projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
OpenSSL: fix bulid on older library versions
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP		 10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP		 14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 16Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 17appropriate.
059ec3d9 18
17c76198
PP		 19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP		 24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP		 27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP		 32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP		 37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
184384c3 42
a5f239e4
PP		 43/* needed to disable PKCS11 autoload unless requested */
44#if GNUTLS_VERSION_NUMBER >= 0x020c00
45# include <gnutls/pkcs11.h>
76075bb5 46# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 47#endif
7e07527a
JH		 48#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
49# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
50# define DISABLE_OCSP
51#endif
0cbf2b82 52#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 53# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 54# define DISABLE_EVENT
a7538db1 55#endif
c1cea16d
JH		 56#if GNUTLS_VERSION_NUMBER >= 0x030000
57# define SUPPORT_SELFSIGN /* Uncertain what version is first usable but 2.12.23 is not */
58#endif
a7fec7a7
JH		 59#if GNUTLS_VERSION_NUMBER >= 0x030306
60# define SUPPORT_CA_DIR
61#else
62# undef SUPPORT_CA_DIR
63#endif
11a04b5a 64#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH		 65# define SUPPORT_SYSDEFAULT_CABUNDLE
66#endif
184384c3
JH		 67#if GNUTLS_VERSION_NUMBER >= 0x030104
68# define GNUTLS_CERT_VFY_STATUS_PRINT
69#endif
925ac8e4
JH		 70#if GNUTLS_VERSION_NUMBER >= 0x030109
71# define SUPPORT_CORK
72#endif
f20cfa4a
JH		 73#if GNUTLS_VERSION_NUMBER >= 0x03010a
74# define SUPPORT_GNUTLS_SESS_DESC
75#endif
4d2a62a3
JH		 76#if GNUTLS_VERSION_NUMBER >= 0x030300
77# define GNUTLS_AUTO_GLOBAL_INIT
9f707b89 78# define GNUTLS_AUTO_PKCS11_MANUAL
4d2a62a3 79#endif
97277c1f
JH		 80#if (GNUTLS_VERSION_NUMBER >= 0x030404) \
81 || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
82# ifndef DISABLE_OCSP
83# define EXIM_HAVE_OCSP
84# endif
85#endif
f20cfa4a
JH		 86#if GNUTLS_VERSION_NUMBER >= 0x030500
87# define SUPPORT_GNUTLS_KEYLOG
88#endif
47195144
JH		 89#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
90# define SUPPORT_SRV_OCSP_STACK
91#endif
49132a3b
JH		 92#if GNUTLS_VERSION_NUMBER >= 0x030600
93# define GNUTLS_AUTO_DHPARAMS
94#endif
be427508 95#if GNUTLS_VERSION_NUMBER >= 0x030603
e326959e 96# define EXIM_HAVE_TLS1_3
be427508 97# define SUPPORT_GNUTLS_EXT_RAW_PARSE
e326959e 98# define GNUTLS_OCSP_STATUS_REQUEST_GET2
be427508 99#endif
c0635b6d
JH		 100
101#ifdef SUPPORT_DANE
102# if GNUTLS_VERSION_NUMBER >= 0x030000
103# define DANESSL_USAGE_DANE_TA 2
104# define DANESSL_USAGE_DANE_EE 3
105# else
106# error GnuTLS version too early for DANE
107# endif
108# if GNUTLS_VERSION_NUMBER < 0x999999
109# define GNUTLS_BROKEN_DANE_VALIDATION
110# endif
899b8bbc 111#endif
7e07527a 112
43e2db44
JH		 113#ifdef EXPERIMENTAL_TLS_RESUME
114# if GNUTLS_VERSION_NUMBER < 0x030603
115# error GNUTLS version too early for session-resumption
116# endif
117#endif
118
f2de3a33 119#ifndef DISABLE_OCSP
2b4a568d
JH		 120# include <gnutls/ocsp.h>
121#endif
899b8bbc
JH		 122#ifdef SUPPORT_DANE
123# include <gnutls/dane.h>
124#endif
059ec3d9 125
f1be21cf
JH		 126#include "tls-cipher-stdname.c"
127
128
b10c87b3
JH		 129#ifdef MACRO_PREDEF
130void
131options_tls(void)
132{
133# ifdef EXPERIMENTAL_TLS_RESUME
134builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
135# endif
e326959e
JH		 136# ifdef EXIM_HAVE_TLS1_3
137builtin_macro_create(US"_HAVE_TLS1_3");
138# endif
97277c1f
JH		 139# ifdef EXIM_HAVE_OCSP
140builtin_macro_create(US"_HAVE_TLS_OCSP");
141# endif
142# ifdef SUPPORT_SRV_OCSP_STACK
143builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
144# endif
b10c87b3
JH		 145}
146#else
147
148
17c76198 149/* GnuTLS 2 vs 3
059ec3d9 150
17c76198
PP		 151GnuTLS 3 only:
152 gnutls_global_set_audit_log_function()
059ec3d9 153
17c76198
PP		 154Changes:
155 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
156*/
059ec3d9 157
17c76198 158/* Local static variables for GnuTLS */
059ec3d9 159
17c76198 160/* Values for verify_requirement */
059ec3d9 161
e51c7be2 162enum peer_verify_requirement
899b8bbc 163 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
059ec3d9 164
17c76198
PP		 165/* This holds most state for server or client; with this, we can set up an
166outbound TLS-enabled connection in an ACL callout, while not stomping all
167over the TLS variables available for expansion.
059ec3d9 168
17c76198
PP		 169Some of these correspond to variables in globals.c; those variables will
170be set to point to content in one of these instances, as appropriate for
171the stage of the process lifetime.
059ec3d9 172
b1a32a3c 173Not handled here: global tlsp->tls_channelbinding.
17c76198 174*/
059ec3d9 175
17c76198 176typedef struct exim_gnutls_state {
9d1c15ef 177 gnutls_session_t session;
17c76198 178 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 179 gnutls_priority_t priority_cache;
17c76198 180 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH		 181 int fd_in;
182 int fd_out;
bd95ffc2
JH		 183
184 BOOL peer_cert_verified:1;
185 BOOL peer_dane_verified:1;
186 BOOL trigger_sni_changes:1;
187 BOOL have_set_peerdn:1;
188 BOOL xfer_eof:1; /*XXX never gets set! */
189 BOOL xfer_error:1;
190#ifdef SUPPORT_CORK
191 BOOL corked:1;
192#endif
193
5fd28bb8 194 const struct host_item *host; /* NULL if server */
afdb5e9c 195 gnutls_x509_crt_t peercert;
9d1c15ef
JH		 196 uschar *peerdn;
197 uschar *ciphersuite;
198 uschar *received_sni;
17c76198
PP		 199
200 const uschar *tls_certificate;
201 const uschar *tls_privatekey;
202 const uschar *tls_sni; /* client send only, not received */
203 const uschar *tls_verify_certificates;
204 const uschar *tls_crl;
205 const uschar *tls_require_ciphers;
e51c7be2 206
17c76198
PP		 207 uschar *exp_tls_certificate;
208 uschar *exp_tls_privatekey;
17c76198
PP		 209 uschar *exp_tls_verify_certificates;
210 uschar *exp_tls_crl;
211 uschar *exp_tls_require_ciphers;
55414b25 212 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 213#ifndef DISABLE_EVENT
a7538db1
JH		 214 uschar *event_action;
215#endif
899b8bbc
JH		 216#ifdef SUPPORT_DANE
217 char * const * dane_data;
218 const int * dane_data_len;
219#endif
17c76198 220
389ca47a 221 tls_support *tlsp; /* set in tls_init() */
817d9f57 222
17c76198
PP		 223 uschar *xfer_buffer;
224 int xfer_buffer_lwm;
225 int xfer_buffer_hwm;
17c76198
PP		 226} exim_gnutls_state_st;
227
228static const exim_gnutls_state_st exim_gnutls_state_init = {
b10c87b3 229 /* all elements not explicitly intialised here get 0/NULL/FALSE */
f2ed27cf
JH		 230 .fd_in = -1,
231 .fd_out = -1,
17c76198 232};
83da1223 233
17c76198
PP		 234/* Not only do we have our own APIs which don't pass around state, assuming
235it's held in globals, GnuTLS doesn't appear to let us register callback data
236for callbacks, or as part of the session, so we have to keep a "this is the
237context we're currently dealing with" pointer and rely upon being
238single-threaded to keep from processing data on an inbound TLS connection while
239talking to another TLS connection for an outbound check. This does mean that
240there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH		 241second connection.
242XXX But see gnutls_session_get_ptr()
243*/
059ec3d9 244
74f1a423 245static exim_gnutls_state_st state_server;
059ec3d9 246
49132a3b 247#ifndef GNUTLS_AUTO_DHPARAMS
17c76198
PP		 248/* dh_params are initialised once within the lifetime of a process using TLS;
249if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
250don't want to repeat this. */
83da1223 251
17c76198 252static gnutls_dh_params_t dh_server_params = NULL;
49132a3b 253#endif
059ec3d9 254
dea4b568 255static int ssl_session_timeout = 7200; /* Two hours */
059ec3d9 256
fc243e94 257static const uschar * const exim_default_gnutls_priority = US"NORMAL";
83da1223 258
17c76198 259/* Guard library core initialisation */
83da1223 260
17c76198 261static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 262
4fb7df6d 263#ifndef DISABLE_OCSP
9196d5bf 264static BOOL gnutls_buggy_ocsp = FALSE;
e5489333 265static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
4fb7df6d 266#endif
9196d5bf 267
b10c87b3
JH		 268#ifdef EXPERIMENTAL_TLS_RESUME
269static gnutls_datum_t server_sessticket_key;
270#endif
059ec3d9 271
17c76198
PP		 272/* ------------------------------------------------------------------------ */
273/* macros */
83da1223 274
17c76198 275#define MAX_HOST_LEN 255
83da1223 276
17c76198
PP		 277/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
278the library logging; a value less than 0 disables the calls to set up logging
dc6d1769
JH		 279callbacks. GNuTLS also looks for an environment variable - except not for
280setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
281Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
282but the env var must be added to /etc/sudoers too. */
2c17bb02 283#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
b1a4f234 284# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 285#endif
83da1223 286
2c17bb02 287#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 288# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 289#endif
83da1223 290
af3498d6
PP		 291/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
292can ask for a bit-strength. Without that, we stick to the constant we had
293before, for now. */
2c17bb02 294#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 295# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 296#endif
af3498d6 297
cf0c6164
JH		 298#define expand_check_tlsvar(Varname, errstr) \
299 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 300
17c76198 301#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH		 302# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
303# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
304# define HAVE_GNUTLS_RND
2519e60d
TL		 305/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
306 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
307 * isn't available sometimes, so this needs to become a conditional
308 * compilation; the sanest way to deal with this being a problem on
309 * older OSes is to block it in the Local/Makefile with this compiler
310 * definition */
e51c7be2
JH		 311# ifndef AVOID_GNUTLS_PKCS11
312# define HAVE_GNUTLS_PKCS11
313# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 314#endif
83da1223 315
af3498d6
PP		 316
317
318
319/* ------------------------------------------------------------------------ */
320/* Callback declarations */
321
322#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
323static void exim_gnutls_logger_cb(int level, const char *message);
324#endif
325
326static int exim_sni_handling_cb(gnutls_session_t session);
327
e5489333
JH		 328#ifdef EXPERIMENTAL_TLS_RESUME
329static int
330tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
331 unsigned incoming, const gnutls_datum_t * msg);
332#endif
af3498d6
PP		 333
334
b10c87b3
JH		 335/* Daemon one-time initialisation */
336void
337tls_daemon_init(void)
338{
339#ifdef EXPERIMENTAL_TLS_RESUME
340/* We are dependent on the GnuTLS implementation of the Session Ticket
341encryption; both the strength and the key rotation period. We hope that
342the strength at least matches that of the ciphersuite (but GnuTLS does not
343document this). */
344
345static BOOL once = FALSE;
346if (once) return;
347once = TRUE;
348gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
349if (f.running_in_test_harness) ssl_session_timeout = 6;
350#endif
351}
352
17c76198
PP		 353/* ------------------------------------------------------------------------ */
354/* Static functions */
059ec3d9
PH		 355
356/*************************************************
357* Handle TLS error *
358*************************************************/
359
360/* Called from lots of places when errors occur before actually starting to do
361the TLS handshake, that is, while the session is still in clear. Always returns
362DEFER for a server and FAIL for a client so that most calls can use "return
363tls_error(...)" to do this processing and then give an appropriate return. A
364single function is used for both server and client, because it is called from
365some shared functions.
366
367Argument:
368 prefix text to include in the logged error
7199e1ee
TF		 369 msg additional error string (may be NULL)
370 usually obtained from gnutls_strerror()
17c76198
PP		 371 host NULL if setting up a server;
372 the connected host if setting up a client
cf0c6164 373 errstr pointer to returned error string
059ec3d9
PH		 374
375Returns: OK/DEFER/FAIL
376*/
377
378static int
48224640 379tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
cf0c6164 380 uschar ** errstr)
059ec3d9 381{
cf0c6164 382if (errstr)
48224640 383 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
cf0c6164 384return host ? FAIL : DEFER;
059ec3d9
PH		 385}
386
387
452a164f
JH		 388static int
389tls_error_gnu(const uschar *prefix, int err, const host_item *host,
390 uschar ** errstr)
391{
392return tls_error(prefix, US gnutls_strerror(err), host, errstr);
393}
394
395static int
396tls_error_sys(const uschar *prefix, int err, const host_item *host,
397 uschar ** errstr)
398{
399return tls_error(prefix, US strerror(err), host, errstr);
400}
059ec3d9 401
17c76198 402
059ec3d9 403/*************************************************
17c76198 404* Deal with logging errors during I/O *
059ec3d9
PH		 405*************************************************/
406
17c76198 407/* We have to get the identity of the peer from saved data.
059ec3d9 408
17c76198
PP		 409Argument:
410 state the current GnuTLS exim state container
411 rc the GnuTLS error code, or 0 if it's a local error
412 when text identifying read or write
95f52235 413 text local error text when rc is 0
059ec3d9 414
17c76198 415Returns: nothing
059ec3d9
PH		 416*/
417
17c76198
PP		 418static void
419record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 420{
48224640 421const uschar * msg;
cf0c6164 422uschar * errstr;
059ec3d9 423
17c76198 424if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
95f52235 425 msg = string_sprintf("A TLS fatal alert has been received: %s",
17c76198
PP		 426 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
427else
48224640 428 msg = US gnutls_strerror(rc);
059ec3d9 429
cf0c6164
JH		 430(void) tls_error(when, msg, state->host, &errstr);
431
432if (state->host)
433 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
434 state->host->name, state->host->address, errstr);
435else
436 {
437 uschar * conn_info = smtp_get_connection_info();
438 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
439 /* I'd like to get separated H= here, but too hard for now */
440 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
441 }
17c76198 442}
059ec3d9 443
059ec3d9 444
059ec3d9 445
059ec3d9 446
17c76198
PP		 447/*************************************************
448* Set various Exim expansion vars *
449*************************************************/
059ec3d9 450
e51c7be2
JH		 451#define exim_gnutls_cert_err(Label) \
452 do \
453 { \
454 if (rc != GNUTLS_E_SUCCESS) \
455 { \
456 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
457 (Label), gnutls_strerror(rc)); \
458 return rc; \
459 } \
460 } while (0)
9d1c15ef
JH		 461
462static int
27f19eb4 463import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH		 464{
465int rc;
466
467rc = gnutls_x509_crt_init(crtp);
468exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
469
470rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
471exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
472
473return rc;
474}
475
476#undef exim_gnutls_cert_err
477
478
17c76198
PP		 479/* We set various Exim global variables from the state, once a session has
480been established. With TLS callouts, may need to change this to stack
481variables, or just re-call it with the server state after client callout
482has finished.
059ec3d9 483
9d1c15ef 484Make sure anything set here is unset in tls_getc().
17c76198
PP		 485
486Sets:
487 tls_active fd
488 tls_bits strength indicator
489 tls_certificate_verified bool indicator
b1a32a3c 490 tls_channelbinding for some SASL mechanisms
da40b1ec 491 tls_ver a string
17c76198 492 tls_cipher a string
9d1c15ef 493 tls_peercert pointer to library internal
17c76198
PP		 494 tls_peerdn a string
495 tls_sni a (UTF-8) string
9d1c15ef 496 tls_ourcert pointer to library internal
17c76198
PP		 497
498Argument:
499 state the relevant exim_gnutls_state_st *
500*/
501
502static void
9d1c15ef 503extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 504{
17c76198
PP		 505#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
506int old_pool;
507int rc;
508gnutls_datum_t channel;
509#endif
9d1c15ef 510tls_support * tlsp = state->tlsp;
17c76198 511
74f1a423
JH		 512tlsp->active.sock = state->fd_out;
513tlsp->active.tls_ctx = state;
17c76198 514
817d9f57 515DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 516
9d1c15ef 517tlsp->certificate_verified = state->peer_cert_verified;
899b8bbc
JH		 518#ifdef SUPPORT_DANE
519tlsp->dane_verified = state->peer_dane_verified;
520#endif
059ec3d9 521
b1a32a3c 522/* note that tls_channelbinding is not saved to the spool file, since it's
17c76198
PP		 523only available for use for authenticators while this TLS session is running. */
524
b1a32a3c 525tlsp->channelbinding = NULL;
17c76198
PP		 526#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
527channel.data = NULL;
528channel.size = 0;
1f20760b
JH		 529if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
530 { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
531else
532 {
b1a32a3c
JH		 533 /* Declare the taintedness of the binding info. On server, untainted; on
534 client, tainted - being the Finish msg from the server. */
535
17c76198
PP		 536 old_pool = store_pool;
537 store_pool = POOL_PERM;
b1a32a3c
JH		 538 tlsp->channelbinding = b64encode_taint(CUS channel.data, (int)channel.size,
539 !!state->host);
17c76198 540 store_pool = old_pool;
b1a32a3c 541 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage\n");
1f20760b 542 }
17c76198
PP		 543#endif
544
9d1c15ef
JH		 545/* peercert is set in peer_status() */
546tlsp->peerdn = state->peerdn;
547tlsp->sni = state->received_sni;
548
549/* record our certificate */
550 {
27f19eb4 551 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH		 552 gnutls_x509_crt_t crt;
553
554 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
555 }
059ec3d9
PH		 556}
557
558
559
17c76198 560
49132a3b 561#ifndef GNUTLS_AUTO_DHPARAMS
059ec3d9 562/*************************************************
575643cd 563* Setup up DH parameters *
059ec3d9
PH		 564*************************************************/
565
575643cd 566/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH		 567be re-generated every so often, depending on security policy. What we do is to
568keep these parameters in a file in the spool directory. If the file does not
569exist, we generate them. This means that it is easy to cause a regeneration.
570
571The new file is written as a temporary file and renamed, so that an incomplete
572file is never present. If two processes both compute some new parameters, you
573waste a bit of effort, but it doesn't seem worth messing around with locking to
574prevent this.
575
059ec3d9
PH		 576Returns: OK/DEFER/FAIL
577*/
578
579static int
cf0c6164 580init_server_dh(uschar ** errstr)
059ec3d9 581{
17c76198
PP		 582int fd, rc;
583unsigned int dh_bits;
49132a3b 584gnutls_datum_t m = {.data = NULL, .size = 0};
a799883d
PP		 585uschar filename_buf[PATH_MAX];
586uschar *filename = NULL;
17c76198 587size_t sz;
a799883d
PP		 588uschar *exp_tls_dhparam;
589BOOL use_file_in_spool = FALSE;
17c76198 590host_item *host = NULL; /* dummy for macros */
059ec3d9 591
17c76198 592DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 593
452a164f
JH		 594if ((rc = gnutls_dh_params_init(&dh_server_params)))
595 return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
059ec3d9 596
cf0c6164 597if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP		 598 return DEFER;
599
600if (!exp_tls_dhparam)
601 {
602 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
603 m.data = US std_dh_prime_default();
604 m.size = Ustrlen(m.data);
605 }
606else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
607 use_file_in_spool = TRUE;
608else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
609 {
610 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
611 return OK;
612 }
613else if (exp_tls_dhparam[0] != '/')
614 {
f5d25c2b 615 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
48224640 616 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
a799883d
PP		 617 m.size = Ustrlen(m.data);
618 }
619else
a799883d 620 filename = exp_tls_dhparam;
a799883d
PP		 621
622if (m.data)
623 {
452a164f
JH		 624 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
625 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
a799883d
PP		 626 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
627 return OK;
628 }
629
af3498d6
PP		 630#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
631/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198 632different filename and ensure we have sufficient bits. */
452a164f
JH		 633
634if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
cf0c6164 635 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 636DEBUG(D_tls)
b34fc30c 637 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP		 638 dh_bits);
639#else
640dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
641DEBUG(D_tls)
642 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
643 dh_bits);
644#endif
059ec3d9 645
3375e053
PP		 646/* Some clients have hard-coded limits. */
647if (dh_bits > tls_dh_max_bits)
648 {
649 DEBUG(D_tls)
650 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
651 tls_dh_max_bits);
652 dh_bits = tls_dh_max_bits;
653 }
654
a799883d
PP		 655if (use_file_in_spool)
656 {
657 if (!string_format(filename_buf, sizeof(filename_buf),
658 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 659 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP		 660 filename = filename_buf;
661 }
059ec3d9 662
b5aea5e1 663/* Open the cache file for reading and if successful, read it and set up the
575643cd 664parameters. */
059ec3d9 665
f5d25c2b 666if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 667 {
b5aea5e1 668 struct stat statbuf;
17c76198
PP		 669 FILE *fp;
670 int saved_errno;
671
672 if (fstat(fd, &statbuf) < 0) /* EIO */
673 {
674 saved_errno = errno;
675 (void)close(fd);
452a164f 676 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
17c76198
PP		 677 }
678 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH		 679 {
680 (void)close(fd);
cf0c6164 681 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 682 }
40c90bca 683 if (!(fp = fdopen(fd, "rb")))
17c76198
PP		 684 {
685 saved_errno = errno;
686 (void)close(fd);
452a164f
JH		 687 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
688 saved_errno, NULL, errstr);
b5aea5e1 689 }
059ec3d9 690
b5aea5e1 691 m.size = statbuf.st_size;
f3ebb786 692 if (!(m.data = store_malloc(m.size)))
17c76198
PP		 693 {
694 fclose(fp);
452a164f 695 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
17c76198 696 }
40c90bca 697 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP		 698 {
699 saved_errno = errno;
700 fclose(fp);
f3ebb786 701 store_free(m.data);
452a164f 702 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
17c76198
PP		 703 }
704 fclose(fp);
b5aea5e1 705
17c76198 706 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
f3ebb786 707 store_free(m.data);
452a164f
JH		 708 if (rc)
709 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
17c76198 710 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH		 711 }
712
713/* If the file does not exist, fall through to compute new data and cache it.
714If there was any other opening error, it is serious. */
715
182ad5cf
PH		 716else if (errno == ENOENT)
717 {
17c76198 718 rc = -1;
182ad5cf 719 DEBUG(D_tls)
17c76198 720 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH		 721 }
722else
17c76198 723 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 724 NULL, NULL, errstr);
b5aea5e1
PH		 725
726/* If ret < 0, either the cache file does not exist, or the data it contains
727is not useful. One particular case of this is when upgrading from an older
728release of Exim in which the data was stored in a different format. We don't
729try to be clever and support both formats; we just regenerate new data in this
730case. */
731
17c76198 732if (rc < 0)
b5aea5e1 733 {
17c76198 734 uschar *temp_fn;
201f5254 735 unsigned int dh_bits_gen = dh_bits;
059ec3d9 736
17c76198
PP		 737 if ((PATH_MAX - Ustrlen(filename)) < 10)
738 return tls_error(US"Filename too long to generate replacement",
48224640 739 filename, NULL, errstr);
059ec3d9 740
48224640 741 temp_fn = string_copy(US"%s.XXXXXXX");
f5d25c2b 742 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
452a164f 743 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
b66fecb4 744 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
059ec3d9 745
49132a3b
JH		 746 /* GnuTLS overshoots! If we ask for 2236, we might get 2237 or more. But
747 there's no way to ask GnuTLS how many bits there really are. We can ask
748 how many bits were used in a TLS session, but that's it! The prime itself
749 is hidden behind too much abstraction. So we ask for less, and proceed on
750 a wing and a prayer. First attempt, subtracted 3 for 2233 and got 2240. */
751
cae6e576 752 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP		 753 {
754 dh_bits_gen = dh_bits - 10;
755 DEBUG(D_tls)
756 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
757 dh_bits_gen);
758 }
759
760 DEBUG(D_tls)
761 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
762 dh_bits_gen);
452a164f
JH		 763 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
764 return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
17c76198
PP		 765
766 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
767 and I confirmed that a NULL call to get the size first is how the GnuTLS
768 sample apps handle this. */
769
770 sz = 0;
771 m.data = NULL;
452a164f
JH		 772 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
773 GNUTLS_X509_FMT_PEM, m.data, &sz))
774 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
775 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
776 rc, host, errstr);
17c76198 777 m.size = sz;
f3ebb786 778 if (!(m.data = store_malloc(m.size)))
452a164f 779 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
40c90bca 780
1f00591e 781 /* this will return a size 1 less than the allocation size above */
452a164f
JH		 782 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
783 m.data, &sz)))
17c76198 784 {
f3ebb786 785 store_free(m.data);
452a164f 786 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
17c76198 787 }
1f00591e 788 m.size = sz; /* shrink by 1, probably */
059ec3d9 789
f5d25c2b 790 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198 791 {
f3ebb786 792 store_free(m.data);
452a164f
JH		 793 return tls_error_sys(US"TLS cache write D-H params failed",
794 errno, NULL, errstr);
17c76198 795 }
f3ebb786 796 store_free(m.data);
f5d25c2b 797 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
452a164f
JH		 798 return tls_error_sys(US"TLS cache write D-H params final newline failed",
799 errno, NULL, errstr);
17c76198 800
f5d25c2b 801 if ((rc = close(fd)))
452a164f 802 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
059ec3d9 803
17c76198 804 if (Urename(temp_fn, filename) < 0)
452a164f
JH		 805 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
806 temp_fn, filename), errno, NULL, errstr);
059ec3d9 807
17c76198 808 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH		 809 }
810
17c76198 811DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH		 812return OK;
813}
49132a3b 814#endif
059ec3d9
PH		 815
816
817
818
23bb6982
JH		 819/* Create and install a selfsigned certificate, for use in server mode */
820
821static int
cf0c6164 822tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH		 823{
824gnutls_x509_crt_t cert = NULL;
825time_t now;
826gnutls_x509_privkey_t pkey = NULL;
827const uschar * where;
828int rc;
829
c1cea16d
JH		 830#ifndef SUPPORT_SELFSIGN
831where = US"library too old";
832rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
833if (TRUE) goto err;
834#endif
835
23bb6982
JH		 836where = US"initialising pkey";
837if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
838
839where = US"initialising cert";
840if ((rc = gnutls_x509_crt_init(&cert))) goto err;
841
c1cea16d 842where = US"generating pkey"; /* Hangs on 2.12.23 */
23bb6982 843if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 844#ifdef SUPPORT_PARAM_TO_PK_BITS
4312da48
JH		 845# ifndef GNUTLS_SEC_PARAM_MEDIUM
846# define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
847# endif
6aac3239 848 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
76075bb5 849#else
6aac3239 850 2048,
76075bb5
JH		 851#endif
852 0)))
23bb6982
JH		 853 goto err;
854
855where = US"configuring cert";
1613fd68 856now = 1;
23bb6982
JH		 857if ( (rc = gnutls_x509_crt_set_version(cert, 3))
858 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
859 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
860 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
861 || (rc = gnutls_x509_crt_set_key(cert, pkey))
862
863 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
864 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
865 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
866 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
867 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
868 GNUTLS_OID_X520_COMMON_NAME, 0,
869 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
870 )
871 goto err;
872
873where = US"signing cert";
874if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
875
876where = US"installing selfsign cert";
877 /* Since: 2.4.0 */
878if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
879 goto err;
880
881rc = OK;
882
883out:
884 if (cert) gnutls_x509_crt_deinit(cert);
885 if (pkey) gnutls_x509_privkey_deinit(pkey);
886 return rc;
887
888err:
452a164f 889 rc = tls_error_gnu(where, rc, NULL, errstr);
23bb6982
JH		 890 goto out;
891}
892
893
894
895
47195144
JH		 896/* Add certificate and key, from files.
897
898Return:
899 Zero or negative: good. Negate value for certificate index if < 0.
900 Greater than zero: FAIL or DEFER code.
901*/
902
ba86e143
JH		 903static int
904tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
905 uschar * certfile, uschar * keyfile, uschar ** errstr)
906{
907int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
908 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
47195144 909if (rc < 0)
452a164f 910 return tls_error_gnu(
47195144 911 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
452a164f 912 rc, host, errstr);
47195144 913return -rc;
ba86e143
JH		 914}
915
916
d896cef5
JH		 917#if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
918/* Load an OCSP proof from file for sending by the server. Called
919on getting a status-request handshake message, for earlier versions
920of GnuTLS. */
921
922static int
923server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
924 gnutls_datum_t * ocsp_response)
925{
926int ret;
927DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
928
929if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
930 {
931 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
932 CS ptr);
933 tls_in.ocsp = OCSP_NOT_RESP;
934 return GNUTLS_E_NO_CERTIFICATE_STATUS;
935 }
936
937tls_in.ocsp = OCSP_VFY_NOT_TRIED;
938return 0;
939}
940#endif
941
942
be427508 943#ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e5489333
JH		 944/* Make a note that we saw a status-request */
945static int
946tls_server_clienthello_ext(void * ctx, unsigned tls_id,
947 const unsigned char *data, unsigned size)
948{
949/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
950if (tls_id == 5) /* status_request */
951 {
e326959e 952 DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
e5489333
JH		 953 tls_in.ocsp = OCSP_NOT_RESP;
954 }
955return 0;
956}
957
958/* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
959static int
960tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
961 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
962{
963/* Call fn for each extension seen. 3.6.3 onwards */
964return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
965 GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
966}
e326959e
JH		 967
968
969/* Make a note that we saw a status-response */
970static int
971tls_server_servercerts_ext(void * ctx, unsigned tls_id,
972 const unsigned char *data, unsigned size)
973{
974/* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
975/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
976if (FALSE && tls_id == 5) /* status_request */
977 {
978 DEBUG(D_tls) debug_printf("Seen status_request extension\n");
979 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
980 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
981 }
982return 0;
983}
984
985/* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
986static int
987tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
988 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
989{
990/* Call fn for each extension seen. 3.6.3 onwards */
991#ifdef notdef
992/*XXX crashes */
993return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
994#endif
995}
be427508 996#endif
e5489333 997
e326959e
JH		 998/*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
999 "Handshake Protocol: Certificate" record.
1000So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
1001
1002This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term).
1003*/
1004
727a5d25 1005#if defined(EXPERIMENTAL_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
e5489333
JH		 1006/* Callback for certificate-status, on server. We sent stapled OCSP. */
1007static int
1008tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
1009 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
1010{
e326959e 1011DEBUG(D_tls) debug_printf("Sending certificate-status\n"); /*XXX we get this for tls1.2 but not for 1.3 */
e5489333
JH		 1012#ifdef SUPPORT_SRV_OCSP_STACK
1013tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
1014 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
1015#else
1016tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1017#endif
1018return 0;
1019}
1020
1021/* Callback for handshake messages, on server */
1022static int
1023tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
1024 unsigned incoming, const gnutls_datum_t * msg)
1025{
e326959e 1026/* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
e5489333
JH		 1027switch (htype)
1028 {
727a5d25 1029# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e5489333
JH		 1030 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1031 return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
e326959e
JH		 1032 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1033 return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
727a5d25 1034# endif
e5489333
JH		 1035 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1036 return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
727a5d25 1037# ifdef EXPERIMENTAL_TLS_RESUME
e5489333
JH		 1038 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1039 return tls_server_ticket_cb(sess, htype, when, incoming, msg);
727a5d25 1040# endif
e5489333
JH		 1041 default:
1042 return 0;
1043 }
1044}
727a5d25 1045#endif
e5489333
JH		 1046
1047
727a5d25 1048#if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
e5489333
JH		 1049static void
1050tls_server_testharness_ocsp_fiddle(void)
1051{
1052extern char ** environ;
1053if (environ) for (uschar ** p = USS environ; *p; p++)
1054 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1055 {
1056 DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
1057 exim_testharness_disable_ocsp_validity_check = TRUE;
1058 }
1059}
727a5d25 1060#endif
e5489333 1061
059ec3d9 1062/*************************************************
17c76198 1063* Variables re-expanded post-SNI *
059ec3d9
PH		 1064*************************************************/
1065
17c76198
PP		 1066/* Called from both server and client code, via tls_init(), and also from
1067the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
1068
1069We can tell the two apart by state->received_sni being non-NULL in callback.
1070
1071The callback should not call us unless state->trigger_sni_changes is true,
1072which we are responsible for setting on the first pass through.
059ec3d9
PH		 1073
1074Arguments:
17c76198 1075 state exim_gnutls_state_st *
cf0c6164 1076 errstr error string pointer
059ec3d9
PH		 1077
1078Returns: OK/DEFER/FAIL
1079*/
1080
1081static int
ba86e143 1082tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1083{
1365611d 1084struct stat statbuf;
059ec3d9 1085int rc;
17c76198
PP		 1086const host_item *host = state->host; /* macro should be reconsidered? */
1087uschar *saved_tls_certificate = NULL;
1088uschar *saved_tls_privatekey = NULL;
1089uschar *saved_tls_verify_certificates = NULL;
1090uschar *saved_tls_crl = NULL;
1091int cert_count;
1092
1093/* We check for tls_sni *before* expansion. */
2b4a568d 1094if (!host) /* server */
17c76198
PP		 1095 if (!state->received_sni)
1096 {
ba86e143
JH		 1097 if ( state->tls_certificate
1098 && ( Ustrstr(state->tls_certificate, US"tls_sni")
1099 || Ustrstr(state->tls_certificate, US"tls_in_sni")
1100 || Ustrstr(state->tls_certificate, US"tls_out_sni")
1101 ) )
17c76198
PP		 1102 {
1103 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
1104 state->trigger_sni_changes = TRUE;
1105 }
1106 }
1107 else
1108 {
1365611d 1109 /* useful for debugging */
17c76198
PP		 1110 saved_tls_certificate = state->exp_tls_certificate;
1111 saved_tls_privatekey = state->exp_tls_privatekey;
1112 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
1113 saved_tls_crl = state->exp_tls_crl;
1114 }
059ec3d9 1115
452a164f
JH		 1116if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
1117 return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
1118 rc, host, errstr);
47195144
JH		 1119
1120#ifdef SUPPORT_SRV_OCSP_STACK
1121gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
e326959e
JH		 1122
1123# if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1124if (!host && tls_ocsp_file)
1125 {
1126 if (f.running_in_test_harness)
1127 tls_server_testharness_ocsp_fiddle();
1128
1129 if (exim_testharness_disable_ocsp_validity_check)
1130 gnutls_certificate_set_flags(state->x509_cred,
1131 GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
1132 }
1133# endif
47195144 1134#endif
1365611d 1135
17c76198
PP		 1136/* remember: expand_check_tlsvar() is expand_check() but fiddling with
1137state members, assuming consistent naming; and expand_check() returns
1138false if expansion failed, unless expansion was forced to fail. */
059ec3d9 1139
17c76198
PP		 1140/* check if we at least have a certificate, before doing expensive
1141D-H generation. */
059ec3d9 1142
cf0c6164 1143if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 1144 return DEFER;
059ec3d9 1145
17c76198 1146/* certificate is mandatory in server, optional in client */
059ec3d9 1147
23bb6982
JH		 1148if ( !state->exp_tls_certificate
1149 || !*state->exp_tls_certificate
1150 )
2b4a568d 1151 if (!host)
cf0c6164 1152 return tls_install_selfsign(state, errstr);
17c76198
PP		 1153 else
1154 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 1155
cf0c6164 1156if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH		 1157 return DEFER;
1158
17c76198
PP		 1159/* tls_privatekey is optional, defaulting to same file as certificate */
1160
e326959e 1161if (!state->tls_privatekey || !*state->tls_privatekey)
059ec3d9 1162 {
17c76198
PP		 1163 state->tls_privatekey = state->tls_certificate;
1164 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 1165 }
c91535f3 1166
059ec3d9 1167
17c76198 1168if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH		 1169 {
1170 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP		 1171 state->exp_tls_certificate, state->exp_tls_privatekey);
1172
1173 if (state->received_sni)
23bb6982
JH		 1174 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
1175 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
1176 )
17c76198 1177 {
b34fc30c 1178 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP		 1179 }
1180 else
1181 {
b34fc30c 1182 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 1183 }
059ec3d9 1184
ba86e143
JH		 1185 if (!host) /* server */
1186 {
1187 const uschar * clist = state->exp_tls_certificate;
1188 const uschar * klist = state->exp_tls_privatekey;
47195144
JH		 1189 const uschar * olist;
1190 int csep = 0, ksep = 0, osep = 0, cnt = 0;
1191 uschar * cfile, * kfile, * ofile;
47195144 1192#ifndef DISABLE_OCSP
e326959e
JH		 1193# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1194 gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
1195# endif
1196
47195144
JH		 1197 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
1198 return DEFER;
1199 olist = ofile;
1200#endif
ba86e143
JH		 1201
1202 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
47195144 1203
ba86e143
JH		 1204 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
1205 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
47195144 1206 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
ba86e143
JH		 1207 return rc;
1208 else
47195144
JH		 1209 {
1210 int gnutls_cert_index = -rc;
e326959e
JH		 1211 DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
1212 gnutls_cert_index, cfile);
47195144
JH		 1213
1214#ifndef DISABLE_OCSP
1215 if (tls_ocsp_file)
e5489333 1216 {
e326959e 1217 /* Set the OCSP stapling server info */
47195144
JH		 1218 if (gnutls_buggy_ocsp)
1219 {
1220 DEBUG(D_tls)
1221 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1222 }
1223 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1224 {
e326959e
JH		 1225 DEBUG(D_tls) debug_printf("OCSP response file %d = %s\n",
1226 gnutls_cert_index, ofile);
be427508 1227# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e326959e 1228 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
47195144 1229 {
e326959e
JH		 1230 ocsp_fmt = GNUTLS_X509_FMT_PEM;
1231 ofile += 4;
1232 }
1233 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1234 {
1235 ocsp_fmt = GNUTLS_X509_FMT_DER;
1236 ofile += 4;
1237 }
e5489333 1238
e326959e
JH		 1239 if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
1240 state->x509_cred, CCS ofile, gnutls_cert_index,
1241 ocsp_fmt)) < 0)
1242 return tls_error_gnu(
1243 US"gnutls_certificate_set_ocsp_status_request_file2",
1244 rc, host, errstr);
1245 DEBUG(D_tls)
1246 debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
e5489333 1247
e326959e
JH		 1248 /* Arrange callbacks for OCSP request observability */
1249
1250 gnutls_handshake_set_hook_function(state->session,
1251 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1252
1253# else
1254# if defined(SUPPORT_SRV_OCSP_STACK)
be427508
JH		 1255 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1256 state->x509_cred, gnutls_cert_index,
1257 server_ocsp_stapling_cb, ofile)))
1258 return tls_error_gnu(
1259 US"gnutls_certificate_set_ocsp_status_request_function2",
1260 rc, host, errstr);
1261 else
e326959e 1262# endif
e5489333
JH		 1263 {
1264 if (cnt++ > 0)
1265 {
1266 DEBUG(D_tls)
1267 debug_printf("oops; multiple OCSP files not supported\n");
1268 break;
1269 }
d896cef5
JH		 1270 gnutls_certificate_set_ocsp_status_request_function(
1271 state->x509_cred, server_ocsp_stapling_cb, ofile);
e5489333 1272 }
e326959e 1273# endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
47195144
JH		 1274 }
1275 else
1276 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
e5489333 1277 }
fd71e7b8 1278#endif /* DISABLE_OCSP */
47195144 1279 }
ba86e143 1280 }
e5489333 1281 else /* client */
ba86e143 1282 {
47195144 1283 if (0 < (rc = tls_add_certfile(state, host,
ba86e143
JH		 1284 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1285 return rc;
1286 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1287 }
1288
b34fc30c 1289 } /* tls_certificate */
059ec3d9 1290
2b4a568d 1291
059ec3d9
PH		 1292/* Set the trusted CAs file if one is provided, and then add the CRL if one is
1293provided. Experiment shows that, if the certificate file is empty, an unhelpful
1294error message is provided. However, if we just refrain from setting anything up
1295in that case, certificate verification fails, which seems to be the correct
1296behaviour. */
1297
610ff438 1298if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 1299 {
cf0c6164 1300 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 1301 return DEFER;
610ff438
JH		 1302#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1303 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1304 state->exp_tls_verify_certificates = NULL;
1305#endif
17c76198 1306 if (state->tls_crl && *state->tls_crl)
cf0c6164 1307 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 1308 return DEFER;
059ec3d9 1309
1365611d
PP		 1310 if (!(state->exp_tls_verify_certificates &&
1311 *state->exp_tls_verify_certificates))
b34fc30c
PP		 1312 {
1313 DEBUG(D_tls)
1365611d
PP		 1314 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1315 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 1316 return OK;
b34fc30c 1317 }
1365611d 1318 }
83e2f8a2
PP		 1319else
1320 {
1321 DEBUG(D_tls)
1322 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1323 return OK;
1324 }
17c76198 1325
cb1d7830
JH		 1326#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1327if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1328 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1329else
1330#endif
1365611d 1331 {
cb1d7830
JH		 1332 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1333 {
d896cef5 1334 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
cb1d7830
JH		 1335 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1336 strerror(errno));
1337 return DEFER;
1338 }
17c76198 1339
a7fec7a7 1340#ifndef SUPPORT_CA_DIR
cb1d7830
JH		 1341 /* The test suite passes in /dev/null; we could check for that path explicitly,
1342 but who knows if someone has some weird FIFO which always dumps some certs, or
1343 other weirdness. The thing we really want to check is that it's not a
1344 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 1345 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH		 1346 if (S_ISDIR(statbuf.st_mode))
1347 {
1348 DEBUG(D_tls)
1349 debug_printf("verify certificates path is a dir: \"%s\"\n",
1350 state->exp_tls_verify_certificates);
1351 log_write(0, LOG_MAIN|LOG_PANIC,
1352 "tls_verify_certificates \"%s\" is a directory",
1353 state->exp_tls_verify_certificates);
1354 return DEFER;
1355 }
a7fec7a7 1356#endif
059ec3d9 1357
cb1d7830
JH		 1358 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1359 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 1360
cb1d7830
JH		 1361 if (statbuf.st_size == 0)
1362 {
1363 DEBUG(D_tls)
1364 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1365 return OK;
1366 }
059ec3d9 1367
cb1d7830 1368 cert_count =
a7fec7a7
JH		 1369
1370#ifdef SUPPORT_CA_DIR
cb1d7830
JH		 1371 (statbuf.st_mode & S_IFMT) == S_IFDIR
1372 ?
1373 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1374 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1375 :
a7fec7a7 1376#endif
cb1d7830
JH		 1377 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1378 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
12d95aa6
JH		 1379
1380#ifdef SUPPORT_CA_DIR
1381 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1382 when using the directory-of-certs config model. */
1383
1384 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1385 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1386#endif
cb1d7830 1387 }
a7fec7a7 1388
1365611d 1389if (cert_count < 0)
452a164f
JH		 1390 return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
1391DEBUG(D_tls)
1392 debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1393
5c8cda3a
PP		 1394if (state->tls_crl && *state->tls_crl &&
1395 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1396 {
5c8cda3a 1397 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
452a164f
JH		 1398 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1399 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
1400 return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
1401 cert_count, host, errstr);
1402
5c8cda3a 1403 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1404 }
059ec3d9 1405
059ec3d9
PH		 1406return OK;
1407}
1408
1409
1410
1411
1365611d
PP		 1412/*************************************************
1413* Set X.509 state variables *
1414*************************************************/
1415
1416/* In GnuTLS, the registered cert/key are not replaced by a later
1417set of a cert/key, so for SNI support we need a whole new x509_cred
1418structure. Which means various other non-re-expanded pieces of state
1419need to be re-set in the new struct, so the setting logic is pulled
1420out to this.
1421
1422Arguments:
1423 state exim_gnutls_state_st *
cf0c6164 1424 errstr error string pointer
1365611d
PP		 1425
1426Returns: OK/DEFER/FAIL
1427*/
1428
1429static int
cf0c6164 1430tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP		 1431{
1432int rc;
1433const host_item *host = state->host; /* macro should be reconsidered? */
1434
49132a3b 1435#ifndef GNUTLS_AUTO_DHPARAMS
1365611d
PP		 1436/* Create D-H parameters, or read them from the cache file. This function does
1437its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1438client-side params. */
1439
1440if (!state->host)
1441 {
1442 if (!dh_server_params)
452a164f 1443 if ((rc = init_server_dh(errstr)) != OK) return rc;
49132a3b
JH		 1444
1445 /* Unnecessary & discouraged with 3.6.0 or later */
1365611d
PP		 1446 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1447 }
49132a3b 1448#endif
1365611d
PP		 1449
1450/* Link the credentials to the session. */
1451
452a164f
JH		 1452if ((rc = gnutls_credentials_set(state->session,
1453 GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
1454 return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
1365611d
PP		 1455
1456return OK;
1457}
1458
059ec3d9 1459/*************************************************
17c76198 1460* Initialize for GnuTLS *
059ec3d9
PH		 1461*************************************************/
1462
9196d5bf 1463
4fb7df6d
JH		 1464#ifndef DISABLE_OCSP
1465
9196d5bf
JH		 1466static BOOL
1467tls_is_buggy_ocsp(void)
1468{
1469const uschar * s;
1470uschar maj, mid, mic;
1471
1472s = CUS gnutls_check_version(NULL);
1473maj = atoi(CCS s);
1474if (maj == 3)
1475 {
1476 while (*s && *s != '.') s++;
1477 mid = atoi(CCS ++s);
1478 if (mid <= 2)
1479 return TRUE;
1480 else if (mid >= 5)
1481 return FALSE;
1482 else
1483 {
1484 while (*s && *s != '.') s++;
1485 mic = atoi(CCS ++s);
1486 return mic <= (mid == 3 ? 16 : 3);
1487 }
1488 }
1489return FALSE;
1490}
1491
4fb7df6d 1492#endif
9196d5bf
JH		 1493
1494
17c76198
PP		 1495/* Called from both server and client code. In the case of a server, errors
1496before actual TLS negotiation return DEFER.
059ec3d9
PH		 1497
1498Arguments:
17c76198
PP		 1499 host connected host, if client; NULL if server
1500 certificate certificate file
1501 privatekey private key file
1502 sni TLS SNI to send, sometimes when client; else NULL
1503 cas CA certs file
1504 crl CRL file
1505 require_ciphers tls_require_ciphers setting
817d9f57 1506 caller_state returned state-info structure
cf0c6164 1507 errstr error string pointer
059ec3d9 1508
17c76198 1509Returns: OK/DEFER/FAIL
059ec3d9
PH		 1510*/
1511
17c76198
PP		 1512static int
1513tls_init(
1514 const host_item *host,
1515 const uschar *certificate,
1516 const uschar *privatekey,
1517 const uschar *sni,
1518 const uschar *cas,
1519 const uschar *crl,
1520 const uschar *require_ciphers,
cf0c6164 1521 exim_gnutls_state_st **caller_state,
74f1a423 1522 tls_support * tlsp,
cf0c6164 1523 uschar ** errstr)
059ec3d9 1524{
00c0dd4e 1525exim_gnutls_state_st * state;
17c76198
PP		 1526int rc;
1527size_t sz;
00c0dd4e
JH		 1528const char * errpos;
1529const uschar * p;
17c76198
PP		 1530
1531if (!exim_gnutls_base_init_done)
059ec3d9 1532 {
17c76198
PP		 1533 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1534
9f707b89 1535#if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
a5f239e4
PP		 1536 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1537 which loads modules from a config file, which sounds good and may be wanted
1538 by some sysadmin, but also means in common configurations that GNOME keyring
1539 environment variables are used and so breaks for users calling mailq.
1540 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1541 if (!gnutls_allow_auto_pkcs11)
452a164f
JH		 1542 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
1543 return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
a5f239e4
PP		 1544#endif
1545
4d2a62a3 1546#ifndef GNUTLS_AUTO_GLOBAL_INIT
452a164f
JH		 1547 if ((rc = gnutls_global_init()))
1548 return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
4d2a62a3 1549#endif
17c76198
PP		 1550
1551#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1552 DEBUG(D_tls)
059ec3d9 1553 {
17c76198 1554 gnutls_global_set_log_function(exim_gnutls_logger_cb);
aded2255 1555 /* arbitrarily chosen level; bump up to 9 for more */
17c76198 1556 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1557 }
17c76198
PP		 1558#endif
1559
4fb7df6d
JH		 1560#ifndef DISABLE_OCSP
1561 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1562 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1563#endif
9196d5bf 1564
17c76198 1565 exim_gnutls_base_init_done = TRUE;
059ec3d9 1566 }
059ec3d9 1567
17c76198
PP		 1568if (host)
1569 {
74f1a423
JH		 1570 /* For client-side sessions we allocate a context. This lets us run
1571 several in parallel. */
1572 int old_pool = store_pool;
1573 store_pool = POOL_PERM;
f3ebb786 1574 state = store_get(sizeof(exim_gnutls_state_st), FALSE);
74f1a423
JH		 1575 store_pool = old_pool;
1576
17c76198 1577 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1578 state->tlsp = tlsp;
17c76198
PP		 1579 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1580 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1581 }
1582else
1583 {
1584 state = &state_server;
1585 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1586 state->tlsp = tlsp;
17c76198
PP		 1587 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1588 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1589 }
452a164f
JH		 1590if (rc)
1591 return tls_error_gnu(US"gnutls_init", rc, host, errstr);
059ec3d9 1592
17c76198 1593state->host = host;
059ec3d9 1594
17c76198
PP		 1595state->tls_certificate = certificate;
1596state->tls_privatekey = privatekey;
5779e6aa 1597state->tls_require_ciphers = require_ciphers;
17c76198
PP		 1598state->tls_sni = sni;
1599state->tls_verify_certificates = cas;
1600state->tls_crl = crl;
059ec3d9 1601
17c76198
PP		 1602/* This handles the variables that might get re-expanded after TLS SNI;
1603that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1604
17c76198
PP		 1605DEBUG(D_tls)
1606 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1607if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1608
1365611d
PP		 1609/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1610requires a new structure afterwards. */
83da1223 1611
cf0c6164 1612if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1613
17c76198
PP		 1614/* set SNI in client, only */
1615if (host)
1616 {
cf0c6164 1617 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1618 return DEFER;
0df4ab80 1619 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP		 1620 {
1621 DEBUG(D_tls)
0df4ab80
JH		 1622 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1623 sz = Ustrlen(state->tlsp->sni);
452a164f
JH		 1624 if ((rc = gnutls_server_name_set(state->session,
1625 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
1626 return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
17c76198
PP		 1627 }
1628 }
1629else if (state->tls_sni)
1630 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
ba86e143 1631 "have an SNI set for a server [%s]\n", state->tls_sni);
83da1223 1632
17c76198 1633/* This is the priority string support,
42bfef1e 1634http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP		 1635and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1636This was backwards incompatible, but means Exim no longer needs to track
1637all algorithms and provide string forms for them. */
83da1223 1638
fc243e94 1639p = NULL;
17c76198 1640if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1641 {
cf0c6164 1642 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP		 1643 return DEFER;
1644 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1645 {
17c76198 1646 p = state->exp_tls_require_ciphers;
fc243e94 1647 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
83da1223
PH		 1648 }
1649 }
fc243e94 1650if (!p)
17c76198 1651 {
fc243e94 1652 p = exim_default_gnutls_priority;
83e2f8a2 1653 DEBUG(D_tls)
fc243e94 1654 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
17c76198 1655 }
83da1223 1656
452a164f
JH		 1657if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
1658 return tls_error_gnu(string_sprintf(
1659 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1660 p, errpos - CS p, errpos),
1661 rc, host, errstr);
17c76198 1662
452a164f
JH		 1663if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
1664 return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
17c76198 1665
b10c87b3
JH		 1666/* This also sets the server ticket expiration time to the same, and
1667the STEK rotation time to 3x. */
1668
17c76198
PP		 1669gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1670
1671/* Reduce security in favour of increased compatibility, if the admin
1672decides to make that trade-off. */
1673if (gnutls_compat_mode)
83da1223 1674 {
17c76198
PP		 1675#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1676 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1677 gnutls_session_enable_compatibility_mode(state->session);
1678#else
1679 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1680#endif
83da1223
PH		 1681 }
1682
17c76198 1683*caller_state = state;
17c76198 1684return OK;
83da1223
PH		 1685}
1686
1687
1688
059ec3d9 1689/*************************************************
17c76198 1690* Extract peer information *
059ec3d9
PH		 1691*************************************************/
1692
f1be21cf
JH		 1693static const uschar *
1694cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
1695 gnutls_mac_algorithm_t mac)
1696{
1697uschar cs_id[2];
1698gnutls_kx_algorithm_t kx_i;
1699gnutls_cipher_algorithm_t cipher_i;
1700gnutls_mac_algorithm_t mac_i;
1701
1702for (size_t i = 0;
1703 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
1704 i++)
1705 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
1706 return cipher_stdname(cs_id[0], cs_id[1]);
1707return NULL;
1708}
1709
1710
1711
17c76198 1712/* Called from both server and client code.
4fe99a6c
PP		 1713Only this is allowed to set state->peerdn and state->have_set_peerdn
1714and we use that to detect double-calls.
059ec3d9 1715
75fe387d
PP		 1716NOTE: the state blocks last while the TLS connection is up, which is fine
1717for logging in the server side, but for the client side, we log after teardown
1718in src/deliver.c. While the session is up, we can twist about states and
1719repoint tls_* globals, but those variables used for logging or other variable
1720expansion that happens _after_ delivery need to have a longer life-time.
1721
1722So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1723doing this more than once per generation of a state context. We set them in
1724the state context, and repoint tls_* to them. After the state goes away, the
1725tls_* copies of the pointers remain valid and client delivery logging is happy.
1726
1727tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1728don't apply.
1729
059ec3d9 1730Arguments:
17c76198 1731 state exim_gnutls_state_st *
cf0c6164 1732 errstr pointer to error string
059ec3d9 1733
17c76198 1734Returns: OK/DEFER/FAIL
059ec3d9
PH		 1735*/
1736
17c76198 1737static int
b10c87b3 1738peer_status(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1739{
b10c87b3
JH		 1740gnutls_session_t session = state->session;
1741const gnutls_datum_t * cert_list;
75fe387d 1742int old_pool, rc;
17c76198 1743unsigned int cert_list_size = 0;
4fe99a6c
PP		 1744gnutls_protocol_t protocol;
1745gnutls_cipher_algorithm_t cipher;
1746gnutls_kx_algorithm_t kx;
1747gnutls_mac_algorithm_t mac;
17c76198
PP		 1748gnutls_certificate_type_t ct;
1749gnutls_x509_crt_t crt;
b10c87b3 1750uschar * dn_buf;
17c76198 1751size_t sz;
059ec3d9 1752
4fe99a6c 1753if (state->have_set_peerdn)
17c76198 1754 return OK;
4fe99a6c 1755state->have_set_peerdn = TRUE;
059ec3d9 1756
4fe99a6c 1757state->peerdn = NULL;
059ec3d9 1758
4fe99a6c 1759/* tls_cipher */
b10c87b3
JH		 1760cipher = gnutls_cipher_get(session);
1761protocol = gnutls_protocol_get_version(session);
1762mac = gnutls_mac_get(session);
b9c6f63c
JH		 1763kx =
1764#ifdef GNUTLS_TLS1_3
1765 protocol >= GNUTLS_TLS1_3 ? 0 :
1766#endif
b10c87b3 1767 gnutls_kx_get(session);
4fe99a6c 1768
75fe387d 1769old_pool = store_pool;
f1be21cf 1770 {
b10c87b3 1771 tls_support * tlsp = state->tlsp;
f1be21cf 1772 store_pool = POOL_PERM;
d9acfc1c
JH		 1773
1774#ifdef SUPPORT_GNUTLS_SESS_DESC
1775 {
1776 gstring * g = NULL;
b10c87b3 1777 uschar * s = US gnutls_session_get_desc(session), c;
d9acfc1c
JH		 1778
1779 /* Nikos M suggests we use this by preference. It returns like:
1780 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
1781
1782 For partial back-compat, put a colon after the TLS version, replace the
1783 )-( grouping with __, replace in-group - with _ and append the :keysize. */
1784
1785 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
1786
1787 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
da40b1ec
JH		 1788
1789 tlsp->ver = string_copyn(g->s, g->ptr);
1790 for (uschar * p = US tlsp->ver; *p; p++)
1791 if (*p == '-') { *p = '\0'; break; } /* TLS1.0-PKIX -> TLS1.0 */
1792
d9acfc1c
JH		 1793 g = string_catn(g, US":", 1);
1794 if (*s) s++; /* now on _ between groups */
1795 while ((c = *s))
1796 {
da40b1ec
JH		 1797 for (*++s && ++s; (c = *s) && c != ')'; s++)
1798 g = string_catn(g, c == '-' ? US"_" : s, 1);
d9acfc1c
JH		 1799 /* now on ) closing group */
1800 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
1801 /* now on _ between groups */
1802 }
1803 g = string_catn(g, US":", 1);
1804 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
1805 state->ciphersuite = string_from_gstring(g);
1806 }
1807#else
f1be21cf
JH		 1808 state->ciphersuite = string_sprintf("%s:%s:%d",
1809 gnutls_protocol_get_name(protocol),
1810 gnutls_cipher_suite_get_name(kx, cipher, mac),
1811 (int) gnutls_cipher_get_key_size(cipher) * 8);
1812
1813 /* I don't see a way that spaces could occur, in the current GnuTLS
1814 code base, but it was a concern in the old code and perhaps older GnuTLS
1815 releases did return "TLS 1.0"; play it safe, just in case. */
1816
1817 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
da40b1ec
JH		 1818 tlsp->ver = string_copyn(state->ciphersuite,
1819 Ustrchr(state->ciphersuite, ':') - state->ciphersuite);
d9acfc1c
JH		 1820#endif
1821
1822/* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
1823
b10c87b3
JH		 1824 tlsp->cipher = state->ciphersuite;
1825 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
f1be21cf 1826
b10c87b3 1827 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
f1be21cf 1828 }
75fe387d 1829store_pool = old_pool;
4fe99a6c
PP		 1830
1831/* tls_peerdn */
b10c87b3 1832cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
83da1223 1833
f1be21cf 1834if (!cert_list || cert_list_size == 0)
17c76198 1835 {
17c76198
PP		 1836 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1837 cert_list, cert_list_size);
e51c7be2 1838 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1839 return tls_error(US"certificate verification failed",
48224640 1840 US"no certificate received from peer", state->host, errstr);
17c76198
PP		 1841 return OK;
1842 }
059ec3d9 1843
b10c87b3 1844if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
059ec3d9 1845 {
95f52235 1846 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
17c76198
PP		 1847 DEBUG(D_tls)
1848 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1849 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1850 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1851 ctn, state->host, errstr);
17c76198 1852 return OK;
83da1223 1853 }
059ec3d9 1854
e51c7be2
JH		 1855#define exim_gnutls_peer_err(Label) \
1856 do { \
1857 if (rc != GNUTLS_E_SUCCESS) \
1858 { \
1859 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1860 (Label), gnutls_strerror(rc)); \
1861 if (state->verify_requirement >= VERIFY_REQUIRED) \
452a164f 1862 return tls_error_gnu((Label), rc, state->host, errstr); \
e51c7be2
JH		 1863 return OK; \
1864 } \
1865 } while (0)
17c76198 1866
9d1c15ef
JH		 1867rc = import_cert(&cert_list[0], &crt);
1868exim_gnutls_peer_err(US"cert 0");
1869
1870state->tlsp->peercert = state->peercert = crt;
17c76198 1871
17c76198
PP		 1872sz = 0;
1873rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1874if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1875 {
17c76198
PP		 1876 exim_gnutls_peer_err(US"getting size for cert DN failed");
1877 return FAIL; /* should not happen */
059ec3d9 1878 }
f3ebb786 1879dn_buf = store_get_perm(sz, TRUE); /* tainted */
17c76198
PP		 1880rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1881exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1882
17c76198
PP		 1883state->peerdn = dn_buf;
1884
1885return OK;
1886#undef exim_gnutls_peer_err
1887}
059ec3d9 1888
059ec3d9 1889
059ec3d9 1890
059ec3d9 1891
17c76198
PP		 1892/*************************************************
1893* Verify peer certificate *
1894*************************************************/
059ec3d9 1895
17c76198
PP		 1896/* Called from both server and client code.
1897*Should* be using a callback registered with
1898gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1899the peer information, but that's too new for some OSes.
059ec3d9 1900
17c76198 1901Arguments:
899b8bbc
JH		 1902 state exim_gnutls_state_st *
1903 errstr where to put an error message
059ec3d9 1904
17c76198
PP		 1905Returns:
1906 FALSE if the session should be rejected
1907 TRUE if the cert is okay or we just don't care
1908*/
059ec3d9 1909
17c76198 1910static BOOL
28646fa9 1911verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
17c76198
PP		 1912{
1913int rc;
899b8bbc
JH		 1914uint verify;
1915
8008accd 1916DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
cf0c6164 1917*errstr = NULL;
b10c87b3 1918rc = peer_status(state, errstr);
17c76198 1919
b10c87b3
JH		 1920if (state->verify_requirement == VERIFY_NONE)
1921 return TRUE;
1922
1923if (rc != OK || !state->peerdn)
e6060e2c 1924 {
17c76198 1925 verify = GNUTLS_CERT_INVALID;
cf0c6164 1926 *errstr = US"certificate not supplied";
17c76198
PP		 1927 }
1928else
899b8bbc
JH		 1929
1930 {
1931#ifdef SUPPORT_DANE
1932 if (state->verify_requirement == VERIFY_DANE && state->host)
1933 {
1934 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1935 including talking to a DNS resolver. But we want to do that bit ourselves
1936 as the testsuite intercepts and fakes its own DNS environment. */
1937
1938 dane_state_t s;
1939 dane_query_t r;
899b8bbc 1940 uint lsize;
94c13285
JH		 1941 const gnutls_datum_t * certlist =
1942 gnutls_certificate_get_peers(state->session, &lsize);
1943 int usage = tls_out.tlsa_usage;
1944
1945# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1946 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1947 dane-verification separately so that we know which selector verified;
570cb1bd 1948 then we know whether to do name-verification (needed for TA but not EE). */
94c13285
JH		 1949
1950 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
bd5b3f3c 1951 { /* a mixed-usage bundle */
94c13285
JH		 1952 int i, j, nrec;
1953 const char ** dd;
1954 int * ddl;
1955
3d2e82c5 1956 for (nrec = 0; state->dane_data_len[nrec]; ) nrec++;
94c13285
JH		 1957 nrec++;
1958
f3ebb786
JH		 1959 dd = store_get(nrec * sizeof(uschar *), FALSE);
1960 ddl = store_get(nrec * sizeof(int), FALSE);
94c13285
JH		 1961 nrec--;
1962
1963 if ((rc = dane_state_init(&s, 0)))
1964 goto tlsa_prob;
1965
1966 for (usage = DANESSL_USAGE_DANE_EE;
1967 usage >= DANESSL_USAGE_DANE_TA; usage--)
1968 { /* take records with this usage */
1969 for (j = i = 0; i < nrec; i++)
1970 if (state->dane_data[i][0] == usage)
1971 {
1972 dd[j] = state->dane_data[i];
1973 ddl[j++] = state->dane_data_len[i];
1974 }
1975 if (j)
1976 {
1977 dd[j] = NULL;
1978 ddl[j] = 0;
1979
1980 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1981 goto tlsa_prob;
1982
1983 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1984 gnutls_certificate_type_get(state->session),
1985 r, 0,
1986 usage == DANESSL_USAGE_DANE_EE
1987 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1988 &verify)))
1989 {
1990 DEBUG(D_tls)
1991 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1992 }
1993 else if (verify == 0) /* verification passed */
1994 {
1995 usage = 1 << usage;
1996 break;
1997 }
1998 }
1999 }
899b8bbc 2000
94c13285
JH		 2001 if (rc) goto tlsa_prob;
2002 }
2003 else
2004# endif
899b8bbc 2005 {
94c13285
JH		 2006 if ( (rc = dane_state_init(&s, 0))
2007 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
2008 1, 0))
2009 || (rc = dane_verify_crt_raw(s, certlist, lsize,
2010 gnutls_certificate_type_get(state->session),
5ec37a55 2011 r, 0,
94c13285
JH		 2012# ifdef GNUTLS_BROKEN_DANE_VALIDATION
2013 usage == (1 << DANESSL_USAGE_DANE_EE)
2014 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
2015# else
2016 0,
2017# endif
2018 &verify))
2019 )
2020 goto tlsa_prob;
899b8bbc 2021 }
94c13285
JH		 2022
2023 if (verify != 0) /* verification failed */
899b8bbc
JH		 2024 {
2025 gnutls_datum_t str;
2026 (void) dane_verification_status_print(verify, &str, 0);
2027 *errstr = US str.data; /* don't bother to free */
2028 goto badcert;
2029 }
28646fa9 2030
94c13285
JH		 2031# ifdef GNUTLS_BROKEN_DANE_VALIDATION
2032 /* If a TA-mode TLSA record was used for verification we must additionally
570cb1bd 2033 verify the cert name (but not the CA chain). For EE-mode, skip it. */
28646fa9 2034
94c13285
JH		 2035 if (usage & (1 << DANESSL_USAGE_DANE_EE))
2036# endif
28646fa9 2037 {
570cb1bd 2038 state->peer_dane_verified = state->peer_cert_verified = TRUE;
28646fa9
JH		 2039 goto goodcert;
2040 }
570cb1bd
JH		 2041# ifdef GNUTLS_BROKEN_DANE_VALIDATION
2042 /* Assume that the name on the A-record is the one that should be matching
2043 the cert. An alternate view is that the domain part of the email address
2044 is also permissible. */
2045
2046 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2047 CS state->host->name))
2048 {
2049 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2050 goto goodcert;
2051 }
2052# endif
899b8bbc 2053 }
570cb1bd 2054#endif /*SUPPORT_DANE*/
899b8bbc 2055
17c76198 2056 rc = gnutls_certificate_verify_peers2(state->session, &verify);
899b8bbc 2057 }
e6060e2c 2058
899b8bbc 2059/* Handle the result of verification. INVALID is set if any others are. */
059ec3d9 2060
28646fa9 2061if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
17c76198
PP		 2062 {
2063 state->peer_cert_verified = FALSE;
cf0c6164 2064 if (!*errstr)
184384c3
JH		 2065 {
2066#ifdef GNUTLS_CERT_VFY_STATUS_PRINT
2067 DEBUG(D_tls)
2068 {
2069 gnutls_datum_t txt;
2070
2071 if (gnutls_certificate_verification_status_print(verify,
2072 gnutls_certificate_type_get(state->session), &txt, 0)
2073 == GNUTLS_E_SUCCESS)
2074 {
2075 debug_printf("%s\n", txt.data);
2076 gnutls_free(txt.data);
2077 }
2078 }
2079#endif
cf0c6164
JH		 2080 *errstr = verify & GNUTLS_CERT_REVOKED
2081 ? US"certificate revoked" : US"certificate invalid";
184384c3 2082 }
059ec3d9 2083
17c76198 2084 DEBUG(D_tls)
e51c7be2 2085 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 2086 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 2087
e51c7be2 2088 if (state->verify_requirement >= VERIFY_REQUIRED)
899b8bbc 2089 goto badcert;
17c76198 2090 DEBUG(D_tls)
4789da3a 2091 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 2092 }
e51c7be2 2093
17c76198
PP		 2094else
2095 {
5fd28bb8
JH		 2096 /* Client side, check the server's certificate name versus the name on the
2097 A-record for the connection we made. What to do for server side - what name
2098 to use for client? We document that there is no such checking for server
2099 side. */
2100
2101 if ( state->exp_tls_verify_cert_hostnames
2102 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2103 CS state->exp_tls_verify_cert_hostnames)
2104 )
e51c7be2 2105 {
5fd28bb8
JH		 2106 DEBUG(D_tls)
2107 debug_printf("TLS certificate verification failed: cert name mismatch\n");
2108 if (state->verify_requirement >= VERIFY_REQUIRED)
2109 goto badcert;
2110 return TRUE;
e51c7be2 2111 }
5fd28bb8 2112
17c76198 2113 state->peer_cert_verified = TRUE;
e51c7be2 2114 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 2115 state->peerdn ? state->peerdn : US"<unset>");
17c76198 2116 }
059ec3d9 2117
28646fa9
JH		 2118goodcert:
2119 state->tlsp->peerdn = state->peerdn;
2120 return TRUE;
899b8bbc 2121
b83314e3 2122#ifdef SUPPORT_DANE
94c13285 2123tlsa_prob:
624f33df
JH		 2124 *errstr = string_sprintf("TLSA record problem: %s",
2125 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
b83314e3
JH		 2126#endif
2127
899b8bbc
JH		 2128badcert:
2129 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
2130 return FALSE;
17c76198 2131}
059ec3d9 2132
17c76198
PP		 2133
2134
2135
2136/* ------------------------------------------------------------------------ */
2137/* Callbacks */
2138
2139/* Logging function which can be registered with
2140 * gnutls_global_set_log_function()
2141 * gnutls_global_set_log_level() 0..9
2142 */
af3498d6 2143#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 2144static void
17c76198 2145exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 2146{
8c79eebf
PP		 2147 size_t len = strlen(message);
2148 if (len < 1)
2149 {
2150 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
2151 return;
2152 }
2153 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
2154 message[len-1] == '\n' ? "" : "\n");
17c76198 2155}
af3498d6 2156#endif
059ec3d9 2157
059ec3d9 2158
17c76198
PP		 2159/* Called after client hello, should handle SNI work.
2160This will always set tls_sni (state->received_sni) if available,
2161and may trigger presenting different certificates,
2162if state->trigger_sni_changes is TRUE.
059ec3d9 2163
17c76198
PP		 2164Should be registered with
2165 gnutls_handshake_set_post_client_hello_function()
059ec3d9 2166
17c76198
PP		 2167"This callback must return 0 on success or a gnutls error code to terminate the
2168handshake.".
059ec3d9 2169
17c76198
PP		 2170For inability to get SNI information, we return 0.
2171We only return non-zero if re-setup failed.
817d9f57 2172Only used for server-side TLS.
17c76198 2173*/
44bbabb5 2174
17c76198
PP		 2175static int
2176exim_sni_handling_cb(gnutls_session_t session)
2177{
2178char sni_name[MAX_HOST_LEN];
2179size_t data_len = MAX_HOST_LEN;
817d9f57 2180exim_gnutls_state_st *state = &state_server;
17c76198
PP		 2181unsigned int sni_type;
2182int rc, old_pool;
cf0c6164 2183uschar * dummy_errstr;
17c76198
PP		 2184
2185rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP		 2186if (rc != GNUTLS_E_SUCCESS)
2187 {
8775d84f 2188 DEBUG(D_tls)
b34fc30c
PP		 2189 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
2190 debug_printf("TLS: no SNI presented in handshake.\n");
2191 else
2192 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
2193 gnutls_strerror(rc), rc);
b34fc30c
PP		 2194 return 0;
2195 }
2196
17c76198
PP		 2197if (sni_type != GNUTLS_NAME_DNS)
2198 {
2199 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
2200 return 0;
2201 }
44bbabb5 2202
17c76198
PP		 2203/* We now have a UTF-8 string in sni_name */
2204old_pool = store_pool;
2205store_pool = POOL_PERM;
89a80675 2206state->received_sni = string_copy_taint(US sni_name, TRUE);
17c76198
PP		 2207store_pool = old_pool;
2208
2209/* We set this one now so that variable expansions below will work */
817d9f57 2210state->tlsp->sni = state->received_sni;
17c76198
PP		 2211
2212DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
2213 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
2214
2215if (!state->trigger_sni_changes)
2216 return 0;
2217
cf0c6164 2218if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP		 2219 {
2220 /* If the setup of certs/etc failed before handshake, TLS would not have
2221 been offered. The best we can do now is abort. */
2222 return GNUTLS_E_APPLICATION_ERROR_MIN;
2223 }
2224
cf0c6164 2225rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP		 2226if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
2227
2228return 0;
059ec3d9
PH		 2229}
2230
2231
2232
0cbf2b82 2233#ifndef DISABLE_EVENT
a7538db1
JH		 2234/*
2235We use this callback to get observability and detail-level control
723fe533
JH		 2236for an exim TLS connection (either direction), raising a tls:cert event
2237for each cert in the chain presented by the peer. Any event
a7538db1
JH		 2238can deny verification.
2239
2240Return 0 for the handshake to continue or non-zero to terminate.
2241*/
2242
2243static int
723fe533 2244verify_cb(gnutls_session_t session)
a7538db1 2245{
27f19eb4 2246const gnutls_datum_t * cert_list;
a7538db1
JH		 2247unsigned int cert_list_size = 0;
2248gnutls_x509_crt_t crt;
2249int rc;
b30275b8 2250uschar * yield;
a7538db1
JH		 2251exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2252
bd5b3f3c 2253if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
a7538db1
JH		 2254 while (cert_list_size--)
2255 {
bd5b3f3c 2256 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
a7538db1
JH		 2257 {
2258 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2259 cert_list_size, gnutls_strerror(rc));
2260 break;
2261 }
2262
2263 state->tlsp->peercert = crt;
b30275b8
JH		 2264 if ((yield = event_raise(state->event_action,
2265 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH		 2266 {
2267 log_write(0, LOG_MAIN,
b30275b8
JH		 2268 "SSL verify denied by event-action: depth=%d: %s",
2269 cert_list_size, yield);
a7538db1
JH		 2270 return 1; /* reject */
2271 }
2272 state->tlsp->peercert = NULL;
2273 }
2274
2275return 0;
2276}
2277
2278#endif
44662487
JH		 2279
2280
f20cfa4a
JH		 2281static gstring *
2282ddump(gnutls_datum_t * d)
2283{
2284gstring * g = string_get((d->size+1) * 2);
2285uschar * s = d->data;
2286for (unsigned i = d->size; i > 0; i--, s++)
2287 {
2288 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2289 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2290 }
2291return g;
2292}
17c76198 2293
dc6d1769
JH		 2294static void
2295post_handshake_debug(exim_gnutls_state_st * state)
2296{
dc6d1769
JH		 2297#ifdef SUPPORT_GNUTLS_SESS_DESC
2298debug_printf("%s\n", gnutls_session_get_desc(state->session));
2299#endif
e326959e 2300
86ede124 2301#ifdef SUPPORT_GNUTLS_KEYLOG
e326959e 2302# ifdef EXIM_HAVE_TLS1_3
dc6d1769 2303if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
86ede124 2304# else
a8af957d 2305if (TRUE)
86ede124 2306# endif
dc6d1769
JH		 2307 {
2308 gnutls_datum_t c, s;
2309 gstring * gc, * gs;
86ede124 2310 /* For TLS1.2 we only want the client random and the master secret */
dc6d1769
JH		 2311 gnutls_session_get_random(state->session, &c, &s);
2312 gnutls_session_get_master_secret(state->session, &s);
2313 gc = ddump(&c);
2314 gs = ddump(&s);
2315 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2316 }
2317else
2318 debug_printf("To get keying info for TLS1.3 is hard:\n"
7832b9aa
HSHR		 2319 " Set environment variable SSLKEYLOGFILE to a filename relative to the spool directory,\n"
2320 " and make sure it is writable by the Exim runtime user.\n"
2321 " Add SSLKEYLOGFILE to keep_environment in the exim config.\n"
2322 " Start Exim as root.\n"
2323 " If using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
2324 " (works for TLS1.2 also, and saves cut-paste into file).\n"
86ede124 2325 " Trying to use add_environment for this will not work\n");
dc6d1769
JH		 2326#endif
2327}
2328
b10c87b3
JH		 2329
2330#ifdef EXPERIMENTAL_TLS_RESUME
2331static int
2332tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2333 unsigned incoming, const gnutls_datum_t * msg)
2334{
2335DEBUG(D_tls) debug_printf("newticket cb\n");
2336tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2337return 0;
2338}
2339
2340static void
2341tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2342{
2343/* Should the server offer session resumption? */
2344tls_in.resumption = RESUME_SUPPORTED;
2345if (verify_check_host(&tls_resumption_hosts) == OK)
2346 {
2347 int rc;
2348 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2349 an offered resumption is unacceptable. We lose one resumption per ticket
2350 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2351 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2352 least they go out in a single packet. */
2353
2354 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2355 &server_sessticket_key)))
2356 tls_in.resumption |= RESUME_SERVER_TICKET;
2357 else
2358 DEBUG(D_tls)
2359 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2360
2361 /* Try to tell if we see a ticket request */
2362 gnutls_handshake_set_hook_function(state->session,
e5489333 2363 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
b10c87b3
JH		 2364 }
2365}
2366
2367static void
2368tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2369{
2370if (gnutls_session_resumption_requested(state->session))
2371 {
2372 /* This tells us the client sent a full ticket. We use a
2373 callback on session-ticket request, elsewhere, to tell
2374 if a client asked for a ticket. */
2375
2376 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2377 DEBUG(D_tls) debug_printf("client requested resumption\n");
2378 }
2379if (gnutls_session_is_resumed(state->session))
2380 {
2381 tls_in.resumption |= RESUME_USED;
2382 DEBUG(D_tls) debug_printf("Session resumed\n");
2383 }
2384}
2385#endif
17c76198
PP		 2386/* ------------------------------------------------------------------------ */
2387/* Exported functions */
2388
2389
2390
2391
059ec3d9
PH		 2392/*************************************************
2393* Start a TLS session in a server *
2394*************************************************/
2395
2396/* This is called when Exim is running as a server, after having received
2397the STARTTLS command. It must respond to that command, and then negotiate
2398a TLS session.
2399
2400Arguments:
83da1223 2401 require_ciphers list of allowed ciphers or NULL
cf0c6164 2402 errstr pointer to error string
059ec3d9
PH		 2403
2404Returns: OK on success
2405 DEFER for errors before the start of the negotiation
4c04137d 2406 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 2407 continue running.
2408*/
2409
2410int
cf0c6164 2411tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 2412{
2413int rc;
cf0c6164 2414exim_gnutls_state_st * state = NULL;
059ec3d9
PH		 2415
2416/* Check for previous activation */
74f1a423 2417if (tls_in.active.sock >= 0)
059ec3d9 2418 {
48224640 2419 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
925ac8e4 2420 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 2421 return FAIL;
2422 }
2423
2424/* Initialize the library. If it fails, it will already have logged the error
2425and sent an SMTP response. */
2426
17c76198 2427DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 2428
d85cdeb5
JH		 2429 {
2430#ifdef MEASURE_TIMING
2431 struct timeval t0;
2432 gettimeofday(&t0, NULL);
2433#endif
2434
2435 if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
2436 NULL, tls_verify_certificates, tls_crl,
2437 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
2438
2439#ifdef MEASURE_TIMING
2440 report_time_since(&t0, US"server tls_init (delta)");
2441#endif
2442 }
059ec3d9 2443
b10c87b3
JH		 2444#ifdef EXPERIMENTAL_TLS_RESUME
2445tls_server_resume_prehandshake(state);
2446#endif
2447
059ec3d9
PH		 2448/* If this is a host for which certificate verification is mandatory or
2449optional, set up appropriately. */
2450
059ec3d9 2451if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 2452 {
e51c7be2
JH		 2453 DEBUG(D_tls)
2454 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP		 2455 state->verify_requirement = VERIFY_REQUIRED;
2456 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2457 }
059ec3d9 2458else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 2459 {
e51c7be2
JH		 2460 DEBUG(D_tls)
2461 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP		 2462 state->verify_requirement = VERIFY_OPTIONAL;
2463 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2464 }
2465else
2466 {
e51c7be2
JH		 2467 DEBUG(D_tls)
2468 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP		 2469 state->verify_requirement = VERIFY_NONE;
2470 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2471 }
059ec3d9 2472
0cbf2b82 2473#ifndef DISABLE_EVENT
723fe533
JH		 2474if (event_action)
2475 {
2476 state->event_action = event_action;
2477 gnutls_session_set_ptr(state->session, state);
2478 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2479 }
2480#endif
2481
17c76198
PP		 2482/* Register SNI handling; always, even if not in tls_certificate, so that the
2483expansion variable $tls_sni is always available. */
059ec3d9 2484
17c76198
PP		 2485gnutls_handshake_set_post_client_hello_function(state->session,
2486 exim_sni_handling_cb);
059ec3d9
PH		 2487
2488/* Set context and tell client to go ahead, except in the case of TLS startup
2489on connection, where outputting anything now upsets the clients and tends to
2490make them disconnect. We need to have an explicit fflush() here, to force out
2491the response. Other smtp_printf() calls do not need it, because in non-TLS
2492mode, the fflush() happens when smtp_getc() is called. */
2493
817d9f57 2494if (!state->tlsp->on_connect)
059ec3d9 2495 {
925ac8e4 2496 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 2497 fflush(smtp_out);
059ec3d9
PH		 2498 }
2499
2500/* Now negotiate the TLS session. We put our own timer on it, since it seems
8008accd
JH		 2501that the GnuTLS library doesn't.
2502From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2503to set (and clear down afterwards) up a pull-timeout callback function that does
2504a select, so we're no better off unless avoiding signals becomes an issue. */
059ec3d9 2505
17c76198 2506gnutls_transport_set_ptr2(state->session,
27f19eb4
JH		 2507 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2508 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP		 2509state->fd_in = fileno(smtp_in);
2510state->fd_out = fileno(smtp_out);
059ec3d9
PH		 2511
2512sigalrm_seen = FALSE;
c2a1bba0 2513if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
17c76198 2514do
17c76198 2515 rc = gnutls_handshake(state->session);
05c3a5a2 2516while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2517ALARM_CLR(0);
059ec3d9 2518
17c76198 2519if (rc != GNUTLS_E_SUCCESS)
059ec3d9 2520 {
059ec3d9
PH		 2521 /* It seems that, except in the case of a timeout, we have to close the
2522 connection right here; otherwise if the other end is running OpenSSL it hangs
2523 until the server times out. */
2524
60d10ce7 2525 if (sigalrm_seen)
ad7fc6eb 2526 {
48224640 2527 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
ad7fc6eb
JH		 2528 gnutls_db_remove_session(state->session);
2529 }
60d10ce7 2530 else
059ec3d9 2531 {
452a164f 2532 tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
f5d25c2b 2533 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 2534 gnutls_deinit(state->session);
ed62aae3 2535 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 2536 millisleep(500);
ad7fc6eb 2537 shutdown(state->fd_out, SHUT_WR);
d7978c0f 2538 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
f1e894f3
PH		 2539 (void)fclose(smtp_out);
2540 (void)fclose(smtp_in);
60d10ce7 2541 smtp_out = smtp_in = NULL;
059ec3d9
PH		 2542 }
2543
2544 return FAIL;
2545 }
2546
17ba0f52 2547#ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
1c519e07
JH		 2548if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
2549 tls_in.ext_master_secret = TRUE;
17ba0f52 2550#endif
1c519e07 2551
b10c87b3
JH		 2552#ifdef EXPERIMENTAL_TLS_RESUME
2553tls_server_resume_posthandshake(state);
2554#endif
2555
dc6d1769 2556DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2557
17c76198
PP		 2558/* Verify after the fact */
2559
899b8bbc 2560if (!verify_certificate(state, errstr))
059ec3d9 2561 {
9d1c15ef 2562 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 2563 {
cf0c6164 2564 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 2565 return FAIL;
17c76198 2566 }
9d1c15ef
JH		 2567 DEBUG(D_tls)
2568 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 2569 *errstr);
059ec3d9
PH		 2570 }
2571
17c76198
PP		 2572/* Sets various Exim expansion variables; always safe within server */
2573
9d1c15ef 2574extract_exim_vars_from_tls_state(state);
059ec3d9
PH		 2575
2576/* TLS has been set up. Adjust the input functions to read via TLS,
2577and initialize appropriately. */
2578
17c76198 2579state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH		 2580
2581receive_getc = tls_getc;
0d81dabc 2582receive_getbuf = tls_getbuf;
584e96c6 2583receive_get_cache = tls_get_cache;
059ec3d9
PH		 2584receive_ungetc = tls_ungetc;
2585receive_feof = tls_feof;
2586receive_ferror = tls_ferror;
58eb016e 2587receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2588
059ec3d9
PH		 2589return OK;
2590}
2591
2592
2593
2594
aa2a70ba
JH		 2595static void
2596tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2597 smtp_transport_options_block * ob)
2598{
3fb3231c 2599if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 2600 {
4af0d74a 2601 state->exp_tls_verify_cert_hostnames =
8c5d388a 2602#ifdef SUPPORT_I18N
4af0d74a
JH		 2603 string_domain_utf8_to_alabel(host->name, NULL);
2604#else
2605 host->name;
2606#endif
aa2a70ba
JH		 2607 DEBUG(D_tls)
2608 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2609 state->exp_tls_verify_cert_hostnames);
2610 }
2611}
aa2a70ba
JH		 2612
2613
899b8bbc
JH		 2614
2615
2616#ifdef SUPPORT_DANE
2617/* Given our list of RRs from the TLSA lookup, build a lookup block in
2618GnuTLS-DANE's preferred format. Hang it on the state str for later
2619use in DANE verification.
2620
2621We point at the dnsa data not copy it, so it must remain valid until
2622after verification is done.*/
2623
3674140c 2624static BOOL
899b8bbc
JH		 2625dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2626{
899b8bbc
JH		 2627dns_scan dnss;
2628int i;
2629const char ** dane_data;
2630int * dane_data_len;
2631
d7978c0f
JH		 2632i = 1;
2633for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc
JH		 2634 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2635 ) if (rr->type == T_TLSA) i++;
2636
f3ebb786
JH		 2637dane_data = store_get(i * sizeof(uschar *), FALSE);
2638dane_data_len = store_get(i * sizeof(int), FALSE);
899b8bbc 2639
d7978c0f
JH		 2640i = 0;
2641for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc 2642 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2643 ) if (rr->type == T_TLSA && rr->size > 3)
899b8bbc
JH		 2644 {
2645 const uschar * p = rr->data;
f3ebb786 2646/*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
3674140c
JH		 2647 uint8_t usage = p[0], sel = p[1], type = p[2];
2648
2649 DEBUG(D_tls)
2650 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2651
94c13285
JH		 2652 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2653 || (sel != 0 && sel != 1)
2654 )
2655 continue;
3674140c
JH		 2656 switch(type)
2657 {
2658 case 0: /* Full: cannot check at present */
2659 break;
2660 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2661 break;
2662 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2663 break;
2664 default: continue;
2665 }
899b8bbc
JH		 2666
2667 tls_out.tlsa_usage |= 1<<usage;
48224640 2668 dane_data[i] = CS p;
899b8bbc
JH		 2669 dane_data_len[i++] = rr->size;
2670 }
3674140c
JH		 2671
2672if (!i) return FALSE;
2673
899b8bbc
JH		 2674dane_data[i] = NULL;
2675dane_data_len[i] = 0;
2676
2677state->dane_data = (char * const *)dane_data;
2678state->dane_data_len = dane_data_len;
3674140c 2679return TRUE;
899b8bbc
JH		 2680}
2681#endif
2682
2683
2684
b10c87b3
JH		 2685#ifdef EXPERIMENTAL_TLS_RESUME
2686/* On the client, get any stashed session for the given IP from hints db
2687and apply it to the ssl-connection for attempted resumption. Although
2688there is a gnutls_session_ticket_enable_client() interface it is
2689documented as unnecessary (as of 3.6.7) as "session tickets are emabled
2690by deafult". There seems to be no way to disable them, so even hosts not
2691enabled by the transport option will be sent a ticket request. We will
2692however avoid storing and retrieving session information. */
2693
2694static void
2695tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
2696 host_item * host, smtp_transport_options_block * ob)
2697{
2698tlsp->resumption = RESUME_SUPPORTED;
2699if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2700 {
2701 dbdata_tls_session * dt;
2702 int len, rc;
2703 open_db dbblock, * dbm_file;
2704
2705 DEBUG(D_tls)
2706 debug_printf("check for resumable session for %s\n", host->address);
2707 tlsp->host_resumable = TRUE;
2708 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2709 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2710 {
dea4b568
JH		 2711 /* Key for the db is the IP. We'd like to filter the retrieved session
2712 for ticket advisory expiry, but 3.6.1 seems to give no access to that */
2713
b10c87b3
JH		 2714 if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
2715 if (!(rc = gnutls_session_set_data(session,
2716 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
2717 {
2718 DEBUG(D_tls) debug_printf("good session\n");
2719 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2720 }
2721 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
2722 US gnutls_strerror(rc));
2723 dbfn_close(dbm_file);
2724 }
2725 }
2726}
2727
2728
2729static void
2730tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
2731{
2732/* TLS 1.2 - we get both the callback and the direct posthandshake call,
2733but this flag is not set until the second. TLS 1.3 it's the other way about.
2734Keep both calls as the session data cannot be extracted before handshake
2735completes. */
2736
2737if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
2738 {
2739 gnutls_datum_t tkt;
2740 int rc;
2741
2742 DEBUG(D_tls) debug_printf("server offered session ticket\n");
2743 tlsp->ticket_received = TRUE;
2744 tlsp->resumption |= RESUME_SERVER_TICKET;
2745
2746 if (tlsp->host_resumable)
2747 if (!(rc = gnutls_session_get_data2(session, &tkt)))
2748 {
2749 open_db dbblock, * dbm_file;
2750 int dlen = sizeof(dbdata_tls_session) + tkt.size;
f3ebb786 2751 dbdata_tls_session * dt = store_get(dlen, TRUE);
b10c87b3
JH		 2752
2753 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
2754 memcpy(dt->session, tkt.data, tkt.size);
2755 gnutls_free(tkt.data);
2756
2757 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2758 {
2759 /* key for the db is the IP */
2760 dbfn_delete(dbm_file, host->address);
2761 dbfn_write(dbm_file, host->address, dt, dlen);
2762 dbfn_close(dbm_file);
2763
2764 DEBUG(D_tls)
2765 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
2766 }
2767 }
2768 else DEBUG(D_tls)
2769 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
2770 }
2771}
2772
2773
2774/* With a TLS1.3 session, the ticket(s) are not seen until
2775the first data read is attempted. And there's often two of them.
2776Pick them up with this callback. We are also called for 1.2
2777but we do nothing.
2778*/
2779static int
2780tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2781 unsigned incoming, const gnutls_datum_t * msg)
2782{
2783exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
2784tls_support * tlsp = state->tlsp;
2785
2786DEBUG(D_tls) debug_printf("newticket cb\n");
2787
2788if (!tlsp->ticket_received)
2789 tls_save_session(tlsp, sess, state->host);
2790return 0;
2791}
2792
2793
2794static void
2795tls_client_resume_prehandshake(exim_gnutls_state_st * state,
2796 tls_support * tlsp, host_item * host,
2797 smtp_transport_options_block * ob)
2798{
2799gnutls_session_set_ptr(state->session, state);
2800gnutls_handshake_set_hook_function(state->session,
2801 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
2802
2803tls_retrieve_session(tlsp, state->session, host, ob);
2804}
2805
2806static void
2807tls_client_resume_posthandshake(exim_gnutls_state_st * state,
2808 tls_support * tlsp, host_item * host)
2809{
2810if (gnutls_session_is_resumed(state->session))
2811 {
2812 DEBUG(D_tls) debug_printf("Session resumed\n");
2813 tlsp->resumption |= RESUME_USED;
2814 }
2815
2816tls_save_session(tlsp, state->session, host);
2817}
2818#endif /* EXPERIMENTAL_TLS_RESUME */
2819
2820
059ec3d9
PH		 2821/*************************************************
2822* Start a TLS session in a client *
2823*************************************************/
2824
2825/* Called from the smtp transport after STARTTLS has been accepted.
2826
2827Arguments:
c05bdbd6
JH		 2828 cctx connection context
2829 conn_args connection details
2830 cookie datum for randomness (not used)
2831 tlsp record details of channel configuration here; must be non-NULL
2832 errstr error string pointer
2833
2834Returns: TRUE for success with TLS session context set in smtp context,
2835 FALSE on error
059ec3d9
PH		 2836*/
2837
c05bdbd6
JH		 2838BOOL
2839tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2840 void * cookie ARG_UNUSED,
2841 tls_support * tlsp, uschar ** errstr)
059ec3d9 2842{
c05bdbd6
JH		 2843host_item * host = conn_args->host; /* for msgs and option-tests */
2844transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2845smtp_transport_options_block * ob = tb
afdb5e9c
JH		 2846 ? (smtp_transport_options_block *)tb->options_block
2847 : &smtp_transport_option_defaults;
059ec3d9 2848int rc;
899b8bbc 2849exim_gnutls_state_st * state = NULL;
c05bdbd6 2850uschar * cipher_list = NULL;
74f1a423 2851
f2de3a33 2852#ifndef DISABLE_OCSP
5130845b 2853BOOL require_ocsp =
3fb3231c 2854 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
44662487 2855BOOL request_ocsp = require_ocsp ? TRUE
3fb3231c 2856 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2b4a568d 2857#endif
059ec3d9 2858
c05bdbd6 2859DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
059ec3d9 2860
5ec37a55 2861#ifdef SUPPORT_DANE
c05bdbd6
JH		 2862/* If dane is flagged, have either request or require dane for this host, and
2863a TLSA record found. Therefore, dane verify required. Which implies cert must
2864be requested and supplied, dane verify must pass, and cert verify irrelevant
2865(incl. hostnames), and (caller handled) require_tls */
2866
2867if (conn_args->dane && ob->dane_require_tls_ciphers)
5ec37a55
PP		 2868 {
2869 /* not using expand_check_tlsvar because not yet in state */
2870 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2871 &cipher_list, errstr))
c05bdbd6 2872 return FALSE;
cf260049
JH		 2873 cipher_list = cipher_list && *cipher_list
2874 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
5ec37a55
PP		 2875 }
2876#endif
2877
2878if (!cipher_list)
2879 cipher_list = ob->tls_require_ciphers;
2880
d85cdeb5
JH		 2881 {
2882#ifdef MEASURE_TIMING
2883 struct timeval t0;
2884 gettimeofday(&t0, NULL);
2885#endif
2886
2887 if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
2888 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
2889 cipher_list, &state, tlsp, errstr) != OK)
2890 return FALSE;
2891
2892#ifdef MEASURE_TIMING
2893 report_time_since(&t0, US"client tls_init (delta)");
2894#endif
2895 }
059ec3d9 2896
54c90be1 2897 {
65867078
JH		 2898 int dh_min_bits = ob->tls_dh_min_bits;
2899 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2900 {
2901 DEBUG(D_tls)
2902 debug_printf("WARNING: tls_dh_min_bits far too low,"
2903 " clamping %d up to %d\n",
2904 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2905 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2906 }
54c90be1 2907
65867078
JH		 2908 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2909 " acceptable bits to %d\n",
2910 dh_min_bits);
2911 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2912 }
83da1223 2913
94431adb 2914/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH		 2915set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2916the specified host patterns if one of them is defined */
2917
899b8bbc 2918#ifdef SUPPORT_DANE
c05bdbd6 2919if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
899b8bbc
JH		 2920 {
2921 DEBUG(D_tls)
2922 debug_printf("TLS: server certificate DANE required.\n");
2923 state->verify_requirement = VERIFY_DANE;
2924 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
899b8bbc
JH		 2925 }
2926else
2927#endif
2928 if ( ( state->exp_tls_verify_certificates
2929 && !ob->tls_verify_hosts
2930 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2931 )
3fb3231c 2932 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
899b8bbc 2933 )
17c76198 2934 {
aa2a70ba 2935 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH		 2936 DEBUG(D_tls)
2937 debug_printf("TLS: server certificate verification required.\n");
2938 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB		 2939 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2940 }
3fb3231c 2941else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
52f93eed 2942 {
aa2a70ba 2943 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH		 2944 DEBUG(D_tls)
2945 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2946 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP		 2947 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2948 }
2949else
2950 {
e51c7be2
JH		 2951 DEBUG(D_tls)
2952 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB		 2953 state->verify_requirement = VERIFY_NONE;
2954 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2955 }
059ec3d9 2956
f2de3a33
JH		 2957#ifndef DISABLE_OCSP
2958 /* supported since GnuTLS 3.1.3 */
44662487 2959if (request_ocsp)
9d1c15ef
JH		 2960 {
2961 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH		 2962 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2963 NULL, 0, NULL)) != OK)
74f1a423 2964 {
452a164f 2965 tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
c05bdbd6 2966 return FALSE;
74f1a423
JH		 2967 }
2968 tlsp->ocsp = OCSP_NOT_RESP;
9d1c15ef 2969 }
2b4a568d
JH		 2970#endif
2971
b10c87b3
JH		 2972#ifdef EXPERIMENTAL_TLS_RESUME
2973tls_client_resume_prehandshake(state, tlsp, host, ob);
2974#endif
2975
0cbf2b82 2976#ifndef DISABLE_EVENT
afdb5e9c 2977if (tb && tb->event_action)
a7538db1 2978 {
774ef2d7 2979 state->event_action = tb->event_action;
a7538db1 2980 gnutls_session_set_ptr(state->session, state);
723fe533 2981 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH		 2982 }
2983#endif
2984
c05bdbd6
JH		 2985gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
2986state->fd_in = cctx->sock;
2987state->fd_out = cctx->sock;
059ec3d9 2988
9d1c15ef 2989DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH		 2990/* There doesn't seem to be a built-in timeout on connection. */
2991
2992sigalrm_seen = FALSE;
c2a1bba0 2993ALARM(ob->command_timeout);
17c76198 2994do
17c76198 2995 rc = gnutls_handshake(state->session);
05c3a5a2 2996while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2997ALARM_CLR(0);
059ec3d9 2998
4fe99a6c 2999if (rc != GNUTLS_E_SUCCESS)
74f1a423 3000 {
60d10ce7
JH		 3001 if (sigalrm_seen)
3002 {
3003 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
48224640 3004 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
60d10ce7
JH		 3005 }
3006 else
452a164f 3007 tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
c05bdbd6 3008 return FALSE;
74f1a423 3009 }
4fe99a6c 3010
dc6d1769 3011DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 3012
17c76198 3013/* Verify late */
059ec3d9 3014
899b8bbc 3015if (!verify_certificate(state, errstr))
74f1a423
JH		 3016 {
3017 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
c05bdbd6 3018 return FALSE;
74f1a423 3019 }
059ec3d9 3020
17ba0f52 3021#ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
1c519e07
JH		 3022if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
3023 tlsp->ext_master_secret = TRUE;
17ba0f52 3024#endif
1c519e07 3025
f2de3a33 3026#ifndef DISABLE_OCSP
7a501c87 3027if (request_ocsp)
2b4a568d
JH		 3028 {
3029 DEBUG(D_tls)
3030 {
3031 gnutls_datum_t stapling;
3032 gnutls_ocsp_resp_t resp;
3033 gnutls_datum_t printed;
e326959e
JH		 3034 unsigned idx = 0;
3035
3036 for (;
3037# ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
3038 (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
3039#else
3040 (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
3041#endif
3042 idx++)
3043 if ( (rc= gnutls_ocsp_resp_init(&resp)) == 0
3044 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
3045 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
3046 )
3047 {
3048 debug_printf("%.4096s", printed.data);
3049 gnutls_free(printed.data);
3050 }
3051 else
3052 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
3053 if (idx == 0 && rc)
452a164f 3054 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2b4a568d
JH		 3055 }
3056
2b4a568d 3057 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2 3058 {
74f1a423
JH		 3059 tlsp->ocsp = OCSP_FAILED;
3060 tls_error(US"certificate status check failed", NULL, state->host, errstr);
7a501c87
JH		 3061 if (require_ocsp)
3062 return FALSE;
3063 }
3064 else
3065 {
3066 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
3067 tlsp->ocsp = OCSP_VFIED;
018058b2 3068 }
2b4a568d
JH		 3069 }
3070#endif
3071
b10c87b3
JH		 3072#ifdef EXPERIMENTAL_TLS_RESUME
3073tls_client_resume_posthandshake(state, tlsp, host);
3074#endif
059ec3d9 3075
4fe99a6c 3076/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 3077
9d1c15ef 3078extract_exim_vars_from_tls_state(state);
059ec3d9 3079
c05bdbd6
JH		 3080cctx->tls_ctx = state;
3081return TRUE;
059ec3d9
PH		 3082}
3083
3084
3085
17c76198 3086
059ec3d9 3087/*************************************************
17c76198 3088* Close down a TLS session *
059ec3d9
PH		 3089*************************************************/
3090
17c76198
PP		 3091/* This is also called from within a delivery subprocess forked from the
3092daemon, to shut down the TLS library, without actually doing a shutdown (which
3093would tamper with the TLS session in the parent process).
059ec3d9 3094
dec766a1 3095Arguments:
74f1a423 3096 ct_ctx client context pointer, or NULL for the one global server context
dec766a1 3097 shutdown 1 if TLS close-alert is to be sent,
afdb5e9c 3098 2 if also response to be waited for
dec766a1 3099
17c76198 3100Returns: nothing
059ec3d9
PH		 3101*/
3102
17c76198 3103void
74f1a423 3104tls_close(void * ct_ctx, int shutdown)
059ec3d9 3105{
74f1a423 3106exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
bd231acd 3107tls_support * tlsp = state->tlsp;
059ec3d9 3108
bd231acd 3109if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
17c76198
PP		 3110
3111if (shutdown)
3112 {
dec766a1
WB		 3113 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3114 shutdown > 1 ? " (with response-wait)" : "");
3115
c2a1bba0 3116 ALARM(2);
dec766a1 3117 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
c2a1bba0 3118 ALARM_CLR(0);
17c76198
PP		 3119 }
3120
bd231acd
JH		 3121if (!ct_ctx) /* server */
3122 {
3123 receive_getc = smtp_getc;
3124 receive_getbuf = smtp_getbuf;
3125 receive_get_cache = smtp_get_cache;
3126 receive_ungetc = smtp_ungetc;
3127 receive_feof = smtp_feof;
3128 receive_ferror = smtp_ferror;
3129 receive_smtp_buffered = smtp_buffered;
3130 }
3131
17c76198 3132gnutls_deinit(state->session);
ed62aae3
HSHR		 3133gnutls_certificate_free_credentials(state->x509_cred);
3134
bd231acd
JH		 3135tlsp->active.sock = -1;
3136tlsp->active.tls_ctx = NULL;
3137/* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
b1a32a3c 3138tlsp->channelbinding = NULL;
bd231acd 3139
17c76198 3140
b808677c 3141if (state->xfer_buffer) store_free(state->xfer_buffer);
17c76198 3142memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
059ec3d9
PH		 3143}
3144
3145
3146
17c76198 3147
0d81dabc
JH		 3148static BOOL
3149tls_refill(unsigned lim)
3150{
3151exim_gnutls_state_st * state = &state_server;
3152ssize_t inbytes;
3153
50a3f205 3154DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, buffersize=%u)\n",
0d81dabc
JH		 3155 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
3156
f1fed05b 3157sigalrm_seen = FALSE;
c2a1bba0 3158if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
4896a319 3159
05c3a5a2
HSHR		 3160do
3161 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
3162 MIN(ssl_xfer_buffer_size, lim));
3163while (inbytes == GNUTLS_E_AGAIN);
4896a319 3164
c2a1bba0 3165if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH		 3166
3167if (had_command_timeout) /* set by signal handler */
3168 smtp_command_timeout_exit(); /* does not return */
3169if (had_command_sigterm)
3170 smtp_command_sigterm_exit();
3171if (had_data_timeout)
3172 smtp_data_timeout_exit();
3173if (had_data_sigint)
3174 smtp_data_sigint_exit();
3175
3176/* Timeouts do not get this far. A zero-byte return appears to mean that the
3177TLS session has been closed down, not that the socket itself has been closed
3178down. Revert to non-TLS handling. */
0d81dabc
JH		 3179
3180if (sigalrm_seen)
3181 {
3182 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
8b77d27a 3183 state->xfer_error = TRUE;
0d81dabc
JH		 3184 return FALSE;
3185 }
3186
3187else if (inbytes == 0)
3188 {
3189 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
bd231acd 3190 tls_close(NULL, TLS_NO_SHUTDOWN);
0d81dabc
JH		 3191 return FALSE;
3192 }
3193
3194/* Handle genuine errors */
3195
3196else if (inbytes < 0)
3197 {
95f52235 3198 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
0d81dabc 3199 record_io_error(state, (int) inbytes, US"recv", NULL);
8b77d27a 3200 state->xfer_error = TRUE;
0d81dabc
JH		 3201 return FALSE;
3202 }
3203#ifndef DISABLE_DKIM
3204dkim_exim_verify_feed(state->xfer_buffer, inbytes);
3205#endif
3206state->xfer_buffer_hwm = (int) inbytes;
3207state->xfer_buffer_lwm = 0;
3208return TRUE;
3209}
3210
059ec3d9
PH		 3211/*************************************************
3212* TLS version of getc *
3213*************************************************/
3214
3215/* This gets the next byte from the TLS input buffer. If the buffer is empty,
3216it refills the buffer via the GnuTLS reading function.
817d9f57 3217Only used by the server-side TLS.
059ec3d9 3218
17c76198
PP		 3219This feeds DKIM and should be used for all message-body reads.
3220
aded2255 3221Arguments: lim Maximum amount to read/buffer
059ec3d9
PH		 3222Returns: the next character or EOF
3223*/
3224
3225int
bd8fbe36 3226tls_getc(unsigned lim)
059ec3d9 3227{
0d81dabc 3228exim_gnutls_state_st * state = &state_server;
059ec3d9 3229
0d81dabc
JH		 3230if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3231 if (!tls_refill(lim))
3232 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 3233
0d81dabc 3234/* Something in the buffer; return next uschar */
059ec3d9 3235
0d81dabc
JH		 3236return state->xfer_buffer[state->xfer_buffer_lwm++];
3237}
059ec3d9 3238
0d81dabc
JH		 3239uschar *
3240tls_getbuf(unsigned * len)
3241{
3242exim_gnutls_state_st * state = &state_server;
3243unsigned size;
3244uschar * buf;
059ec3d9 3245
0d81dabc
JH		 3246if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3247 if (!tls_refill(*len))
059ec3d9 3248 {
0d81dabc
JH		 3249 if (!state->xfer_error) return smtp_getbuf(len);
3250 *len = 0;
3251 return NULL;
059ec3d9 3252 }
059ec3d9 3253
0d81dabc
JH		 3254if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
3255 size = *len;
3256buf = &state->xfer_buffer[state->xfer_buffer_lwm];
3257state->xfer_buffer_lwm += size;
3258*len = size;
3259return buf;
059ec3d9
PH		 3260}
3261
0d81dabc 3262
584e96c6
JH		 3263void
3264tls_get_cache()
3265{
9960d1e5 3266#ifndef DISABLE_DKIM
584e96c6
JH		 3267exim_gnutls_state_st * state = &state_server;
3268int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3269if (n > 0)
3270 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 3271#endif
9960d1e5 3272}
584e96c6 3273
059ec3d9 3274
925ac8e4
JH		 3275BOOL
3276tls_could_read(void)
3277{
3278return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3279 || gnutls_record_check_pending(state_server.session) > 0;
3280}
3281
3282
059ec3d9 3283
17c76198 3284
059ec3d9
PH		 3285/*************************************************
3286* Read bytes from TLS channel *
3287*************************************************/
3288
17c76198
PP		 3289/* This does not feed DKIM, so if the caller uses this for reading message body,
3290then the caller must feed DKIM.
817d9f57 3291
059ec3d9 3292Arguments:
74f1a423 3293 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3294 buff buffer of data
3295 len size of buffer
3296
3297Returns: the number of bytes read
afdb5e9c 3298 -1 after a failed read, including EOF
059ec3d9
PH		 3299*/
3300
3301int
74f1a423 3302tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 3303{
74f1a423 3304exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
17c76198 3305ssize_t inbytes;
059ec3d9 3306
17c76198
PP		 3307if (len > INT_MAX)
3308 len = INT_MAX;
059ec3d9 3309
17c76198
PP		 3310if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3311 DEBUG(D_tls)
3312 debug_printf("*** PROBABLY A BUG *** " \
3313 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3314 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3315
3316DEBUG(D_tls)
50a3f205 3317 debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, len=" SIZE_T_FMT ")\n",
17c76198
PP		 3318 state->session, buff, len);
3319
05c3a5a2
HSHR		 3320do
3321 inbytes = gnutls_record_recv(state->session, buff, len);
3322while (inbytes == GNUTLS_E_AGAIN);
4896a319 3323
059ec3d9
PH		 3324if (inbytes > 0) return inbytes;
3325if (inbytes == 0)
3326 {
3327 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3328 }
5fd28bb8 3329else
4896a319 3330 {
95f52235 3331 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
4896a319
AM		 3332 record_io_error(state, (int)inbytes, US"recv", NULL);
3333 }
059ec3d9
PH		 3334
3335return -1;
3336}
3337
3338
3339
17c76198 3340
059ec3d9
PH		 3341/*************************************************
3342* Write bytes down TLS channel *
3343*************************************************/
3344
3345/*
3346Arguments:
74f1a423 3347 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3348 buff buffer of data
3349 len number of bytes
925ac8e4 3350 more more data expected soon
059ec3d9 3351
30398c06
JH		 3352Calling with len zero and more unset will flush buffered writes. The buff
3353argument can be null for that case.
3354
059ec3d9
PH		 3355Returns: the number of bytes after a successful write,
3356 -1 after a failed write
3357*/
3358
3359int
74f1a423 3360tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
059ec3d9 3361{
17c76198
PP		 3362ssize_t outbytes;
3363size_t left = len;
74f1a423 3364exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
925ac8e4 3365
8f9adfd3
HSHR		 3366#ifdef SUPPORT_CORK
3367if (more && !state->corked)
3368 {
3369 DEBUG(D_tls) debug_printf("gnutls_record_cork(session=%p)\n", state->session);
3370 gnutls_record_cork(state->session);
3371 state->corked = TRUE;
3372 }
925ac8e4
JH		 3373#endif
3374
3375DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
3376 buff, left, more ? ", more" : "");
059ec3d9 3377
059ec3d9
PH		 3378while (left > 0)
3379 {
50a3f205 3380 DEBUG(D_tls) debug_printf("gnutls_record_send(session=%p, buffer=%p, left=" SIZE_T_FMT ")\n",
d89f32c2 3381 state->session, buff, left);
4896a319 3382
05c3a5a2
HSHR		 3383 do
3384 outbytes = gnutls_record_send(state->session, buff, left);
3385 while (outbytes == GNUTLS_E_AGAIN);
059ec3d9 3386
17c76198 3387 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
8f9adfd3 3388
059ec3d9
PH		 3389 if (outbytes < 0)
3390 {
1b76ad22 3391 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
17c76198 3392 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH		 3393 return -1;
3394 }
3395 if (outbytes == 0)
3396 {
17c76198 3397 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH		 3398 return -1;
3399 }
3400
3401 left -= outbytes;
3402 buff += outbytes;
3403 }
3404
17c76198
PP		 3405if (len > INT_MAX)
3406 {
3407 DEBUG(D_tls)
3408 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
3409 len);
3410 len = INT_MAX;
3411 }
3412
925ac8e4 3413#ifdef SUPPORT_CORK
8f9adfd3
HSHR		 3414if (!more && state->corked)
3415 {
3416 DEBUG(D_tls) debug_printf("gnutls_record_uncork(session=%p)\n", state->session);
05c3a5a2
HSHR		 3417 do
3418 /* We can't use GNUTLS_RECORD_WAIT here, as it retries on
3419 GNUTLS_E_AGAIN || GNUTLS_E_INTR, which would break our timeout set by alarm().
3420 The GNUTLS_E_AGAIN should not happen ever, as our sockets are blocking anyway.
3421 But who knows. (That all relies on the fact that GNUTLS_E_INTR and GNUTLS_E_AGAIN
3422 match the EINTR and EAGAIN errno values.) */
3423 outbytes = gnutls_record_uncork(state->session, 0);
3424 while (outbytes == GNUTLS_E_AGAIN);
3425
d8d7e3a4
HSHR		 3426 if (outbytes < 0)
3427 {
3428 record_io_error(state, len, US"uncork", NULL);
3429 return -1;
3430 }
05c3a5a2 3431
8f9adfd3 3432 state->corked = FALSE;
925ac8e4
JH		 3433 }
3434#endif
3435
17c76198 3436return (int) len;
059ec3d9
PH		 3437}
3438
3439
3440
17c76198 3441
059ec3d9 3442/*************************************************
17c76198 3443* Random number generation *
059ec3d9
PH		 3444*************************************************/
3445
17c76198
PP		 3446/* Pseudo-random number generation. The result is not expected to be
3447cryptographically strong but not so weak that someone will shoot themselves
3448in the foot using it as a nonce in input in some email header scheme or
3449whatever weirdness they'll twist this into. The result should handle fork()
3450and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 3451
17c76198
PP		 3452Arguments:
3453 max range maximum
3454Returns a random number in range [0, max-1]
059ec3d9
PH		 3455*/
3456
af3498d6 3457#ifdef HAVE_GNUTLS_RND
17c76198
PP		 3458int
3459vaguely_random_number(int max)
059ec3d9 3460{
17c76198
PP		 3461unsigned int r;
3462int i, needed_len;
17c76198
PP		 3463uschar smallbuf[sizeof(r)];
3464
3465if (max <= 1)
3466 return 0;
3467
3468needed_len = sizeof(r);
3469/* Don't take 8 times more entropy than needed if int is 8 octets and we were
d7978c0f
JH		 3470asked for a number less than 10. */
3471
17c76198
PP		 3472for (r = max, i = 0; r; ++i)
3473 r >>= 1;
3474i = (i + 7) / 8;
3475if (i < needed_len)
3476 needed_len = i;
3477
3478i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
3479if (i < 0)
059ec3d9 3480 {
17c76198
PP		 3481 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
3482 return vaguely_random_number_fallback(max);
3483 }
3484r = 0;
d7978c0f
JH		 3485for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3486 r = r * 256 + *p;
059ec3d9 3487
17c76198
PP		 3488/* We don't particularly care about weighted results; if someone wants
3489 * smooth distribution and cares enough then they should submit a patch then. */
3490return r % max;
059ec3d9 3491}
af3498d6
PP		 3492#else /* HAVE_GNUTLS_RND */
3493int
3494vaguely_random_number(int max)
3495{
3496 return vaguely_random_number_fallback(max);
3497}
3498#endif /* HAVE_GNUTLS_RND */
059ec3d9 3499
36f12725
NM		 3500
3501
3502
3375e053
PP		 3503/*************************************************
3504* Let tls_require_ciphers be checked at startup *
3505*************************************************/
3506
3507/* The tls_require_ciphers option, if set, must be something which the
3508library can parse.
3509
3510Returns: NULL on success, or error message
3511*/
3512
3513uschar *
3514tls_validate_require_cipher(void)
3515{
3516int rc;
3517uschar *expciphers = NULL;
3518gnutls_priority_t priority_cache;
3519const char *errpos;
cf0c6164 3520uschar * dummy_errstr;
3375e053 3521
4d2a62a3
JH		 3522#ifdef GNUTLS_AUTO_GLOBAL_INIT
3523# define validate_check_rc(Label) do { \
3524 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) \
3525 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3526# define return_deinit(Label) do { return (Label); } while (0)
3527#else
3528# define validate_check_rc(Label) do { \
3375e053 3529 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
4d2a62a3
JH		 3530 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3531# define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
3532#endif
3375e053
PP		 3533
3534if (exim_gnutls_base_init_done)
3535 log_write(0, LOG_MAIN|LOG_PANIC,
3536 "already initialised GnuTLS, Exim developer bug");
3537
9f707b89 3538#if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
2519e60d 3539if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 3540 {
3541 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
3542 validate_check_rc(US"gnutls_pkcs11_init");
3543 }
3544#endif
4d2a62a3 3545#ifndef GNUTLS_AUTO_GLOBAL_INIT
3375e053
PP		 3546rc = gnutls_global_init();
3547validate_check_rc(US"gnutls_global_init()");
4d2a62a3 3548#endif
3375e053
PP		 3549exim_gnutls_base_init_done = TRUE;
3550
3551if (!(tls_require_ciphers && *tls_require_ciphers))
3552 return_deinit(NULL);
3553
cf0c6164
JH		 3554if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3555 &dummy_errstr))
3375e053
PP		 3556 return_deinit(US"failed to expand tls_require_ciphers");
3557
3558if (!(expciphers && *expciphers))
3559 return_deinit(NULL);
3560
3561DEBUG(D_tls)
3562 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3563
3564rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
3565validate_check_rc(string_sprintf(
3566 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
3567 expciphers, errpos - CS expciphers, errpos));
3568
3569#undef return_deinit
3570#undef validate_check_rc
4d2a62a3 3571#ifndef GNUTLS_AUTO_GLOBAL_INIT
3375e053 3572gnutls_global_deinit();
4d2a62a3 3573#endif
3375e053
PP		 3574
3575return NULL;
3576}
3577
3578
3579
3580
36f12725
NM		 3581/*************************************************
3582* Report the library versions. *
3583*************************************************/
3584
3585/* See a description in tls-openssl.c for an explanation of why this exists.
3586
3587Arguments: a FILE* to print the results to
3588Returns: nothing
3589*/
3590
3591void
3592tls_version_report(FILE *f)
3593{
754a0503
PP		 3594fprintf(f, "Library version: GnuTLS: Compile: %s\n"
3595 " Runtime: %s\n",
3596 LIBGNUTLS_VERSION,
3597 gnutls_check_version(NULL));
36f12725
NM		 3598}
3599
b10c87b3 3600#endif /*!MACRO_PREDEF*/
2b4a568d
JH		 3601/* vi: aw ai sw=2
3602*/
059ec3d9 3603/* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.