding_b64.
17c76198 96*/
059ec3d9 97
17c76198 98typedef struct exim_gnutls_state {
9d1c15ef 99 gnutls_session_t session;
17c76198 100 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 101 gnutls_priority_t priority_cache;
17c76198 102 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH		 103 int fd_in;
104 int fd_out;
105 BOOL peer_cert_verified;
106 BOOL trigger_sni_changes;
107 BOOL have_set_peerdn;
17c76198 108 const struct host_item *host;
9d1c15ef
JH		 109 gnutls_x509_crt_t peercert;
110 uschar *peerdn;
111 uschar *ciphersuite;
112 uschar *received_sni;
17c76198
PP		 113
114 const uschar *tls_certificate;
115 const uschar *tls_privatekey;
116 const uschar *tls_sni; /* client send only, not received */
117 const uschar *tls_verify_certificates;
118 const uschar *tls_crl;
119 const uschar *tls_require_ciphers;
e51c7be2 120
17c76198
PP		 121 uschar *exp_tls_certificate;
122 uschar *exp_tls_privatekey;
17c76198
PP		 123 uschar *exp_tls_verify_certificates;
124 uschar *exp_tls_crl;
125 uschar *exp_tls_require_ciphers;
44662487 126 uschar *exp_tls_ocsp_file;
55414b25 127 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 128#ifndef DISABLE_EVENT
a7538db1
JH		 129 uschar *event_action;
130#endif
17c76198 131
389ca47a 132 tls_support *tlsp; /* set in tls_init() */
817d9f57 133
17c76198
PP		 134 uschar *xfer_buffer;
135 int xfer_buffer_lwm;
136 int xfer_buffer_hwm;
137 int xfer_eof;
138 int xfer_error;
17c76198
PP		 139} exim_gnutls_state_st;
140
141static const exim_gnutls_state_st exim_gnutls_state_init = {
f2ed27cf
JH		 142 .session = NULL,
143 .x509_cred = NULL,
144 .priority_cache = NULL,
145 .verify_requirement = VERIFY_NONE,
146 .fd_in = -1,
147 .fd_out = -1,
148 .peer_cert_verified = FALSE,
149 .trigger_sni_changes =FALSE,
150 .have_set_peerdn = FALSE,
151 .host = NULL,
152 .peercert = NULL,
153 .peerdn = NULL,
154 .ciphersuite = NULL,
155 .received_sni = NULL,
156
157 .tls_certificate = NULL,
158 .tls_privatekey = NULL,
159 .tls_sni = NULL,
160 .tls_verify_certificates = NULL,
161 .tls_crl = NULL,
162 .tls_require_ciphers =NULL,
163
164 .exp_tls_certificate = NULL,
165 .exp_tls_privatekey = NULL,
166 .exp_tls_verify_certificates = NULL,
167 .exp_tls_crl = NULL,
168 .exp_tls_require_ciphers = NULL,
169 .exp_tls_ocsp_file = NULL,
170 .exp_tls_verify_cert_hostnames = NULL,
0cbf2b82 171#ifndef DISABLE_EVENT
f2ed27cf 172 .event_action = NULL,
e51c7be2 173#endif
f2ed27cf
JH		 174 .tlsp = NULL,
175
176 .xfer_buffer = NULL,
177 .xfer_buffer_lwm = 0,
178 .xfer_buffer_hwm = 0,
179 .xfer_eof = 0,
180 .xfer_error = 0,
17c76198 181};
83da1223 182
17c76198
PP		 183/* Not only do we have our own APIs which don't pass around state, assuming
184it's held in globals, GnuTLS doesn't appear to let us register callback data
185for callbacks, or as part of the session, so we have to keep a "this is the
186context we're currently dealing with" pointer and rely upon being
187single-threaded to keep from processing data on an inbound TLS connection while
188talking to another TLS connection for an outbound check. This does mean that
189there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH		 190second connection.
191XXX But see gnutls_session_get_ptr()
192*/
059ec3d9 193
17c76198 194static exim_gnutls_state_st state_server, state_client;
059ec3d9 195
17c76198
PP		 196/* dh_params are initialised once within the lifetime of a process using TLS;
197if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
198don't want to repeat this. */
83da1223 199
17c76198 200static gnutls_dh_params_t dh_server_params = NULL;
059ec3d9 201
17c76198 202/* No idea how this value was chosen; preserving it. Default is 3600. */
059ec3d9 203
17c76198 204static const int ssl_session_timeout = 200;
059ec3d9 205
17c76198 206static const char * const exim_default_gnutls_priority = "NORMAL";
83da1223 207
17c76198 208/* Guard library core initialisation */
83da1223 209
17c76198 210static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 211
4fb7df6d 212#ifndef DISABLE_OCSP
9196d5bf 213static BOOL gnutls_buggy_ocsp = FALSE;
4fb7df6d 214#endif
9196d5bf 215
059ec3d9 216
17c76198
PP		 217/* ------------------------------------------------------------------------ */
218/* macros */
83da1223 219
17c76198 220#define MAX_HOST_LEN 255
83da1223 221
17c76198
PP		 222/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
223the library logging; a value less than 0 disables the calls to set up logging
ef9da2ee
JH		 224callbacks. Possibly GNuTLS also looks for an environment variable
225"GNUTLS_DEBUG_LEVEL". */
2c17bb02 226#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
a7538db1 227# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 228#endif
83da1223 229
2c17bb02 230#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 231# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 232#endif
83da1223 233
af3498d6
PP		 234/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
235can ask for a bit-strength. Without that, we stick to the constant we had
236before, for now. */
2c17bb02 237#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 238# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 239#endif
af3498d6 240
17c76198 241#define exim_gnutls_err_check(Label) do { \
cf0c6164
JH		 242 if (rc != GNUTLS_E_SUCCESS) \
243 return tls_error((Label), gnutls_strerror(rc), host, errstr); \
244 } while (0)
059ec3d9 245
cf0c6164
JH		 246#define expand_check_tlsvar(Varname, errstr) \
247 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 248
17c76198 249#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH		 250# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
251# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
252# define HAVE_GNUTLS_RND
2519e60d
TL		 253/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
254 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
255 * isn't available sometimes, so this needs to become a conditional
256 * compilation; the sanest way to deal with this being a problem on
257 * older OSes is to block it in the Local/Makefile with this compiler
258 * definition */
e51c7be2
JH		 259# ifndef AVOID_GNUTLS_PKCS11
260# define HAVE_GNUTLS_PKCS11
261# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 262#endif
83da1223 263
af3498d6
PP		 264
265
266
267/* ------------------------------------------------------------------------ */
268/* Callback declarations */
269
270#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
271static void exim_gnutls_logger_cb(int level, const char *message);
272#endif
273
274static int exim_sni_handling_cb(gnutls_session_t session);
275
f2de3a33 276#ifndef DISABLE_OCSP
44662487
JH		 277static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
278 gnutls_datum_t * ocsp_response);
279#endif
af3498d6
PP		 280
281
282
17c76198
PP		 283/* ------------------------------------------------------------------------ */
284/* Static functions */
059ec3d9
PH		 285
286/*************************************************
287* Handle TLS error *
288*************************************************/
289
290/* Called from lots of places when errors occur before actually starting to do
291the TLS handshake, that is, while the session is still in clear. Always returns
292DEFER for a server and FAIL for a client so that most calls can use "return
293tls_error(...)" to do this processing and then give an appropriate return. A
294single function is used for both server and client, because it is called from
295some shared functions.
296
297Argument:
298 prefix text to include in the logged error
7199e1ee
TF		 299 msg additional error string (may be NULL)
300 usually obtained from gnutls_strerror()
17c76198
PP		 301 host NULL if setting up a server;
302 the connected host if setting up a client
cf0c6164 303 errstr pointer to returned error string
059ec3d9
PH		 304
305Returns: OK/DEFER/FAIL
306*/
307
308static int
cf0c6164
JH		 309tls_error(const uschar *prefix, const char *msg, const host_item *host,
310 uschar ** errstr)
059ec3d9 311{
cf0c6164
JH		 312if (errstr)
313 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : "");
314return host ? FAIL : DEFER;
059ec3d9
PH		 315}
316
317
318
17c76198 319
059ec3d9 320/*************************************************
17c76198 321* Deal with logging errors during I/O *
059ec3d9
PH		 322*************************************************/
323
17c76198 324/* We have to get the identity of the peer from saved data.
059ec3d9 325
17c76198
PP		 326Argument:
327 state the current GnuTLS exim state container
328 rc the GnuTLS error code, or 0 if it's a local error
329 when text identifying read or write
330 text local error text when ec is 0
059ec3d9 331
17c76198 332Returns: nothing
059ec3d9
PH		 333*/
334
17c76198
PP		 335static void
336record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 337{
cf0c6164
JH		 338const char * msg;
339uschar * errstr;
059ec3d9 340
17c76198
PP		 341if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
342 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
343 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
344else
345 msg = gnutls_strerror(rc);
059ec3d9 346
cf0c6164
JH		 347(void) tls_error(when, msg, state->host, &errstr);
348
349if (state->host)
350 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
351 state->host->name, state->host->address, errstr);
352else
353 {
354 uschar * conn_info = smtp_get_connection_info();
355 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
356 /* I'd like to get separated H= here, but too hard for now */
357 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
358 }
17c76198 359}
059ec3d9 360
059ec3d9 361
059ec3d9 362
059ec3d9 363
17c76198
PP		 364/*************************************************
365* Set various Exim expansion vars *
366*************************************************/
059ec3d9 367
e51c7be2
JH		 368#define exim_gnutls_cert_err(Label) \
369 do \
370 { \
371 if (rc != GNUTLS_E_SUCCESS) \
372 { \
373 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
374 (Label), gnutls_strerror(rc)); \
375 return rc; \
376 } \
377 } while (0)
9d1c15ef
JH		 378
379static int
27f19eb4 380import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH		 381{
382int rc;
383
384rc = gnutls_x509_crt_init(crtp);
385exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
386
387rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
388exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
389
390return rc;
391}
392
393#undef exim_gnutls_cert_err
394
395
17c76198
PP		 396/* We set various Exim global variables from the state, once a session has
397been established. With TLS callouts, may need to change this to stack
398variables, or just re-call it with the server state after client callout
399has finished.
059ec3d9 400
9d1c15ef 401Make sure anything set here is unset in tls_getc().
17c76198
PP		 402
403Sets:
404 tls_active fd
405 tls_bits strength indicator
406 tls_certificate_verified bool indicator
407 tls_channelbinding_b64 for some SASL mechanisms
408 tls_cipher a string
9d1c15ef 409 tls_peercert pointer to library internal
17c76198
PP		 410 tls_peerdn a string
411 tls_sni a (UTF-8) string
9d1c15ef 412 tls_ourcert pointer to library internal
17c76198
PP		 413
414Argument:
415 state the relevant exim_gnutls_state_st *
416*/
417
418static void
9d1c15ef 419extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 420{
17c76198 421gnutls_cipher_algorithm_t cipher;
17c76198
PP		 422#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
423int old_pool;
424int rc;
425gnutls_datum_t channel;
426#endif
9d1c15ef 427tls_support * tlsp = state->tlsp;
17c76198 428
9d1c15ef 429tlsp->active = state->fd_out;
17c76198
PP		 430
431cipher = gnutls_cipher_get(state->session);
432/* returns size in "bytes" */
9d1c15ef 433tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
17c76198 434
9d1c15ef 435tlsp->cipher = state->ciphersuite;
17c76198 436
817d9f57 437DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 438
9d1c15ef 439tlsp->certificate_verified = state->peer_cert_verified;
059ec3d9 440
17c76198
PP		 441/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
442only available for use for authenticators while this TLS session is running. */
443
444tls_channelbinding_b64 = NULL;
445#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
446channel.data = NULL;
447channel.size = 0;
448rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
449if (rc) {
450 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
451} else {
452 old_pool = store_pool;
453 store_pool = POOL_PERM;
f4d091fb 454 tls_channelbinding_b64 = b64encode(channel.data, (int)channel.size);
17c76198
PP		 455 store_pool = old_pool;
456 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
457}
458#endif
459
9d1c15ef
JH		 460/* peercert is set in peer_status() */
461tlsp->peerdn = state->peerdn;
462tlsp->sni = state->received_sni;
463
464/* record our certificate */
465 {
27f19eb4 466 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH		 467 gnutls_x509_crt_t crt;
468
469 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
470 }
059ec3d9
PH		 471}
472
473
474
17c76198 475
059ec3d9 476/*************************************************
575643cd 477* Setup up DH parameters *
059ec3d9
PH		 478*************************************************/
479
575643cd 480/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH		 481be re-generated every so often, depending on security policy. What we do is to
482keep these parameters in a file in the spool directory. If the file does not
483exist, we generate them. This means that it is easy to cause a regeneration.
484
485The new file is written as a temporary file and renamed, so that an incomplete
486file is never present. If two processes both compute some new parameters, you
487waste a bit of effort, but it doesn't seem worth messing around with locking to
488prevent this.
489
059ec3d9
PH		 490Returns: OK/DEFER/FAIL
491*/
492
493static int
cf0c6164 494init_server_dh(uschar ** errstr)
059ec3d9 495{
17c76198
PP		 496int fd, rc;
497unsigned int dh_bits;
27f19eb4 498gnutls_datum_t m;
a799883d
PP		 499uschar filename_buf[PATH_MAX];
500uschar *filename = NULL;
17c76198 501size_t sz;
a799883d
PP		 502uschar *exp_tls_dhparam;
503BOOL use_file_in_spool = FALSE;
504BOOL use_fixed_file = FALSE;
17c76198 505host_item *host = NULL; /* dummy for macros */
059ec3d9 506
17c76198 507DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 508
17c76198
PP		 509rc = gnutls_dh_params_init(&dh_server_params);
510exim_gnutls_err_check(US"gnutls_dh_params_init");
059ec3d9 511
a799883d
PP		 512m.data = NULL;
513m.size = 0;
514
cf0c6164 515if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP		 516 return DEFER;
517
518if (!exp_tls_dhparam)
519 {
520 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
521 m.data = US std_dh_prime_default();
522 m.size = Ustrlen(m.data);
523 }
524else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
525 use_file_in_spool = TRUE;
526else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
527 {
528 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
529 return OK;
530 }
531else if (exp_tls_dhparam[0] != '/')
532 {
f5d25c2b 533 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
cf0c6164 534 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL, errstr);
a799883d
PP		 535 m.size = Ustrlen(m.data);
536 }
537else
538 {
539 use_fixed_file = TRUE;
540 filename = exp_tls_dhparam;
541 }
542
543if (m.data)
544 {
545 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
546 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
547 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
548 return OK;
549 }
550
af3498d6
PP		 551#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
552/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198
PP		 553different filename and ensure we have sufficient bits. */
554dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
555if (!dh_bits)
cf0c6164 556 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 557DEBUG(D_tls)
b34fc30c 558 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP		 559 dh_bits);
560#else
561dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
562DEBUG(D_tls)
563 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
564 dh_bits);
565#endif
059ec3d9 566
3375e053
PP		 567/* Some clients have hard-coded limits. */
568if (dh_bits > tls_dh_max_bits)
569 {
570 DEBUG(D_tls)
571 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
572 tls_dh_max_bits);
573 dh_bits = tls_dh_max_bits;
574 }
575
a799883d
PP		 576if (use_file_in_spool)
577 {
578 if (!string_format(filename_buf, sizeof(filename_buf),
579 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 580 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP		 581 filename = filename_buf;
582 }
059ec3d9 583
b5aea5e1 584/* Open the cache file for reading and if successful, read it and set up the
575643cd 585parameters. */
059ec3d9 586
f5d25c2b 587if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 588 {
b5aea5e1 589 struct stat statbuf;
17c76198
PP		 590 FILE *fp;
591 int saved_errno;
592
593 if (fstat(fd, &statbuf) < 0) /* EIO */
594 {
595 saved_errno = errno;
596 (void)close(fd);
cf0c6164 597 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL, errstr);
17c76198
PP		 598 }
599 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH		 600 {
601 (void)close(fd);
cf0c6164 602 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 603 }
40c90bca 604 if (!(fp = fdopen(fd, "rb")))
17c76198
PP		 605 {
606 saved_errno = errno;
607 (void)close(fd);
608 return tls_error(US"fdopen(TLS cache stat fd) failed",
cf0c6164 609 strerror(saved_errno), NULL, errstr);
b5aea5e1 610 }
059ec3d9 611
b5aea5e1 612 m.size = statbuf.st_size;
40c90bca 613 if (!(m.data = malloc(m.size)))
17c76198
PP		 614 {
615 fclose(fp);
cf0c6164 616 return tls_error(US"malloc failed", strerror(errno), NULL, errstr);
17c76198 617 }
40c90bca 618 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP		 619 {
620 saved_errno = errno;
621 fclose(fp);
622 free(m.data);
cf0c6164 623 return tls_error(US"fread failed", strerror(saved_errno), NULL, errstr);
17c76198
PP		 624 }
625 fclose(fp);
b5aea5e1 626
17c76198 627 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
b5aea5e1 628 free(m.data);
17c76198
PP		 629 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
630 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH		 631 }
632
633/* If the file does not exist, fall through to compute new data and cache it.
634If there was any other opening error, it is serious. */
635
182ad5cf
PH		 636else if (errno == ENOENT)
637 {
17c76198 638 rc = -1;
182ad5cf 639 DEBUG(D_tls)
17c76198 640 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH		 641 }
642else
17c76198 643 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 644 NULL, NULL, errstr);
b5aea5e1
PH		 645
646/* If ret < 0, either the cache file does not exist, or the data it contains
647is not useful. One particular case of this is when upgrading from an older
648release of Exim in which the data was stored in a different format. We don't
649try to be clever and support both formats; we just regenerate new data in this
650case. */
651
17c76198 652if (rc < 0)
b5aea5e1 653 {
17c76198 654 uschar *temp_fn;
201f5254 655 unsigned int dh_bits_gen = dh_bits;
059ec3d9 656
17c76198
PP		 657 if ((PATH_MAX - Ustrlen(filename)) < 10)
658 return tls_error(US"Filename too long to generate replacement",
cf0c6164 659 CS filename, NULL, errstr);
059ec3d9 660
17c76198 661 temp_fn = string_copy(US "%s.XXXXXXX");
f5d25c2b 662 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
cf0c6164 663 return tls_error(US"Unable to open temp file", strerror(errno), NULL, errstr);
059ec3d9
PH		 664 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
665
201f5254
PP		 666 /* GnuTLS overshoots!
667 * If we ask for 2236, we might get 2237 or more.
668 * But there's no way to ask GnuTLS how many bits there really are.
669 * We can ask how many bits were used in a TLS session, but that's it!
670 * The prime itself is hidden behind too much abstraction.
671 * So we ask for less, and proceed on a wing and a prayer.
672 * First attempt, subtracted 3 for 2233 and got 2240.
673 */
cae6e576 674 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP		 675 {
676 dh_bits_gen = dh_bits - 10;
677 DEBUG(D_tls)
678 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
679 dh_bits_gen);
680 }
681
682 DEBUG(D_tls)
683 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
684 dh_bits_gen);
685 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
17c76198
PP		 686 exim_gnutls_err_check(US"gnutls_dh_params_generate2");
687
688 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
689 and I confirmed that a NULL call to get the size first is how the GnuTLS
690 sample apps handle this. */
691
692 sz = 0;
693 m.data = NULL;
694 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
695 m.data, &sz);
696 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
697 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3(NULL) sizing");
698 m.size = sz;
40c90bca 699 if (!(m.data = malloc(m.size)))
cf0c6164 700 return tls_error(US"memory allocation failed", strerror(errno), NULL, errstr);
40c90bca 701
1f00591e 702 /* this will return a size 1 less than the allocation size above */
17c76198 703 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
1f00591e 704 m.data, &sz);
17c76198
PP		 705 if (rc != GNUTLS_E_SUCCESS)
706 {
707 free(m.data);
708 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3() real");
709 }
1f00591e 710 m.size = sz; /* shrink by 1, probably */
059ec3d9 711
f5d25c2b 712 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198
PP		 713 {
714 free(m.data);
715 return tls_error(US"TLS cache write D-H params failed",
cf0c6164 716 strerror(errno), NULL, errstr);
17c76198 717 }
b5aea5e1 718 free(m.data);
f5d25c2b 719 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
17c76198 720 return tls_error(US"TLS cache write D-H params final newline failed",
cf0c6164 721 strerror(errno), NULL, errstr);
17c76198 722
f5d25c2b 723 if ((rc = close(fd)))
cf0c6164 724 return tls_error(US"TLS cache write close() failed", strerror(errno), NULL, errstr);
059ec3d9 725
17c76198
PP		 726 if (Urename(temp_fn, filename) < 0)
727 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
cf0c6164 728 temp_fn, filename), strerror(errno), NULL, errstr);
059ec3d9 729
17c76198 730 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH		 731 }
732
17c76198 733DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH		 734return OK;
735}
736
737
738
739
23bb6982
JH		 740/* Create and install a selfsigned certificate, for use in server mode */
741
742static int
cf0c6164 743tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH		 744{
745gnutls_x509_crt_t cert = NULL;
746time_t now;
747gnutls_x509_privkey_t pkey = NULL;
748const uschar * where;
749int rc;
750
751where = US"initialising pkey";
752if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
753
754where = US"initialising cert";
755if ((rc = gnutls_x509_crt_init(&cert))) goto err;
756
757where = US"generating pkey";
758if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 759#ifdef SUPPORT_PARAM_TO_PK_BITS
23bb6982 760 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW),
76075bb5
JH		 761#else
762 1024,
763#endif
764 0)))
23bb6982
JH		 765 goto err;
766
767where = US"configuring cert";
768now = 0;
769if ( (rc = gnutls_x509_crt_set_version(cert, 3))
770 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
771 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
772 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
773 || (rc = gnutls_x509_crt_set_key(cert, pkey))
774
775 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
776 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
777 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
778 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
779 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
780 GNUTLS_OID_X520_COMMON_NAME, 0,
781 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
782 )
783 goto err;
784
785where = US"signing cert";
786if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
787
788where = US"installing selfsign cert";
789 /* Since: 2.4.0 */
790if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
791 goto err;
792
793rc = OK;
794
795out:
796 if (cert) gnutls_x509_crt_deinit(cert);
797 if (pkey) gnutls_x509_privkey_deinit(pkey);
798 return rc;
799
800err:
cf0c6164 801 rc = tls_error(where, gnutls_strerror(rc), NULL, errstr);
23bb6982
JH		 802 goto out;
803}
804
805
806
807
ba86e143
JH		 808static int
809tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
810 uschar * certfile, uschar * keyfile, uschar ** errstr)
811{
812int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
813 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
814exim_gnutls_err_check(
815 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile));
816return OK;
817}
818
819
059ec3d9 820/*************************************************
17c76198 821* Variables re-expanded post-SNI *
059ec3d9
PH		 822*************************************************/
823
17c76198
PP		 824/* Called from both server and client code, via tls_init(), and also from
825the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
826
827We can tell the two apart by state->received_sni being non-NULL in callback.
828
829The callback should not call us unless state->trigger_sni_changes is true,
830which we are responsible for setting on the first pass through.
059ec3d9
PH		 831
832Arguments:
17c76198 833 state exim_gnutls_state_st *
cf0c6164 834 errstr error string pointer
059ec3d9
PH		 835
836Returns: OK/DEFER/FAIL
837*/
838
839static int
ba86e143 840tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 841{
1365611d 842struct stat statbuf;
059ec3d9 843int rc;
17c76198
PP		 844const host_item *host = state->host; /* macro should be reconsidered? */
845uschar *saved_tls_certificate = NULL;
846uschar *saved_tls_privatekey = NULL;
847uschar *saved_tls_verify_certificates = NULL;
848uschar *saved_tls_crl = NULL;
849int cert_count;
850
851/* We check for tls_sni *before* expansion. */
2b4a568d 852if (!host) /* server */
17c76198
PP		 853 if (!state->received_sni)
854 {
ba86e143
JH		 855 if ( state->tls_certificate
856 && ( Ustrstr(state->tls_certificate, US"tls_sni")
857 || Ustrstr(state->tls_certificate, US"tls_in_sni")
858 || Ustrstr(state->tls_certificate, US"tls_out_sni")
859 ) )
17c76198
PP		 860 {
861 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
862 state->trigger_sni_changes = TRUE;
863 }
864 }
865 else
866 {
1365611d 867 /* useful for debugging */
17c76198
PP		 868 saved_tls_certificate = state->exp_tls_certificate;
869 saved_tls_privatekey = state->exp_tls_privatekey;
870 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
871 saved_tls_crl = state->exp_tls_crl;
872 }
059ec3d9 873
1365611d
PP		 874rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
875exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
876
17c76198
PP		 877/* remember: expand_check_tlsvar() is expand_check() but fiddling with
878state members, assuming consistent naming; and expand_check() returns
879false if expansion failed, unless expansion was forced to fail. */
059ec3d9 880
17c76198
PP		 881/* check if we at least have a certificate, before doing expensive
882D-H generation. */
059ec3d9 883
cf0c6164 884if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 885 return DEFER;
059ec3d9 886
17c76198 887/* certificate is mandatory in server, optional in client */
059ec3d9 888
23bb6982
JH		 889if ( !state->exp_tls_certificate
890 || !*state->exp_tls_certificate
891 )
2b4a568d 892 if (!host)
cf0c6164 893 return tls_install_selfsign(state, errstr);
17c76198
PP		 894 else
895 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 896
cf0c6164 897if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH		 898 return DEFER;
899
17c76198
PP		 900/* tls_privatekey is optional, defaulting to same file as certificate */
901
902if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
059ec3d9 903 {
17c76198
PP		 904 state->tls_privatekey = state->tls_certificate;
905 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 906 }
c91535f3 907
059ec3d9 908
17c76198 909if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH		 910 {
911 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP		 912 state->exp_tls_certificate, state->exp_tls_privatekey);
913
914 if (state->received_sni)
23bb6982
JH		 915 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
916 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
917 )
17c76198 918 {
b34fc30c 919 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP		 920 }
921 else
922 {
b34fc30c 923 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 924 }
059ec3d9 925
ba86e143
JH		 926 if (!host) /* server */
927 {
928 const uschar * clist = state->exp_tls_certificate;
929 const uschar * klist = state->exp_tls_privatekey;
930 int csep = 0, ksep = 0;
931 uschar * cfile, * kfile;
932
933 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
934 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
935 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
936 else if ((rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
937 return rc;
938 else
939 DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile);
940 }
941 else
942 {
943 if ((rc = tls_add_certfile(state, host,
944 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
945 return rc;
946 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
947 }
948
b34fc30c 949 } /* tls_certificate */
059ec3d9 950
2b4a568d
JH		 951
952/* Set the OCSP stapling server info */
953
f2de3a33 954#ifndef DISABLE_OCSP
2b4a568d
JH		 955if ( !host /* server */
956 && tls_ocsp_file
957 )
958 {
9196d5bf
JH		 959 if (gnutls_buggy_ocsp)
960 {
961 DEBUG(D_tls) debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
962 }
963 else
964 {
965 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
cf0c6164 966 &state->exp_tls_ocsp_file, errstr))
9196d5bf 967 return DEFER;
2b4a568d 968
9196d5bf
JH		 969 /* Use the full callback method for stapling just to get observability.
970 More efficient would be to read the file once only, if it never changed
971 (due to SNI). Would need restart on file update, or watch datestamp. */
44662487 972
9196d5bf
JH		 973 gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
974 server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
2b4a568d 975
9196d5bf
JH		 976 DEBUG(D_tls) debug_printf("OCSP response file = %s\n", state->exp_tls_ocsp_file);
977 }
2b4a568d
JH		 978 }
979#endif
980
981
059ec3d9
PH		 982/* Set the trusted CAs file if one is provided, and then add the CRL if one is
983provided. Experiment shows that, if the certificate file is empty, an unhelpful
984error message is provided. However, if we just refrain from setting anything up
985in that case, certificate verification fails, which seems to be the correct
986behaviour. */
987
610ff438 988if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 989 {
cf0c6164 990 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 991 return DEFER;
610ff438
JH		 992#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
993 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
994 state->exp_tls_verify_certificates = NULL;
995#endif
17c76198 996 if (state->tls_crl && *state->tls_crl)
cf0c6164 997 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 998 return DEFER;
059ec3d9 999
1365611d
PP		 1000 if (!(state->exp_tls_verify_certificates &&
1001 *state->exp_tls_verify_certificates))
b34fc30c
PP		 1002 {
1003 DEBUG(D_tls)
1365611d
PP		 1004 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1005 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 1006 return OK;
b34fc30c 1007 }
1365611d 1008 }
83e2f8a2
PP		 1009else
1010 {
1011 DEBUG(D_tls)
1012 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1013 return OK;
1014 }
17c76198 1015
cb1d7830
JH		 1016#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1017if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1018 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1019else
1020#endif
1365611d 1021 {
cb1d7830
JH		 1022 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1023 {
1024 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
1025 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1026 strerror(errno));
1027 return DEFER;
1028 }
17c76198 1029
a7fec7a7 1030#ifndef SUPPORT_CA_DIR
cb1d7830
JH		 1031 /* The test suite passes in /dev/null; we could check for that path explicitly,
1032 but who knows if someone has some weird FIFO which always dumps some certs, or
1033 other weirdness. The thing we really want to check is that it's not a
1034 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 1035 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH		 1036 if (S_ISDIR(statbuf.st_mode))
1037 {
1038 DEBUG(D_tls)
1039 debug_printf("verify certificates path is a dir: \"%s\"\n",
1040 state->exp_tls_verify_certificates);
1041 log_write(0, LOG_MAIN|LOG_PANIC,
1042 "tls_verify_certificates \"%s\" is a directory",
1043 state->exp_tls_verify_certificates);
1044 return DEFER;
1045 }
a7fec7a7 1046#endif
059ec3d9 1047
cb1d7830
JH		 1048 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1049 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 1050
cb1d7830
JH		 1051 if (statbuf.st_size == 0)
1052 {
1053 DEBUG(D_tls)
1054 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1055 return OK;
1056 }
059ec3d9 1057
cb1d7830 1058 cert_count =
a7fec7a7
JH		 1059
1060#ifdef SUPPORT_CA_DIR
cb1d7830
JH		 1061 (statbuf.st_mode & S_IFMT) == S_IFDIR
1062 ?
1063 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1064 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1065 :
a7fec7a7 1066#endif
cb1d7830
JH		 1067 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1068 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
1069 }
a7fec7a7 1070
1365611d
PP		 1071if (cert_count < 0)
1072 {
1073 rc = cert_count;
cb1d7830 1074 exim_gnutls_err_check(US"setting certificate trust");
1365611d
PP		 1075 }
1076DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1077
5c8cda3a
PP		 1078if (state->tls_crl && *state->tls_crl &&
1079 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1080 {
5c8cda3a
PP		 1081 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
1082 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1083 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
1084 if (cert_count < 0)
1365611d 1085 {
5c8cda3a 1086 rc = cert_count;
1365611d
PP		 1087 exim_gnutls_err_check(US"gnutls_certificate_set_x509_crl_file");
1088 }
5c8cda3a 1089 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1090 }
059ec3d9 1091
059ec3d9
PH		 1092return OK;
1093}
1094
1095
1096
1097
1365611d
PP		 1098/*************************************************
1099* Set X.509 state variables *
1100*************************************************/
1101
1102/* In GnuTLS, the registered cert/key are not replaced by a later
1103set of a cert/key, so for SNI support we need a whole new x509_cred
1104structure. Which means various other non-re-expanded pieces of state
1105need to be re-set in the new struct, so the setting logic is pulled
1106out to this.
1107
1108Arguments:
1109 state exim_gnutls_state_st *
cf0c6164 1110 errstr error string pointer
1365611d
PP		 1111
1112Returns: OK/DEFER/FAIL
1113*/
1114
1115static int
cf0c6164 1116tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP		 1117{
1118int rc;
1119const host_item *host = state->host; /* macro should be reconsidered? */
1120
1121/* Create D-H parameters, or read them from the cache file. This function does
1122its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1123client-side params. */
1124
1125if (!state->host)
1126 {
1127 if (!dh_server_params)
1128 {
cf0c6164 1129 rc = init_server_dh(errstr);
1365611d
PP		 1130 if (rc != OK) return rc;
1131 }
1132 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1133 }
1134
1135/* Link the credentials to the session. */
1136
1137rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
1138exim_gnutls_err_check(US"gnutls_credentials_set");
1139
1140return OK;
1141}
1142
059ec3d9 1143/*************************************************
17c76198 1144* Initialize for GnuTLS *
059ec3d9
PH		 1145*************************************************/
1146
9196d5bf 1147
4fb7df6d
JH		 1148#ifndef DISABLE_OCSP
1149
9196d5bf
JH		 1150static BOOL
1151tls_is_buggy_ocsp(void)
1152{
1153const uschar * s;
1154uschar maj, mid, mic;
1155
1156s = CUS gnutls_check_version(NULL);
1157maj = atoi(CCS s);
1158if (maj == 3)
1159 {
1160 while (*s && *s != '.') s++;
1161 mid = atoi(CCS ++s);
1162 if (mid <= 2)
1163 return TRUE;
1164 else if (mid >= 5)
1165 return FALSE;
1166 else
1167 {
1168 while (*s && *s != '.') s++;
1169 mic = atoi(CCS ++s);
1170 return mic <= (mid == 3 ? 16 : 3);
1171 }
1172 }
1173return FALSE;
1174}
1175
4fb7df6d 1176#endif
9196d5bf
JH		 1177
1178
17c76198
PP		 1179/* Called from both server and client code. In the case of a server, errors
1180before actual TLS negotiation return DEFER.
059ec3d9
PH		 1181
1182Arguments:
17c76198
PP		 1183 host connected host, if client; NULL if server
1184 certificate certificate file
1185 privatekey private key file
1186 sni TLS SNI to send, sometimes when client; else NULL
1187 cas CA certs file
1188 crl CRL file
1189 require_ciphers tls_require_ciphers setting
817d9f57 1190 caller_state returned state-info structure
cf0c6164 1191 errstr error string pointer
059ec3d9 1192
17c76198 1193Returns: OK/DEFER/FAIL
059ec3d9
PH		 1194*/
1195
17c76198
PP		 1196static int
1197tls_init(
1198 const host_item *host,
1199 const uschar *certificate,
1200 const uschar *privatekey,
1201 const uschar *sni,
1202 const uschar *cas,
1203 const uschar *crl,
1204 const uschar *require_ciphers,
cf0c6164
JH		 1205 exim_gnutls_state_st **caller_state,
1206 uschar ** errstr)
059ec3d9 1207{
17c76198
PP		 1208exim_gnutls_state_st *state;
1209int rc;
1210size_t sz;
1211const char *errpos;
1212uschar *p;
1213BOOL want_default_priorities;
1214
1215if (!exim_gnutls_base_init_done)
059ec3d9 1216 {
17c76198
PP		 1217 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1218
a5f239e4
PP		 1219#ifdef HAVE_GNUTLS_PKCS11
1220 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1221 which loads modules from a config file, which sounds good and may be wanted
1222 by some sysadmin, but also means in common configurations that GNOME keyring
1223 environment variables are used and so breaks for users calling mailq.
1224 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1225 if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 1226 {
1227 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
1228 exim_gnutls_err_check(US"gnutls_pkcs11_init");
1229 }
1230#endif
1231
17c76198
PP		 1232 rc = gnutls_global_init();
1233 exim_gnutls_err_check(US"gnutls_global_init");
1234
1235#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1236 DEBUG(D_tls)
059ec3d9 1237 {
17c76198
PP		 1238 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1239 /* arbitrarily chosen level; bump upto 9 for more */
1240 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1241 }
17c76198
PP		 1242#endif
1243
4fb7df6d
JH		 1244#ifndef DISABLE_OCSP
1245 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1246 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1247#endif
9196d5bf 1248
17c76198 1249 exim_gnutls_base_init_done = TRUE;
059ec3d9 1250 }
059ec3d9 1251
17c76198
PP		 1252if (host)
1253 {
1254 state = &state_client;
1255 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
817d9f57 1256 state->tlsp = &tls_out;
17c76198
PP		 1257 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1258 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1259 }
1260else
1261 {
1262 state = &state_server;
1263 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
817d9f57 1264 state->tlsp = &tls_in;
17c76198
PP		 1265 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1266 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1267 }
1268exim_gnutls_err_check(US"gnutls_init");
059ec3d9 1269
17c76198 1270state->host = host;
059ec3d9 1271
17c76198
PP		 1272state->tls_certificate = certificate;
1273state->tls_privatekey = privatekey;
5779e6aa 1274state->tls_require_ciphers = require_ciphers;
17c76198
PP		 1275state->tls_sni = sni;
1276state->tls_verify_certificates = cas;
1277state->tls_crl = crl;
059ec3d9 1278
17c76198
PP		 1279/* This handles the variables that might get re-expanded after TLS SNI;
1280that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1281
17c76198
PP		 1282DEBUG(D_tls)
1283 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1284if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1285
1365611d
PP		 1286/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1287requires a new structure afterwards. */
83da1223 1288
cf0c6164 1289if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1290
17c76198
PP		 1291/* set SNI in client, only */
1292if (host)
1293 {
cf0c6164 1294 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1295 return DEFER;
0df4ab80 1296 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP		 1297 {
1298 DEBUG(D_tls)
0df4ab80
JH		 1299 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1300 sz = Ustrlen(state->tlsp->sni);
17c76198 1301 rc = gnutls_server_name_set(state->session,
0df4ab80 1302 GNUTLS_NAME_DNS, state->tlsp->sni, sz);
17c76198
PP		 1303 exim_gnutls_err_check(US"gnutls_server_name_set");
1304 }
1305 }
1306else if (state->tls_sni)
1307 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
ba86e143 1308 "have an SNI set for a server [%s]\n", state->tls_sni);
83da1223 1309
17c76198 1310/* This is the priority string support,
42bfef1e 1311http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP		 1312and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1313This was backwards incompatible, but means Exim no longer needs to track
1314all algorithms and provide string forms for them. */
83da1223 1315
17c76198 1316want_default_priorities = TRUE;
83da1223 1317
17c76198 1318if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1319 {
cf0c6164 1320 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP		 1321 return DEFER;
1322 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1323 {
17c76198
PP		 1324 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1325 state->exp_tls_require_ciphers);
1326
1327 rc = gnutls_priority_init(&state->priority_cache,
1328 CS state->exp_tls_require_ciphers, &errpos);
1329 want_default_priorities = FALSE;
1330 p = state->exp_tls_require_ciphers;
83da1223
PH		 1331 }
1332 }
17c76198
PP		 1333if (want_default_priorities)
1334 {
83e2f8a2
PP		 1335 DEBUG(D_tls)
1336 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1337 exim_default_gnutls_priority);
17c76198
PP		 1338 rc = gnutls_priority_init(&state->priority_cache,
1339 exim_default_gnutls_priority, &errpos);
1340 p = US exim_default_gnutls_priority;
1341 }
83da1223 1342
17c76198
PP		 1343exim_gnutls_err_check(string_sprintf(
1344 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1345 p, errpos - CS p, errpos));
1346
1347rc = gnutls_priority_set(state->session, state->priority_cache);
1348exim_gnutls_err_check(US"gnutls_priority_set");
1349
1350gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1351
1352/* Reduce security in favour of increased compatibility, if the admin
1353decides to make that trade-off. */
1354if (gnutls_compat_mode)
83da1223 1355 {
17c76198
PP		 1356#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1357 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1358 gnutls_session_enable_compatibility_mode(state->session);
1359#else
1360 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1361#endif
83da1223
PH		 1362 }
1363
17c76198 1364*caller_state = state;
17c76198 1365return OK;
83da1223
PH		 1366}
1367
1368
1369
059ec3d9 1370/*************************************************
17c76198 1371* Extract peer information *
059ec3d9
PH		 1372*************************************************/
1373
17c76198 1374/* Called from both server and client code.
4fe99a6c
PP		 1375Only this is allowed to set state->peerdn and state->have_set_peerdn
1376and we use that to detect double-calls.
059ec3d9 1377
75fe387d
PP		 1378NOTE: the state blocks last while the TLS connection is up, which is fine
1379for logging in the server side, but for the client side, we log after teardown
1380in src/deliver.c. While the session is up, we can twist about states and
1381repoint tls_* globals, but those variables used for logging or other variable
1382expansion that happens _after_ delivery need to have a longer life-time.
1383
1384So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1385doing this more than once per generation of a state context. We set them in
1386the state context, and repoint tls_* to them. After the state goes away, the
1387tls_* copies of the pointers remain valid and client delivery logging is happy.
1388
1389tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1390don't apply.
1391
059ec3d9 1392Arguments:
17c76198 1393 state exim_gnutls_state_st *
cf0c6164 1394 errstr pointer to error string
059ec3d9 1395
17c76198 1396Returns: OK/DEFER/FAIL
059ec3d9
PH		 1397*/
1398
17c76198 1399static int
cf0c6164 1400peer_status(exim_gnutls_state_st *state, uschar ** errstr)
059ec3d9 1401{
75fe387d 1402uschar cipherbuf[256];
27f19eb4 1403const gnutls_datum_t *cert_list;
75fe387d 1404int old_pool, rc;
17c76198 1405unsigned int cert_list_size = 0;
4fe99a6c
PP		 1406gnutls_protocol_t protocol;
1407gnutls_cipher_algorithm_t cipher;
1408gnutls_kx_algorithm_t kx;
1409gnutls_mac_algorithm_t mac;
17c76198
PP		 1410gnutls_certificate_type_t ct;
1411gnutls_x509_crt_t crt;
4fe99a6c 1412uschar *p, *dn_buf;
17c76198 1413size_t sz;
059ec3d9 1414
4fe99a6c 1415if (state->have_set_peerdn)
17c76198 1416 return OK;
4fe99a6c 1417state->have_set_peerdn = TRUE;
059ec3d9 1418
4fe99a6c 1419state->peerdn = NULL;
059ec3d9 1420
4fe99a6c
PP		 1421/* tls_cipher */
1422cipher = gnutls_cipher_get(state->session);
1423protocol = gnutls_protocol_get_version(state->session);
1424mac = gnutls_mac_get(state->session);
1425kx = gnutls_kx_get(state->session);
1426
75fe387d 1427string_format(cipherbuf, sizeof(cipherbuf),
4fe99a6c
PP		 1428 "%s:%s:%d",
1429 gnutls_protocol_get_name(protocol),
1430 gnutls_cipher_suite_get_name(kx, cipher, mac),
1431 (int) gnutls_cipher_get_key_size(cipher) * 8);
1432
1433/* I don't see a way that spaces could occur, in the current GnuTLS
1434code base, but it was a concern in the old code and perhaps older GnuTLS
1435releases did return "TLS 1.0"; play it safe, just in case. */
75fe387d 1436for (p = cipherbuf; *p != '\0'; ++p)
4fe99a6c
PP		 1437 if (isspace(*p))
1438 *p = '-';
75fe387d
PP		 1439old_pool = store_pool;
1440store_pool = POOL_PERM;
1441state->ciphersuite = string_copy(cipherbuf);
1442store_pool = old_pool;
817d9f57 1443state->tlsp->cipher = state->ciphersuite;
4fe99a6c
PP		 1444
1445/* tls_peerdn */
17c76198 1446cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
83da1223 1447
17c76198
PP		 1448if (cert_list == NULL || cert_list_size == 0)
1449 {
17c76198
PP		 1450 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1451 cert_list, cert_list_size);
e51c7be2 1452 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1453 return tls_error(US"certificate verification failed",
cf0c6164 1454 "no certificate received from peer", state->host, errstr);
17c76198
PP		 1455 return OK;
1456 }
059ec3d9 1457
17c76198
PP		 1458ct = gnutls_certificate_type_get(state->session);
1459if (ct != GNUTLS_CRT_X509)
059ec3d9 1460 {
17c76198 1461 const char *ctn = gnutls_certificate_type_get_name(ct);
17c76198
PP		 1462 DEBUG(D_tls)
1463 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1464 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1465 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1466 ctn, state->host, errstr);
17c76198 1467 return OK;
83da1223 1468 }
059ec3d9 1469
e51c7be2
JH		 1470#define exim_gnutls_peer_err(Label) \
1471 do { \
1472 if (rc != GNUTLS_E_SUCCESS) \
1473 { \
1474 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1475 (Label), gnutls_strerror(rc)); \
1476 if (state->verify_requirement >= VERIFY_REQUIRED) \
cf0c6164 1477 return tls_error((Label), gnutls_strerror(rc), state->host, errstr); \
e51c7be2
JH		 1478 return OK; \
1479 } \
1480 } while (0)
17c76198 1481
9d1c15ef
JH		 1482rc = import_cert(&cert_list[0], &crt);
1483exim_gnutls_peer_err(US"cert 0");
1484
1485state->tlsp->peercert = state->peercert = crt;
17c76198 1486
17c76198
PP		 1487sz = 0;
1488rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1489if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1490 {
17c76198
PP		 1491 exim_gnutls_peer_err(US"getting size for cert DN failed");
1492 return FAIL; /* should not happen */
059ec3d9 1493 }
17c76198
PP		 1494dn_buf = store_get_perm(sz);
1495rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1496exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1497
17c76198
PP		 1498state->peerdn = dn_buf;
1499
1500return OK;
1501#undef exim_gnutls_peer_err
1502}
059ec3d9 1503
059ec3d9 1504
059ec3d9 1505
059ec3d9 1506
17c76198
PP		 1507/*************************************************
1508* Verify peer certificate *
1509*************************************************/
059ec3d9 1510
17c76198
PP		 1511/* Called from both server and client code.
1512*Should* be using a callback registered with
1513gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1514the peer information, but that's too new for some OSes.
059ec3d9 1515
17c76198
PP		 1516Arguments:
1517 state exim_gnutls_state_st *
cf0c6164 1518 errstr where to put an error message
059ec3d9 1519
17c76198
PP		 1520Returns:
1521 FALSE if the session should be rejected
1522 TRUE if the cert is okay or we just don't care
1523*/
059ec3d9 1524
17c76198 1525static BOOL
cf0c6164 1526verify_certificate(exim_gnutls_state_st *state, uschar ** errstr)
17c76198
PP		 1527{
1528int rc;
1529unsigned int verify;
1530
cf0c6164 1531*errstr = NULL;
17c76198 1532
cf0c6164 1533if ((rc = peer_status(state, errstr)) != OK)
e6060e2c 1534 {
17c76198 1535 verify = GNUTLS_CERT_INVALID;
cf0c6164 1536 *errstr = US"certificate not supplied";
17c76198
PP		 1537 }
1538else
17c76198 1539 rc = gnutls_certificate_verify_peers2(state->session, &verify);
e6060e2c 1540
17c76198
PP		 1541/* Handle the result of verification. INVALID seems to be set as well
1542as REVOKED, but leave the test for both. */
059ec3d9 1543
e51c7be2
JH		 1544if (rc < 0 ||
1545 verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
1546 )
17c76198
PP		 1547 {
1548 state->peer_cert_verified = FALSE;
cf0c6164
JH		 1549 if (!*errstr)
1550 *errstr = verify & GNUTLS_CERT_REVOKED
1551 ? US"certificate revoked" : US"certificate invalid";
059ec3d9 1552
17c76198 1553 DEBUG(D_tls)
e51c7be2 1554 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 1555 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 1556
e51c7be2 1557 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1558 {
e51c7be2
JH		 1559 gnutls_alert_send(state->session,
1560 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
17c76198
PP		 1561 return FALSE;
1562 }
1563 DEBUG(D_tls)
4789da3a 1564 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 1565 }
e51c7be2 1566
17c76198
PP		 1567else
1568 {
aa2a70ba 1569 if (state->exp_tls_verify_cert_hostnames)
e51c7be2
JH		 1570 {
1571 int sep = 0;
55414b25 1572 const uschar * list = state->exp_tls_verify_cert_hostnames;
e51c7be2 1573 uschar * name;
76075bb5 1574 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
e51c7be2
JH		 1575 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
1576 break;
1577 if (!name)
1578 {
1579 DEBUG(D_tls)
1580 debug_printf("TLS certificate verification failed: cert name mismatch\n");
aa2a70ba
JH		 1581 if (state->verify_requirement >= VERIFY_REQUIRED)
1582 {
1583 gnutls_alert_send(state->session,
1584 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1585 return FALSE;
1586 }
1587 return TRUE;
e51c7be2
JH		 1588 }
1589 }
17c76198 1590 state->peer_cert_verified = TRUE;
e51c7be2 1591 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 1592 state->peerdn ? state->peerdn : US"<unset>");
17c76198 1593 }
059ec3d9 1594
817d9f57 1595state->tlsp->peerdn = state->peerdn;
059ec3d9 1596
17c76198
PP		 1597return TRUE;
1598}
059ec3d9 1599
17c76198
PP		 1600
1601
1602
1603/* ------------------------------------------------------------------------ */
1604/* Callbacks */
1605
1606/* Logging function which can be registered with
1607 * gnutls_global_set_log_function()
1608 * gnutls_global_set_log_level() 0..9
1609 */
af3498d6 1610#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 1611static void
17c76198 1612exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 1613{
8c79eebf
PP		 1614 size_t len = strlen(message);
1615 if (len < 1)
1616 {
1617 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1618 return;
1619 }
1620 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1621 message[len-1] == '\n' ? "" : "\n");
17c76198 1622}
af3498d6 1623#endif
059ec3d9 1624
059ec3d9 1625
17c76198
PP		 1626/* Called after client hello, should handle SNI work.
1627This will always set tls_sni (state->received_sni) if available,
1628and may trigger presenting different certificates,
1629if state->trigger_sni_changes is TRUE.
059ec3d9 1630
17c76198
PP		 1631Should be registered with
1632 gnutls_handshake_set_post_client_hello_function()
059ec3d9 1633
17c76198
PP		 1634"This callback must return 0 on success or a gnutls error code to terminate the
1635handshake.".
059ec3d9 1636
17c76198
PP		 1637For inability to get SNI information, we return 0.
1638We only return non-zero if re-setup failed.
817d9f57 1639Only used for server-side TLS.
17c76198 1640*/
44bbabb5 1641
17c76198
PP		 1642static int
1643exim_sni_handling_cb(gnutls_session_t session)
1644{
1645char sni_name[MAX_HOST_LEN];
1646size_t data_len = MAX_HOST_LEN;
817d9f57 1647exim_gnutls_state_st *state = &state_server;
17c76198
PP		 1648unsigned int sni_type;
1649int rc, old_pool;
cf0c6164 1650uschar * dummy_errstr;
17c76198
PP		 1651
1652rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP		 1653if (rc != GNUTLS_E_SUCCESS)
1654 {
1655 DEBUG(D_tls) {
1656 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1657 debug_printf("TLS: no SNI presented in handshake.\n");
1658 else
1659 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1660 gnutls_strerror(rc), rc);
cf0c6164 1661 }
b34fc30c
PP		 1662 return 0;
1663 }
1664
17c76198
PP		 1665if (sni_type != GNUTLS_NAME_DNS)
1666 {
1667 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1668 return 0;
1669 }
44bbabb5 1670
17c76198
PP		 1671/* We now have a UTF-8 string in sni_name */
1672old_pool = store_pool;
1673store_pool = POOL_PERM;
1674state->received_sni = string_copyn(US sni_name, data_len);
1675store_pool = old_pool;
1676
1677/* We set this one now so that variable expansions below will work */
817d9f57 1678state->tlsp->sni = state->received_sni;
17c76198
PP		 1679
1680DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1681 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1682
1683if (!state->trigger_sni_changes)
1684 return 0;
1685
cf0c6164 1686if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP		 1687 {
1688 /* If the setup of certs/etc failed before handshake, TLS would not have
1689 been offered. The best we can do now is abort. */
1690 return GNUTLS_E_APPLICATION_ERROR_MIN;
1691 }
1692
cf0c6164 1693rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP		 1694if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1695
1696return 0;
059ec3d9
PH		 1697}
1698
1699
1700
f2de3a33 1701#ifndef DISABLE_OCSP
44662487
JH		 1702
1703static int
1704server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1705 gnutls_datum_t * ocsp_response)
1706{
1707int ret;
1708
44662487
JH		 1709if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1710 {
1711 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
5903c6ff 1712 CS ptr);
018058b2 1713 tls_in.ocsp = OCSP_NOT_RESP;
44662487
JH		 1714 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1715 }
1716
018058b2 1717tls_in.ocsp = OCSP_VFY_NOT_TRIED;
44662487
JH		 1718return 0;
1719}
1720
1721#endif
1722
1723
0cbf2b82 1724#ifndef DISABLE_EVENT
a7538db1
JH		 1725/*
1726We use this callback to get observability and detail-level control
723fe533
JH		 1727for an exim TLS connection (either direction), raising a tls:cert event
1728for each cert in the chain presented by the peer. Any event
a7538db1
JH		 1729can deny verification.
1730
1731Return 0 for the handshake to continue or non-zero to terminate.
1732*/
1733
1734static int
723fe533 1735verify_cb(gnutls_session_t session)
a7538db1 1736{
27f19eb4 1737const gnutls_datum_t * cert_list;
a7538db1
JH		 1738unsigned int cert_list_size = 0;
1739gnutls_x509_crt_t crt;
1740int rc;
b30275b8 1741uschar * yield;
a7538db1
JH		 1742exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
1743
1744cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1745if (cert_list)
1746 while (cert_list_size--)
1747 {
1748 rc = import_cert(&cert_list[cert_list_size], &crt);
1749 if (rc != GNUTLS_E_SUCCESS)
1750 {
1751 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
1752 cert_list_size, gnutls_strerror(rc));
1753 break;
1754 }
1755
1756 state->tlsp->peercert = crt;
b30275b8
JH		 1757 if ((yield = event_raise(state->event_action,
1758 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH		 1759 {
1760 log_write(0, LOG_MAIN,
b30275b8
JH		 1761 "SSL verify denied by event-action: depth=%d: %s",
1762 cert_list_size, yield);
a7538db1
JH		 1763 return 1; /* reject */
1764 }
1765 state->tlsp->peercert = NULL;
1766 }
1767
1768return 0;
1769}
1770
1771#endif
44662487
JH		 1772
1773
17c76198
PP		 1774
1775/* ------------------------------------------------------------------------ */
1776/* Exported functions */
1777
1778
1779
1780
059ec3d9
PH		 1781/*************************************************
1782* Start a TLS session in a server *
1783*************************************************/
1784
1785/* This is called when Exim is running as a server, after having received
1786the STARTTLS command. It must respond to that command, and then negotiate
1787a TLS session.
1788
1789Arguments:
83da1223 1790 require_ciphers list of allowed ciphers or NULL
cf0c6164 1791 errstr pointer to error string
059ec3d9
PH		 1792
1793Returns: OK on success
1794 DEFER for errors before the start of the negotiation
4c04137d 1795 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 1796 continue running.
1797*/
1798
1799int
cf0c6164 1800tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 1801{
1802int rc;
cf0c6164 1803exim_gnutls_state_st * state = NULL;
059ec3d9
PH		 1804
1805/* Check for previous activation */
817d9f57 1806if (tls_in.active >= 0)
059ec3d9 1807 {
cf0c6164 1808 tls_error(US"STARTTLS received after TLS started", "", NULL, errstr);
925ac8e4 1809 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 1810 return FAIL;
1811 }
1812
1813/* Initialize the library. If it fails, it will already have logged the error
1814and sent an SMTP response. */
1815
17c76198 1816DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 1817
cf0c6164 1818if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
17c76198 1819 NULL, tls_verify_certificates, tls_crl,
cf0c6164 1820 require_ciphers, &state, errstr)) != OK) return rc;
059ec3d9 1821
059ec3d9
PH		 1822/* If this is a host for which certificate verification is mandatory or
1823optional, set up appropriately. */
1824
059ec3d9 1825if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 1826 {
e51c7be2
JH		 1827 DEBUG(D_tls)
1828 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP		 1829 state->verify_requirement = VERIFY_REQUIRED;
1830 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1831 }
059ec3d9 1832else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 1833 {
e51c7be2
JH		 1834 DEBUG(D_tls)
1835 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP		 1836 state->verify_requirement = VERIFY_OPTIONAL;
1837 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1838 }
1839else
1840 {
e51c7be2
JH		 1841 DEBUG(D_tls)
1842 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP		 1843 state->verify_requirement = VERIFY_NONE;
1844 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1845 }
059ec3d9 1846
0cbf2b82 1847#ifndef DISABLE_EVENT
723fe533
JH		 1848if (event_action)
1849 {
1850 state->event_action = event_action;
1851 gnutls_session_set_ptr(state->session, state);
1852 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
1853 }
1854#endif
1855
17c76198
PP		 1856/* Register SNI handling; always, even if not in tls_certificate, so that the
1857expansion variable $tls_sni is always available. */
059ec3d9 1858
17c76198
PP		 1859gnutls_handshake_set_post_client_hello_function(state->session,
1860 exim_sni_handling_cb);
059ec3d9
PH		 1861
1862/* Set context and tell client to go ahead, except in the case of TLS startup
1863on connection, where outputting anything now upsets the clients and tends to
1864make them disconnect. We need to have an explicit fflush() here, to force out
1865the response. Other smtp_printf() calls do not need it, because in non-TLS
1866mode, the fflush() happens when smtp_getc() is called. */
1867
817d9f57 1868if (!state->tlsp->on_connect)
059ec3d9 1869 {
925ac8e4 1870 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 1871 fflush(smtp_out);
059ec3d9
PH		 1872 }
1873
1874/* Now negotiate the TLS session. We put our own timer on it, since it seems
1875that the GnuTLS library doesn't. */
1876
17c76198 1877gnutls_transport_set_ptr2(state->session,
27f19eb4
JH		 1878 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
1879 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP		 1880state->fd_in = fileno(smtp_in);
1881state->fd_out = fileno(smtp_out);
059ec3d9
PH		 1882
1883sigalrm_seen = FALSE;
1884if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
17c76198 1885do
17c76198 1886 rc = gnutls_handshake(state->session);
157a7880 1887while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
059ec3d9
PH		 1888alarm(0);
1889
17c76198 1890if (rc != GNUTLS_E_SUCCESS)
059ec3d9 1891 {
059ec3d9
PH		 1892 /* It seems that, except in the case of a timeout, we have to close the
1893 connection right here; otherwise if the other end is running OpenSSL it hangs
1894 until the server times out. */
1895
60d10ce7 1896 if (sigalrm_seen)
ad7fc6eb 1897 {
cf0c6164 1898 tls_error(US"gnutls_handshake", "timed out", NULL, errstr);
ad7fc6eb
JH		 1899 gnutls_db_remove_session(state->session);
1900 }
60d10ce7 1901 else
059ec3d9 1902 {
cf0c6164 1903 tls_error(US"gnutls_handshake", gnutls_strerror(rc), NULL, errstr);
f5d25c2b 1904 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 1905 gnutls_deinit(state->session);
ed62aae3 1906 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 1907 millisleep(500);
ad7fc6eb 1908 shutdown(state->fd_out, SHUT_WR);
60d10ce7 1909 for (rc = 1024; fgetc(smtp_in) != EOF && rc > 0; ) rc--; /* drain skt */
f1e894f3
PH		 1910 (void)fclose(smtp_out);
1911 (void)fclose(smtp_in);
60d10ce7 1912 smtp_out = smtp_in = NULL;
059ec3d9
PH		 1913 }
1914
1915 return FAIL;
1916 }
1917
1918DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1919
17c76198
PP		 1920/* Verify after the fact */
1921
9d1c15ef 1922if ( state->verify_requirement != VERIFY_NONE
cf0c6164 1923 && !verify_certificate(state, errstr))
059ec3d9 1924 {
9d1c15ef 1925 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 1926 {
cf0c6164 1927 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 1928 return FAIL;
17c76198 1929 }
9d1c15ef
JH		 1930 DEBUG(D_tls)
1931 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 1932 *errstr);
059ec3d9
PH		 1933 }
1934
17c76198
PP		 1935/* Figure out peer DN, and if authenticated, etc. */
1936
cf0c6164 1937if ((rc = peer_status(state, NULL)) != OK) return rc;
17c76198
PP		 1938
1939/* Sets various Exim expansion variables; always safe within server */
1940
9d1c15ef 1941extract_exim_vars_from_tls_state(state);
059ec3d9
PH		 1942
1943/* TLS has been set up. Adjust the input functions to read via TLS,
1944and initialize appropriately. */
1945
17c76198 1946state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH		 1947
1948receive_getc = tls_getc;
0d81dabc 1949receive_getbuf = tls_getbuf;
584e96c6 1950receive_get_cache = tls_get_cache;
059ec3d9
PH		 1951receive_ungetc = tls_ungetc;
1952receive_feof = tls_feof;
1953receive_ferror = tls_ferror;
58eb016e 1954receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 1955
059ec3d9
PH		 1956return OK;
1957}
1958
1959
1960
1961
aa2a70ba
JH		 1962static void
1963tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
1964 smtp_transport_options_block * ob)
1965{
5130845b 1966if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 1967 {
4af0d74a 1968 state->exp_tls_verify_cert_hostnames =
8c5d388a 1969#ifdef SUPPORT_I18N
4af0d74a
JH		 1970 string_domain_utf8_to_alabel(host->name, NULL);
1971#else
1972 host->name;
1973#endif
aa2a70ba
JH		 1974 DEBUG(D_tls)
1975 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
1976 state->exp_tls_verify_cert_hostnames);
1977 }
1978}
aa2a70ba
JH		 1979
1980
059ec3d9
PH		 1981/*************************************************
1982* Start a TLS session in a client *
1983*************************************************/
1984
1985/* Called from the smtp transport after STARTTLS has been accepted.
1986
1987Arguments:
1988 fd the fd of the connection
1989 host connected host (for messages)
83da1223 1990 addr the first address (not used)
a7538db1 1991 tb transport (always smtp)
059ec3d9 1992
cf0c6164
JH		 1993 errstr error string pointer
1994
059ec3d9
PH		 1995Returns: OK/DEFER/FAIL (because using common functions),
1996 but for a client, DEFER and FAIL have the same meaning
1997*/
1998
1999int
17c76198 2000tls_client_start(int fd, host_item *host,
f5d78688 2001 address_item *addr ARG_UNUSED,
cf0c6164 2002 transport_instance * tb,
0e66b3b6 2003#ifdef EXPERIMENTAL_DANE
cf0c6164 2004 dns_answer * tlsa_dnsa ARG_UNUSED,
0e66b3b6 2005#endif
cf0c6164 2006 uschar ** errstr)
059ec3d9 2007{
a7538db1
JH		 2008smtp_transport_options_block *ob =
2009 (smtp_transport_options_block *)tb->options_block;
059ec3d9 2010int rc;
17c76198 2011exim_gnutls_state_st *state = NULL;
f2de3a33 2012#ifndef DISABLE_OCSP
5130845b
JH		 2013BOOL require_ocsp =
2014 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
44662487 2015BOOL request_ocsp = require_ocsp ? TRUE
5130845b 2016 : verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2b4a568d 2017#endif
059ec3d9 2018
17c76198 2019DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
059ec3d9 2020
65867078
JH		 2021if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
2022 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
cf0c6164 2023 ob->tls_require_ciphers, &state, errstr)) != OK)
2b4a568d 2024 return rc;
059ec3d9 2025
54c90be1 2026 {
65867078
JH		 2027 int dh_min_bits = ob->tls_dh_min_bits;
2028 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2029 {
2030 DEBUG(D_tls)
2031 debug_printf("WARNING: tls_dh_min_bits far too low,"
2032 " clamping %d up to %d\n",
2033 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2034 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2035 }
54c90be1 2036
65867078
JH		 2037 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2038 " acceptable bits to %d\n",
2039 dh_min_bits);
2040 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2041 }
83da1223 2042
94431adb 2043/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH		 2044set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2045the specified host patterns if one of them is defined */
2046
aa2a70ba
JH		 2047if ( ( state->exp_tls_verify_certificates
2048 && !ob->tls_verify_hosts
610ff438 2049 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
aa2a70ba 2050 )
5130845b 2051 || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
2b4a568d 2052 )
17c76198 2053 {
aa2a70ba 2054 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH		 2055 DEBUG(D_tls)
2056 debug_printf("TLS: server certificate verification required.\n");
2057 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB		 2058 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2059 }
5130845b 2060else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
52f93eed 2061 {
aa2a70ba 2062 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH		 2063 DEBUG(D_tls)
2064 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2065 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP		 2066 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2067 }
2068else
2069 {
e51c7be2
JH		 2070 DEBUG(D_tls)
2071 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB		 2072 state->verify_requirement = VERIFY_NONE;
2073 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2074 }
059ec3d9 2075
f2de3a33
JH		 2076#ifndef DISABLE_OCSP
2077 /* supported since GnuTLS 3.1.3 */
44662487 2078if (request_ocsp)
9d1c15ef
JH		 2079 {
2080 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH		 2081 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2082 NULL, 0, NULL)) != OK)
9d1c15ef 2083 return tls_error(US"cert-status-req",
cf0c6164 2084 gnutls_strerror(rc), state->host, errstr);
44662487 2085 tls_out.ocsp = OCSP_NOT_RESP;
9d1c15ef 2086 }
2b4a568d
JH		 2087#endif
2088
0cbf2b82 2089#ifndef DISABLE_EVENT
774ef2d7 2090if (tb->event_action)
a7538db1 2091 {
774ef2d7 2092 state->event_action = tb->event_action;
a7538db1 2093 gnutls_session_set_ptr(state->session, state);
723fe533 2094 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH		 2095 }
2096#endif
2097
27f19eb4 2098gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) fd);
17c76198
PP		 2099state->fd_in = fd;
2100state->fd_out = fd;
059ec3d9 2101
9d1c15ef 2102DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH		 2103/* There doesn't seem to be a built-in timeout on connection. */
2104
2105sigalrm_seen = FALSE;
65867078 2106alarm(ob->command_timeout);
17c76198
PP		 2107do
2108 {
2109 rc = gnutls_handshake(state->session);
619b2b25
PP		 2110 } while ((rc == GNUTLS_E_AGAIN) ||
2111 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
059ec3d9
PH		 2112alarm(0);
2113
4fe99a6c 2114if (rc != GNUTLS_E_SUCCESS)
60d10ce7
JH		 2115 if (sigalrm_seen)
2116 {
2117 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
cf0c6164 2118 return tls_error(US"gnutls_handshake", "timed out", state->host, errstr);
60d10ce7
JH		 2119 }
2120 else
cf0c6164 2121 return tls_error(US"gnutls_handshake", gnutls_strerror(rc), state->host, errstr);
4fe99a6c 2122
17c76198 2123DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
059ec3d9 2124
17c76198 2125/* Verify late */
059ec3d9 2126
17c76198 2127if (state->verify_requirement != VERIFY_NONE &&
cf0c6164
JH		 2128 !verify_certificate(state, errstr))
2129 return tls_error(US"certificate verification failed", *errstr, state->host, errstr);
059ec3d9 2130
f2de3a33 2131#ifndef DISABLE_OCSP
2b4a568d
JH		 2132if (require_ocsp)
2133 {
2134 DEBUG(D_tls)
2135 {
2136 gnutls_datum_t stapling;
2137 gnutls_ocsp_resp_t resp;
2138 gnutls_datum_t printed;
2139 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
2140 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
2141 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2142 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
2143 )
2144 {
65867078 2145 debug_printf("%.4096s", printed.data);
2b4a568d
JH		 2146 gnutls_free(printed.data);
2147 }
2148 else
cf0c6164 2149 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host, errstr);
2b4a568d
JH		 2150 }
2151
2b4a568d 2152 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2
JH		 2153 {
2154 tls_out.ocsp = OCSP_FAILED;
cf0c6164 2155 return tls_error(US"certificate status check failed", NULL, state->host, errstr);
018058b2 2156 }
2b4a568d 2157 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
44662487 2158 tls_out.ocsp = OCSP_VFIED;
2b4a568d
JH		 2159 }
2160#endif
2161
17c76198 2162/* Figure out peer DN, and if authenticated, etc. */
059ec3d9 2163
cf0c6164 2164if ((rc = peer_status(state, errstr)) != OK)
2b4a568d 2165 return rc;
059ec3d9 2166
4fe99a6c 2167/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 2168
9d1c15ef 2169extract_exim_vars_from_tls_state(state);
059ec3d9 2170
059ec3d9
PH		 2171return OK;
2172}
2173
2174
2175
17c76198 2176
059ec3d9 2177/*************************************************
17c76198 2178* Close down a TLS session *
059ec3d9
PH		 2179*************************************************/
2180
17c76198
PP		 2181/* This is also called from within a delivery subprocess forked from the
2182daemon, to shut down the TLS library, without actually doing a shutdown (which
2183would tamper with the TLS session in the parent process).
059ec3d9 2184
17c76198
PP		 2185Arguments: TRUE if gnutls_bye is to be called
2186Returns: nothing
059ec3d9
PH		 2187*/
2188
17c76198 2189void
817d9f57 2190tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 2191{
817d9f57 2192exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
059ec3d9 2193
389ca47a 2194if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
17c76198
PP		 2195
2196if (shutdown)
2197 {
f5723109 2198 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
17c76198
PP		 2199 gnutls_bye(state->session, GNUTLS_SHUT_WR);
2200 }
2201
2202gnutls_deinit(state->session);
ed62aae3
HSHR		 2203gnutls_certificate_free_credentials(state->x509_cred);
2204
17c76198 2205
389ca47a 2206state->tlsp->active = -1;
17c76198
PP		 2207memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
2208
2209if ((state_server.session == NULL) && (state_client.session == NULL))
2210 {
2211 gnutls_global_deinit();
2212 exim_gnutls_base_init_done = FALSE;
2213 }
059ec3d9
PH		 2214}
2215
2216
2217
17c76198 2218
0d81dabc
JH		 2219static BOOL
2220tls_refill(unsigned lim)
2221{
2222exim_gnutls_state_st * state = &state_server;
2223ssize_t inbytes;
2224
2225DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2226 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
2227
2228if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2229inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
2230 MIN(ssl_xfer_buffer_size, lim));
2231alarm(0);
2232
2233/* Timeouts do not get this far; see command_timeout_handler().
2234 A zero-byte return appears to mean that the TLS session has been
2235 closed down, not that the socket itself has been closed down. Revert to
2236 non-TLS handling. */
2237
2238if (sigalrm_seen)
2239 {
2240 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
2241 state->xfer_error = 1;
2242 return FALSE;
2243 }
2244
2245else if (inbytes == 0)
2246 {
2247 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2248
2249 receive_getc = smtp_getc;
2250 receive_getbuf = smtp_getbuf;
2251 receive_get_cache = smtp_get_cache;
2252 receive_ungetc = smtp_ungetc;
2253 receive_feof = smtp_feof;
2254 receive_ferror = smtp_ferror;
2255 receive_smtp_buffered = smtp_buffered;
2256
2257 gnutls_deinit(state->session);
2258 gnutls_certificate_free_credentials(state->x509_cred);
2259
2260 state->session = NULL;
2261 state->tlsp->active = -1;
2262 state->tlsp->bits = 0;
2263 state->tlsp->certificate_verified = FALSE;
2264 tls_channelbinding_b64 = NULL;
2265 state->tlsp->cipher = NULL;
2266 state->tlsp->peercert = NULL;
2267 state->tlsp->peerdn = NULL;
2268
2269 return FALSE;
2270 }
2271
2272/* Handle genuine errors */
2273
2274else if (inbytes < 0)
2275 {
2276 record_io_error(state, (int) inbytes, US"recv", NULL);
2277 state->xfer_error = 1;
2278 return FALSE;
2279 }
2280#ifndef DISABLE_DKIM
2281dkim_exim_verify_feed(state->xfer_buffer, inbytes);
2282#endif
2283state->xfer_buffer_hwm = (int) inbytes;
2284state->xfer_buffer_lwm = 0;
2285return TRUE;
2286}
2287
059ec3d9
PH		 2288/*************************************************
2289* TLS version of getc *
2290*************************************************/
2291
2292/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2293it refills the buffer via the GnuTLS reading function.
817d9f57 2294Only used by the server-side TLS.
059ec3d9 2295
17c76198
PP		 2296This feeds DKIM and should be used for all message-body reads.
2297
bd8fbe36 2298Arguments: lim Maximum amount to read/bufffer
059ec3d9
PH		 2299Returns: the next character or EOF
2300*/
2301
2302int
bd8fbe36 2303tls_getc(unsigned lim)
059ec3d9 2304{
0d81dabc 2305exim_gnutls_state_st * state = &state_server;
059ec3d9 2306
0d81dabc
JH		 2307if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2308 if (!tls_refill(lim))
2309 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 2310
0d81dabc 2311/* Something in the buffer; return next uschar */
059ec3d9 2312
0d81dabc
JH		 2313return state->xfer_buffer[state->xfer_buffer_lwm++];
2314}
059ec3d9 2315
0d81dabc
JH		 2316uschar *
2317tls_getbuf(unsigned * len)
2318{
2319exim_gnutls_state_st * state = &state_server;
2320unsigned size;
2321uschar * buf;
059ec3d9 2322
0d81dabc
JH		 2323if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2324 if (!tls_refill(*len))
059ec3d9 2325 {
0d81dabc
JH		 2326 if (!state->xfer_error) return smtp_getbuf(len);
2327 *len = 0;
2328 return NULL;
059ec3d9 2329 }
059ec3d9 2330
0d81dabc
JH		 2331if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
2332 size = *len;
2333buf = &state->xfer_buffer[state->xfer_buffer_lwm];
2334state->xfer_buffer_lwm += size;
2335*len = size;
2336return buf;
059ec3d9
PH		 2337}
2338
0d81dabc 2339
584e96c6
JH		 2340void
2341tls_get_cache()
2342{
9960d1e5 2343#ifndef DISABLE_DKIM
584e96c6
JH		 2344exim_gnutls_state_st * state = &state_server;
2345int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
2346if (n > 0)
2347 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 2348#endif
9960d1e5 2349}
584e96c6 2350
059ec3d9 2351
925ac8e4
JH		 2352BOOL
2353tls_could_read(void)
2354{
2355return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
2356 || gnutls_record_check_pending(state_server.session) > 0;
2357}
2358
2359
059ec3d9 2360
17c76198 2361
059ec3d9
PH		 2362/*************************************************
2363* Read bytes from TLS channel *
2364*************************************************/
2365
17c76198
PP		 2366/* This does not feed DKIM, so if the caller uses this for reading message body,
2367then the caller must feed DKIM.
817d9f57 2368
059ec3d9
PH		 2369Arguments:
2370 buff buffer of data
2371 len size of buffer
2372
2373Returns: the number of bytes read
2374 -1 after a failed read
2375*/
2376
2377int
817d9f57 2378tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 2379{
817d9f57 2380exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
17c76198 2381ssize_t inbytes;
059ec3d9 2382
17c76198
PP		 2383if (len > INT_MAX)
2384 len = INT_MAX;
059ec3d9 2385
17c76198
PP		 2386if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
2387 DEBUG(D_tls)
2388 debug_printf("*** PROBABLY A BUG *** " \
2389 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
2390 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
2391
2392DEBUG(D_tls)
2393 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
2394 state->session, buff, len);
2395
2396inbytes = gnutls_record_recv(state->session, buff, len);
059ec3d9
PH		 2397if (inbytes > 0) return inbytes;
2398if (inbytes == 0)
2399 {
2400 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2401 }
17c76198 2402else record_io_error(state, (int)inbytes, US"recv", NULL);
059ec3d9
PH		 2403
2404return -1;
2405}
2406
2407
2408
17c76198 2409
059ec3d9
PH		 2410/*************************************************
2411* Write bytes down TLS channel *
2412*************************************************/
2413
2414/*
2415Arguments:
817d9f57 2416 is_server channel specifier
059ec3d9
PH		 2417 buff buffer of data
2418 len number of bytes
925ac8e4 2419 more more data expected soon
059ec3d9
PH		 2420
2421Returns: the number of bytes after a successful write,
2422 -1 after a failed write
2423*/
2424
2425int
925ac8e4 2426tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
059ec3d9 2427{
17c76198
PP		 2428ssize_t outbytes;
2429size_t left = len;
817d9f57 2430exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
925ac8e4
JH		 2431#ifdef SUPPORT_CORK
2432static BOOL corked = FALSE;
2433
2434if (more && !corked) gnutls_record_cork(state->session);
2435#endif
2436
2437DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
2438 buff, left, more ? ", more" : "");
059ec3d9 2439
059ec3d9
PH		 2440while (left > 0)
2441 {
17c76198
PP		 2442 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
2443 buff, left);
2444 outbytes = gnutls_record_send(state->session, buff, left);
059ec3d9 2445
17c76198 2446 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH		 2447 if (outbytes < 0)
2448 {
17c76198 2449 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH		 2450 return -1;
2451 }
2452 if (outbytes == 0)
2453 {
17c76198 2454 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH		 2455 return -1;
2456 }
2457
2458 left -= outbytes;
2459 buff += outbytes;
2460 }
2461
17c76198
PP		 2462if (len > INT_MAX)
2463 {
2464 DEBUG(D_tls)
2465 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
2466 len);
2467 len = INT_MAX;
2468 }
2469
925ac8e4
JH		 2470#ifdef SUPPORT_CORK
2471if (more != corked)
2472 {
2473 if (!more) (void) gnutls_record_uncork(state->session, 0);
2474 corked = more;
2475 }
2476#endif
2477
17c76198 2478return (int) len;
059ec3d9
PH		 2479}
2480
2481
2482
17c76198 2483
059ec3d9 2484/*************************************************
17c76198 2485* Random number generation *
059ec3d9
PH		 2486*************************************************/
2487
17c76198
PP		 2488/* Pseudo-random number generation. The result is not expected to be
2489cryptographically strong but not so weak that someone will shoot themselves
2490in the foot using it as a nonce in input in some email header scheme or
2491whatever weirdness they'll twist this into. The result should handle fork()
2492and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 2493
17c76198
PP		 2494Arguments:
2495 max range maximum
2496Returns a random number in range [0, max-1]
059ec3d9
PH		 2497*/
2498
af3498d6 2499#ifdef HAVE_GNUTLS_RND
17c76198
PP		 2500int
2501vaguely_random_number(int max)
059ec3d9 2502{
17c76198
PP		 2503unsigned int r;
2504int i, needed_len;
2505uschar *p;
2506uschar smallbuf[sizeof(r)];
2507
2508if (max <= 1)
2509 return 0;
2510
2511needed_len = sizeof(r);
2512/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2513 * asked for a number less than 10. */
2514for (r = max, i = 0; r; ++i)
2515 r >>= 1;
2516i = (i + 7) / 8;
2517if (i < needed_len)
2518 needed_len = i;
2519
2520i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2521if (i < 0)
059ec3d9 2522 {
17c76198
PP		 2523 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2524 return vaguely_random_number_fallback(max);
2525 }
2526r = 0;
2527for (p = smallbuf; needed_len; --needed_len, ++p)
2528 {
2529 r *= 256;
2530 r += *p;
059ec3d9
PH		 2531 }
2532
17c76198
PP		 2533/* We don't particularly care about weighted results; if someone wants
2534 * smooth distribution and cares enough then they should submit a patch then. */
2535return r % max;
059ec3d9 2536}
af3498d6
PP		 2537#else /* HAVE_GNUTLS_RND */
2538int
2539vaguely_random_number(int max)
2540{
2541 return vaguely_random_number_fallback(max);
2542}
2543#endif /* HAVE_GNUTLS_RND */
059ec3d9 2544
36f12725
NM		 2545
2546
2547
3375e053
PP		 2548/*************************************************
2549* Let tls_require_ciphers be checked at startup *
2550*************************************************/
2551
2552/* The tls_require_ciphers option, if set, must be something which the
2553library can parse.
2554
2555Returns: NULL on success, or error message
2556*/
2557
2558uschar *
2559tls_validate_require_cipher(void)
2560{
2561int rc;
2562uschar *expciphers = NULL;
2563gnutls_priority_t priority_cache;
2564const char *errpos;
cf0c6164 2565uschar * dummy_errstr;
3375e053
PP		 2566
2567#define validate_check_rc(Label) do { \
2568 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2569 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2570#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2571
2572if (exim_gnutls_base_init_done)
2573 log_write(0, LOG_MAIN|LOG_PANIC,
2574 "already initialised GnuTLS, Exim developer bug");
2575
a5f239e4 2576#ifdef HAVE_GNUTLS_PKCS11
2519e60d 2577if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 2578 {
2579 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2580 validate_check_rc(US"gnutls_pkcs11_init");
2581 }
2582#endif
3375e053
PP		 2583rc = gnutls_global_init();
2584validate_check_rc(US"gnutls_global_init()");
2585exim_gnutls_base_init_done = TRUE;
2586
2587if (!(tls_require_ciphers && *tls_require_ciphers))
2588 return_deinit(NULL);
2589
cf0c6164
JH		 2590if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2591 &dummy_errstr))
3375e053
PP		 2592 return_deinit(US"failed to expand tls_require_ciphers");
2593
2594if (!(expciphers && *expciphers))
2595 return_deinit(NULL);
2596
2597DEBUG(D_tls)
2598 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2599
2600rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2601validate_check_rc(string_sprintf(
2602 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2603 expciphers, errpos - CS expciphers, errpos));
2604
2605#undef return_deinit
2606#undef validate_check_rc
2607gnutls_global_deinit();
2608
2609return NULL;
2610}
2611
2612
2613
2614
36f12725
NM		 2615/*************************************************
2616* Report the library versions. *
2617*************************************************/
2618
2619/* See a description in tls-openssl.c for an explanation of why this exists.
2620
2621Arguments: a FILE* to print the results to
2622Returns: nothing
2623*/
2624
2625void
2626tls_version_report(FILE *f)
2627{
754a0503
PP		 2628fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2629 " Runtime: %s\n",
2630 LIBGNUTLS_VERSION,
2631 gnutls_check_version(NULL));
36f12725
NM		 2632}
2633
2b4a568d
JH		 2634/* vi: aw ai sw=2
2635*/
059ec3d9 2636/* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.