projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix macOS build
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP		 10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP		 14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 16Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 17appropriate.
059ec3d9 18
17c76198
PP		 19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP		 24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP		 27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP		 32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP		 37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
184384c3 42
a5f239e4
PP		 43/* needed to disable PKCS11 autoload unless requested */
44#if GNUTLS_VERSION_NUMBER >= 0x020c00
45# include <gnutls/pkcs11.h>
76075bb5 46# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 47#endif
7e07527a
JH		 48#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
49# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
50# define DISABLE_OCSP
51#endif
0cbf2b82 52#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 53# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 54# define DISABLE_EVENT
a7538db1 55#endif
a7fec7a7
JH		 56#if GNUTLS_VERSION_NUMBER >= 0x030306
57# define SUPPORT_CA_DIR
58#else
59# undef SUPPORT_CA_DIR
60#endif
11a04b5a 61#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH		 62# define SUPPORT_SYSDEFAULT_CABUNDLE
63#endif
184384c3
JH		 64#if GNUTLS_VERSION_NUMBER >= 0x030104
65# define GNUTLS_CERT_VFY_STATUS_PRINT
66#endif
925ac8e4
JH		 67#if GNUTLS_VERSION_NUMBER >= 0x030109
68# define SUPPORT_CORK
69#endif
f20cfa4a
JH		 70#if GNUTLS_VERSION_NUMBER >= 0x03010a
71# define SUPPORT_GNUTLS_SESS_DESC
72#endif
4d2a62a3
JH		 73#if GNUTLS_VERSION_NUMBER >= 0x030300
74# define GNUTLS_AUTO_GLOBAL_INIT
9f707b89 75# define GNUTLS_AUTO_PKCS11_MANUAL
4d2a62a3 76#endif
f20cfa4a
JH		 77#if GNUTLS_VERSION_NUMBER >= 0x030500
78# define SUPPORT_GNUTLS_KEYLOG
79#endif
47195144
JH		 80#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
81# define SUPPORT_SRV_OCSP_STACK
82#endif
49132a3b
JH		 83#if GNUTLS_VERSION_NUMBER >= 0x030600
84# define GNUTLS_AUTO_DHPARAMS
85#endif
be427508 86#if GNUTLS_VERSION_NUMBER >= 0x030603
e326959e 87# define EXIM_HAVE_TLS1_3
be427508 88# define SUPPORT_GNUTLS_EXT_RAW_PARSE
e326959e 89# define GNUTLS_OCSP_STATUS_REQUEST_GET2
be427508 90#endif
c0635b6d
JH		 91
92#ifdef SUPPORT_DANE
93# if GNUTLS_VERSION_NUMBER >= 0x030000
94# define DANESSL_USAGE_DANE_TA 2
95# define DANESSL_USAGE_DANE_EE 3
96# else
97# error GnuTLS version too early for DANE
98# endif
99# if GNUTLS_VERSION_NUMBER < 0x999999
100# define GNUTLS_BROKEN_DANE_VALIDATION
101# endif
899b8bbc 102#endif
7e07527a 103
43e2db44
JH		 104#ifdef EXPERIMENTAL_TLS_RESUME
105# if GNUTLS_VERSION_NUMBER < 0x030603
106# error GNUTLS version too early for session-resumption
107# endif
108#endif
109
f2de3a33 110#ifndef DISABLE_OCSP
2b4a568d
JH		 111# include <gnutls/ocsp.h>
112#endif
899b8bbc
JH		 113#ifdef SUPPORT_DANE
114# include <gnutls/dane.h>
115#endif
059ec3d9 116
f1be21cf
JH		 117#include "tls-cipher-stdname.c"
118
119
b10c87b3
JH		 120#ifdef MACRO_PREDEF
121void
122options_tls(void)
123{
124# ifdef EXPERIMENTAL_TLS_RESUME
125builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
126# endif
e326959e
JH		 127# ifdef EXIM_HAVE_TLS1_3
128builtin_macro_create(US"_HAVE_TLS1_3");
129# endif
b10c87b3
JH		 130}
131#else
132
133
17c76198 134/* GnuTLS 2 vs 3
059ec3d9 135
17c76198
PP		 136GnuTLS 3 only:
137 gnutls_global_set_audit_log_function()
059ec3d9 138
17c76198
PP		 139Changes:
140 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
141*/
059ec3d9 142
17c76198 143/* Local static variables for GnuTLS */
059ec3d9 144
17c76198 145/* Values for verify_requirement */
059ec3d9 146
e51c7be2 147enum peer_verify_requirement
899b8bbc 148 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
059ec3d9 149
17c76198
PP		 150/* This holds most state for server or client; with this, we can set up an
151outbound TLS-enabled connection in an ACL callout, while not stomping all
152over the TLS variables available for expansion.
059ec3d9 153
17c76198
PP		 154Some of these correspond to variables in globals.c; those variables will
155be set to point to content in one of these instances, as appropriate for
156the stage of the process lifetime.
059ec3d9 157
b1a32a3c 158Not handled here: global tlsp->tls_channelbinding.
17c76198 159*/
059ec3d9 160
17c76198 161typedef struct exim_gnutls_state {
9d1c15ef 162 gnutls_session_t session;
17c76198 163 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 164 gnutls_priority_t priority_cache;
17c76198 165 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH		 166 int fd_in;
167 int fd_out;
168 BOOL peer_cert_verified;
899b8bbc 169 BOOL peer_dane_verified;
9d1c15ef
JH		 170 BOOL trigger_sni_changes;
171 BOOL have_set_peerdn;
5fd28bb8 172 const struct host_item *host; /* NULL if server */
afdb5e9c 173 gnutls_x509_crt_t peercert;
9d1c15ef
JH		 174 uschar *peerdn;
175 uschar *ciphersuite;
176 uschar *received_sni;
17c76198
PP		 177
178 const uschar *tls_certificate;
179 const uschar *tls_privatekey;
180 const uschar *tls_sni; /* client send only, not received */
181 const uschar *tls_verify_certificates;
182 const uschar *tls_crl;
183 const uschar *tls_require_ciphers;
e51c7be2 184
17c76198
PP		 185 uschar *exp_tls_certificate;
186 uschar *exp_tls_privatekey;
17c76198
PP		 187 uschar *exp_tls_verify_certificates;
188 uschar *exp_tls_crl;
189 uschar *exp_tls_require_ciphers;
55414b25 190 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 191#ifndef DISABLE_EVENT
a7538db1
JH		 192 uschar *event_action;
193#endif
899b8bbc
JH		 194#ifdef SUPPORT_DANE
195 char * const * dane_data;
196 const int * dane_data_len;
197#endif
17c76198 198
389ca47a 199 tls_support *tlsp; /* set in tls_init() */
817d9f57 200
17c76198
PP		 201 uschar *xfer_buffer;
202 int xfer_buffer_lwm;
203 int xfer_buffer_hwm;
8b77d27a
JH		 204 BOOL xfer_eof; /*XXX never gets set! */
205 BOOL xfer_error;
17c76198
PP		 206} exim_gnutls_state_st;
207
208static const exim_gnutls_state_st exim_gnutls_state_init = {
b10c87b3 209 /* all elements not explicitly intialised here get 0/NULL/FALSE */
f2ed27cf
JH		 210 .fd_in = -1,
211 .fd_out = -1,
17c76198 212};
83da1223 213
17c76198
PP		 214/* Not only do we have our own APIs which don't pass around state, assuming
215it's held in globals, GnuTLS doesn't appear to let us register callback data
216for callbacks, or as part of the session, so we have to keep a "this is the
217context we're currently dealing with" pointer and rely upon being
218single-threaded to keep from processing data on an inbound TLS connection while
219talking to another TLS connection for an outbound check. This does mean that
220there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH		 221second connection.
222XXX But see gnutls_session_get_ptr()
223*/
059ec3d9 224
74f1a423 225static exim_gnutls_state_st state_server;
059ec3d9 226
49132a3b 227#ifndef GNUTLS_AUTO_DHPARAMS
17c76198
PP		 228/* dh_params are initialised once within the lifetime of a process using TLS;
229if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
230don't want to repeat this. */
83da1223 231
17c76198 232static gnutls_dh_params_t dh_server_params = NULL;
49132a3b 233#endif
059ec3d9 234
dea4b568 235static int ssl_session_timeout = 7200; /* Two hours */
059ec3d9 236
fc243e94 237static const uschar * const exim_default_gnutls_priority = US"NORMAL";
83da1223 238
17c76198 239/* Guard library core initialisation */
83da1223 240
17c76198 241static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 242
4fb7df6d 243#ifndef DISABLE_OCSP
9196d5bf 244static BOOL gnutls_buggy_ocsp = FALSE;
e5489333 245static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
4fb7df6d 246#endif
9196d5bf 247
b10c87b3
JH		 248#ifdef EXPERIMENTAL_TLS_RESUME
249static gnutls_datum_t server_sessticket_key;
250#endif
059ec3d9 251
17c76198
PP		 252/* ------------------------------------------------------------------------ */
253/* macros */
83da1223 254
17c76198 255#define MAX_HOST_LEN 255
83da1223 256
17c76198
PP		 257/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
258the library logging; a value less than 0 disables the calls to set up logging
dc6d1769
JH		 259callbacks. GNuTLS also looks for an environment variable - except not for
260setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
261Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
262but the env var must be added to /etc/sudoers too. */
2c17bb02 263#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
b1a4f234 264# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 265#endif
83da1223 266
2c17bb02 267#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 268# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 269#endif
83da1223 270
af3498d6
PP		 271/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
272can ask for a bit-strength. Without that, we stick to the constant we had
273before, for now. */
2c17bb02 274#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 275# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 276#endif
af3498d6 277
cf0c6164
JH		 278#define expand_check_tlsvar(Varname, errstr) \
279 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 280
17c76198 281#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH		 282# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
283# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
284# define HAVE_GNUTLS_RND
2519e60d
TL		 285/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
286 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
287 * isn't available sometimes, so this needs to become a conditional
288 * compilation; the sanest way to deal with this being a problem on
289 * older OSes is to block it in the Local/Makefile with this compiler
290 * definition */
e51c7be2
JH		 291# ifndef AVOID_GNUTLS_PKCS11
292# define HAVE_GNUTLS_PKCS11
293# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 294#endif
83da1223 295
af3498d6
PP		 296
297
298
299/* ------------------------------------------------------------------------ */
300/* Callback declarations */
301
302#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
303static void exim_gnutls_logger_cb(int level, const char *message);
304#endif
305
306static int exim_sni_handling_cb(gnutls_session_t session);
307
e5489333
JH		 308#ifdef EXPERIMENTAL_TLS_RESUME
309static int
310tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
311 unsigned incoming, const gnutls_datum_t * msg);
312#endif
af3498d6
PP		 313
314
b10c87b3
JH		 315/* Daemon one-time initialisation */
316void
317tls_daemon_init(void)
318{
319#ifdef EXPERIMENTAL_TLS_RESUME
320/* We are dependent on the GnuTLS implementation of the Session Ticket
321encryption; both the strength and the key rotation period. We hope that
322the strength at least matches that of the ciphersuite (but GnuTLS does not
323document this). */
324
325static BOOL once = FALSE;
326if (once) return;
327once = TRUE;
328gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
329if (f.running_in_test_harness) ssl_session_timeout = 6;
330#endif
331}
332
17c76198
PP		 333/* ------------------------------------------------------------------------ */
334/* Static functions */
059ec3d9
PH		 335
336/*************************************************
337* Handle TLS error *
338*************************************************/
339
340/* Called from lots of places when errors occur before actually starting to do
341the TLS handshake, that is, while the session is still in clear. Always returns
342DEFER for a server and FAIL for a client so that most calls can use "return
343tls_error(...)" to do this processing and then give an appropriate return. A
344single function is used for both server and client, because it is called from
345some shared functions.
346
347Argument:
348 prefix text to include in the logged error
7199e1ee
TF		 349 msg additional error string (may be NULL)
350 usually obtained from gnutls_strerror()
17c76198
PP		 351 host NULL if setting up a server;
352 the connected host if setting up a client
cf0c6164 353 errstr pointer to returned error string
059ec3d9
PH		 354
355Returns: OK/DEFER/FAIL
356*/
357
358static int
48224640 359tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
cf0c6164 360 uschar ** errstr)
059ec3d9 361{
cf0c6164 362if (errstr)
48224640 363 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
cf0c6164 364return host ? FAIL : DEFER;
059ec3d9
PH		 365}
366
367
452a164f
JH		 368static int
369tls_error_gnu(const uschar *prefix, int err, const host_item *host,
370 uschar ** errstr)
371{
372return tls_error(prefix, US gnutls_strerror(err), host, errstr);
373}
374
375static int
376tls_error_sys(const uschar *prefix, int err, const host_item *host,
377 uschar ** errstr)
378{
379return tls_error(prefix, US strerror(err), host, errstr);
380}
059ec3d9 381
17c76198 382
059ec3d9 383/*************************************************
17c76198 384* Deal with logging errors during I/O *
059ec3d9
PH		 385*************************************************/
386
17c76198 387/* We have to get the identity of the peer from saved data.
059ec3d9 388
17c76198
PP		 389Argument:
390 state the current GnuTLS exim state container
391 rc the GnuTLS error code, or 0 if it's a local error
392 when text identifying read or write
95f52235 393 text local error text when rc is 0
059ec3d9 394
17c76198 395Returns: nothing
059ec3d9
PH		 396*/
397
17c76198
PP		 398static void
399record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 400{
48224640 401const uschar * msg;
cf0c6164 402uschar * errstr;
059ec3d9 403
17c76198 404if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
95f52235 405 msg = string_sprintf("A TLS fatal alert has been received: %s",
17c76198
PP		 406 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
407else
48224640 408 msg = US gnutls_strerror(rc);
059ec3d9 409
cf0c6164
JH		 410(void) tls_error(when, msg, state->host, &errstr);
411
412if (state->host)
413 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
414 state->host->name, state->host->address, errstr);
415else
416 {
417 uschar * conn_info = smtp_get_connection_info();
418 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
419 /* I'd like to get separated H= here, but too hard for now */
420 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
421 }
17c76198 422}
059ec3d9 423
059ec3d9 424
059ec3d9 425
059ec3d9 426
17c76198
PP		 427/*************************************************
428* Set various Exim expansion vars *
429*************************************************/
059ec3d9 430
e51c7be2
JH		 431#define exim_gnutls_cert_err(Label) \
432 do \
433 { \
434 if (rc != GNUTLS_E_SUCCESS) \
435 { \
436 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
437 (Label), gnutls_strerror(rc)); \
438 return rc; \
439 } \
440 } while (0)
9d1c15ef
JH		 441
442static int
27f19eb4 443import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH		 444{
445int rc;
446
447rc = gnutls_x509_crt_init(crtp);
448exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
449
450rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
451exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
452
453return rc;
454}
455
456#undef exim_gnutls_cert_err
457
458
17c76198
PP		 459/* We set various Exim global variables from the state, once a session has
460been established. With TLS callouts, may need to change this to stack
461variables, or just re-call it with the server state after client callout
462has finished.
059ec3d9 463
9d1c15ef 464Make sure anything set here is unset in tls_getc().
17c76198
PP		 465
466Sets:
467 tls_active fd
468 tls_bits strength indicator
469 tls_certificate_verified bool indicator
b1a32a3c 470 tls_channelbinding for some SASL mechanisms
5b195d6b 471 tls_ver a string
17c76198 472 tls_cipher a string
9d1c15ef 473 tls_peercert pointer to library internal
17c76198
PP		 474 tls_peerdn a string
475 tls_sni a (UTF-8) string
9d1c15ef 476 tls_ourcert pointer to library internal
17c76198
PP		 477
478Argument:
479 state the relevant exim_gnutls_state_st *
480*/
481
482static void
9d1c15ef 483extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 484{
17c76198
PP		 485#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
486int old_pool;
487int rc;
488gnutls_datum_t channel;
489#endif
9d1c15ef 490tls_support * tlsp = state->tlsp;
17c76198 491
74f1a423
JH		 492tlsp->active.sock = state->fd_out;
493tlsp->active.tls_ctx = state;
17c76198 494
817d9f57 495DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 496
9d1c15ef 497tlsp->certificate_verified = state->peer_cert_verified;
899b8bbc
JH		 498#ifdef SUPPORT_DANE
499tlsp->dane_verified = state->peer_dane_verified;
500#endif
059ec3d9 501
b1a32a3c 502/* note that tls_channelbinding is not saved to the spool file, since it's
17c76198
PP		 503only available for use for authenticators while this TLS session is running. */
504
b1a32a3c 505tlsp->channelbinding = NULL;
17c76198
PP		 506#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
507channel.data = NULL;
508channel.size = 0;
1f20760b
JH		 509if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
510 { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
511else
512 {
b1a32a3c
JH		 513 /* Declare the taintedness of the binding info. On server, untainted; on
514 client, tainted - being the Finish msg from the server. */
515
17c76198
PP		 516 old_pool = store_pool;
517 store_pool = POOL_PERM;
b1a32a3c
JH		 518 tlsp->channelbinding = b64encode_taint(CUS channel.data, (int)channel.size,
519 !!state->host);
17c76198 520 store_pool = old_pool;
b1a32a3c 521 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage\n");
1f20760b 522 }
17c76198
PP		 523#endif
524
9d1c15ef
JH		 525/* peercert is set in peer_status() */
526tlsp->peerdn = state->peerdn;
527tlsp->sni = state->received_sni;
528
529/* record our certificate */
530 {
27f19eb4 531 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH		 532 gnutls_x509_crt_t crt;
533
534 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
535 }
059ec3d9
PH		 536}
537
538
539
17c76198 540
49132a3b 541#ifndef GNUTLS_AUTO_DHPARAMS
059ec3d9 542/*************************************************
575643cd 543* Setup up DH parameters *
059ec3d9
PH		 544*************************************************/
545
575643cd 546/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH		 547be re-generated every so often, depending on security policy. What we do is to
548keep these parameters in a file in the spool directory. If the file does not
549exist, we generate them. This means that it is easy to cause a regeneration.
550
551The new file is written as a temporary file and renamed, so that an incomplete
552file is never present. If two processes both compute some new parameters, you
553waste a bit of effort, but it doesn't seem worth messing around with locking to
554prevent this.
555
059ec3d9
PH		 556Returns: OK/DEFER/FAIL
557*/
558
559static int
cf0c6164 560init_server_dh(uschar ** errstr)
059ec3d9 561{
17c76198
PP		 562int fd, rc;
563unsigned int dh_bits;
49132a3b 564gnutls_datum_t m = {.data = NULL, .size = 0};
a799883d
PP		 565uschar filename_buf[PATH_MAX];
566uschar *filename = NULL;
17c76198 567size_t sz;
a799883d
PP		 568uschar *exp_tls_dhparam;
569BOOL use_file_in_spool = FALSE;
17c76198 570host_item *host = NULL; /* dummy for macros */
059ec3d9 571
17c76198 572DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 573
452a164f
JH		 574if ((rc = gnutls_dh_params_init(&dh_server_params)))
575 return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
059ec3d9 576
cf0c6164 577if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP		 578 return DEFER;
579
580if (!exp_tls_dhparam)
581 {
582 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
583 m.data = US std_dh_prime_default();
584 m.size = Ustrlen(m.data);
585 }
586else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
587 use_file_in_spool = TRUE;
588else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
589 {
590 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
591 return OK;
592 }
593else if (exp_tls_dhparam[0] != '/')
594 {
f5d25c2b 595 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
48224640 596 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
a799883d
PP		 597 m.size = Ustrlen(m.data);
598 }
599else
a799883d 600 filename = exp_tls_dhparam;
a799883d
PP		 601
602if (m.data)
603 {
452a164f
JH		 604 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
605 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
a799883d
PP		 606 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
607 return OK;
608 }
609
af3498d6
PP		 610#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
611/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198 612different filename and ensure we have sufficient bits. */
452a164f
JH		 613
614if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
cf0c6164 615 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 616DEBUG(D_tls)
b34fc30c 617 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP		 618 dh_bits);
619#else
620dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
621DEBUG(D_tls)
622 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
623 dh_bits);
624#endif
059ec3d9 625
3375e053
PP		 626/* Some clients have hard-coded limits. */
627if (dh_bits > tls_dh_max_bits)
628 {
629 DEBUG(D_tls)
630 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
631 tls_dh_max_bits);
632 dh_bits = tls_dh_max_bits;
633 }
634
a799883d
PP		 635if (use_file_in_spool)
636 {
637 if (!string_format(filename_buf, sizeof(filename_buf),
638 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 639 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP		 640 filename = filename_buf;
641 }
059ec3d9 642
b5aea5e1 643/* Open the cache file for reading and if successful, read it and set up the
575643cd 644parameters. */
059ec3d9 645
f5d25c2b 646if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 647 {
b5aea5e1 648 struct stat statbuf;
17c76198
PP		 649 FILE *fp;
650 int saved_errno;
651
652 if (fstat(fd, &statbuf) < 0) /* EIO */
653 {
654 saved_errno = errno;
655 (void)close(fd);
452a164f 656 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
17c76198
PP		 657 }
658 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH		 659 {
660 (void)close(fd);
cf0c6164 661 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 662 }
40c90bca 663 if (!(fp = fdopen(fd, "rb")))
17c76198
PP		 664 {
665 saved_errno = errno;
666 (void)close(fd);
452a164f
JH		 667 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
668 saved_errno, NULL, errstr);
b5aea5e1 669 }
059ec3d9 670
b5aea5e1 671 m.size = statbuf.st_size;
f3ebb786 672 if (!(m.data = store_malloc(m.size)))
17c76198
PP		 673 {
674 fclose(fp);
452a164f 675 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
17c76198 676 }
40c90bca 677 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP		 678 {
679 saved_errno = errno;
680 fclose(fp);
f3ebb786 681 store_free(m.data);
452a164f 682 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
17c76198
PP		 683 }
684 fclose(fp);
b5aea5e1 685
17c76198 686 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
f3ebb786 687 store_free(m.data);
452a164f
JH		 688 if (rc)
689 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
17c76198 690 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH		 691 }
692
693/* If the file does not exist, fall through to compute new data and cache it.
694If there was any other opening error, it is serious. */
695
182ad5cf
PH		 696else if (errno == ENOENT)
697 {
17c76198 698 rc = -1;
182ad5cf 699 DEBUG(D_tls)
17c76198 700 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH		 701 }
702else
17c76198 703 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 704 NULL, NULL, errstr);
b5aea5e1
PH		 705
706/* If ret < 0, either the cache file does not exist, or the data it contains
707is not useful. One particular case of this is when upgrading from an older
708release of Exim in which the data was stored in a different format. We don't
709try to be clever and support both formats; we just regenerate new data in this
710case. */
711
17c76198 712if (rc < 0)
b5aea5e1 713 {
17c76198 714 uschar *temp_fn;
201f5254 715 unsigned int dh_bits_gen = dh_bits;
059ec3d9 716
17c76198
PP		 717 if ((PATH_MAX - Ustrlen(filename)) < 10)
718 return tls_error(US"Filename too long to generate replacement",
48224640 719 filename, NULL, errstr);
059ec3d9 720
48224640 721 temp_fn = string_copy(US"%s.XXXXXXX");
f5d25c2b 722 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
452a164f 723 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
b66fecb4 724 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
059ec3d9 725
49132a3b
JH		 726 /* GnuTLS overshoots! If we ask for 2236, we might get 2237 or more. But
727 there's no way to ask GnuTLS how many bits there really are. We can ask
728 how many bits were used in a TLS session, but that's it! The prime itself
729 is hidden behind too much abstraction. So we ask for less, and proceed on
730 a wing and a prayer. First attempt, subtracted 3 for 2233 and got 2240. */
731
cae6e576 732 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP		 733 {
734 dh_bits_gen = dh_bits - 10;
735 DEBUG(D_tls)
736 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
737 dh_bits_gen);
738 }
739
740 DEBUG(D_tls)
741 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
742 dh_bits_gen);
452a164f
JH		 743 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
744 return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
17c76198
PP		 745
746 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
747 and I confirmed that a NULL call to get the size first is how the GnuTLS
748 sample apps handle this. */
749
750 sz = 0;
751 m.data = NULL;
452a164f
JH		 752 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
753 GNUTLS_X509_FMT_PEM, m.data, &sz))
754 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
755 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
756 rc, host, errstr);
17c76198 757 m.size = sz;
f3ebb786 758 if (!(m.data = store_malloc(m.size)))
452a164f 759 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
40c90bca 760
1f00591e 761 /* this will return a size 1 less than the allocation size above */
452a164f
JH		 762 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
763 m.data, &sz)))
17c76198 764 {
f3ebb786 765 store_free(m.data);
452a164f 766 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
17c76198 767 }
1f00591e 768 m.size = sz; /* shrink by 1, probably */
059ec3d9 769
f5d25c2b 770 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198 771 {
f3ebb786 772 store_free(m.data);
452a164f
JH		 773 return tls_error_sys(US"TLS cache write D-H params failed",
774 errno, NULL, errstr);
17c76198 775 }
f3ebb786 776 store_free(m.data);
f5d25c2b 777 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
452a164f
JH		 778 return tls_error_sys(US"TLS cache write D-H params final newline failed",
779 errno, NULL, errstr);
17c76198 780
f5d25c2b 781 if ((rc = close(fd)))
452a164f 782 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
059ec3d9 783
17c76198 784 if (Urename(temp_fn, filename) < 0)
452a164f
JH		 785 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
786 temp_fn, filename), errno, NULL, errstr);
059ec3d9 787
17c76198 788 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH		 789 }
790
17c76198 791DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH		 792return OK;
793}
49132a3b 794#endif
059ec3d9
PH		 795
796
797
798
23bb6982
JH		 799/* Create and install a selfsigned certificate, for use in server mode */
800
801static int
cf0c6164 802tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH		 803{
804gnutls_x509_crt_t cert = NULL;
805time_t now;
806gnutls_x509_privkey_t pkey = NULL;
807const uschar * where;
808int rc;
809
810where = US"initialising pkey";
811if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
812
813where = US"initialising cert";
814if ((rc = gnutls_x509_crt_init(&cert))) goto err;
815
816where = US"generating pkey";
817if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 818#ifdef SUPPORT_PARAM_TO_PK_BITS
4312da48
JH		 819# ifndef GNUTLS_SEC_PARAM_MEDIUM
820# define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
821# endif
6aac3239 822 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
76075bb5 823#else
6aac3239 824 2048,
76075bb5
JH		 825#endif
826 0)))
23bb6982
JH		 827 goto err;
828
829where = US"configuring cert";
1613fd68 830now = 1;
23bb6982
JH		 831if ( (rc = gnutls_x509_crt_set_version(cert, 3))
832 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
833 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
834 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
835 || (rc = gnutls_x509_crt_set_key(cert, pkey))
836
837 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
838 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
839 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
840 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
841 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
842 GNUTLS_OID_X520_COMMON_NAME, 0,
843 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
844 )
845 goto err;
846
847where = US"signing cert";
848if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
849
850where = US"installing selfsign cert";
851 /* Since: 2.4.0 */
852if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
853 goto err;
854
855rc = OK;
856
857out:
858 if (cert) gnutls_x509_crt_deinit(cert);
859 if (pkey) gnutls_x509_privkey_deinit(pkey);
860 return rc;
861
862err:
452a164f 863 rc = tls_error_gnu(where, rc, NULL, errstr);
23bb6982
JH		 864 goto out;
865}
866
867
868
869
47195144
JH		 870/* Add certificate and key, from files.
871
872Return:
873 Zero or negative: good. Negate value for certificate index if < 0.
874 Greater than zero: FAIL or DEFER code.
875*/
876
ba86e143
JH		 877static int
878tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
879 uschar * certfile, uschar * keyfile, uschar ** errstr)
880{
881int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
882 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
47195144 883if (rc < 0)
452a164f 884 return tls_error_gnu(
47195144 885 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
452a164f 886 rc, host, errstr);
47195144 887return -rc;
ba86e143
JH		 888}
889
890
d896cef5
JH		 891#if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
892/* Load an OCSP proof from file for sending by the server. Called
893on getting a status-request handshake message, for earlier versions
894of GnuTLS. */
895
896static int
897server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
898 gnutls_datum_t * ocsp_response)
899{
900int ret;
901DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
902
903if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
904 {
905 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
906 CS ptr);
907 tls_in.ocsp = OCSP_NOT_RESP;
908 return GNUTLS_E_NO_CERTIFICATE_STATUS;
909 }
910
911tls_in.ocsp = OCSP_VFY_NOT_TRIED;
912return 0;
913}
914#endif
915
916
be427508 917#ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e5489333
JH		 918/* Make a note that we saw a status-request */
919static int
920tls_server_clienthello_ext(void * ctx, unsigned tls_id,
921 const unsigned char *data, unsigned size)
922{
923/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
924if (tls_id == 5) /* status_request */
925 {
e326959e 926 DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
e5489333
JH		 927 tls_in.ocsp = OCSP_NOT_RESP;
928 }
929return 0;
930}
931
932/* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
933static int
934tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
935 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
936{
937/* Call fn for each extension seen. 3.6.3 onwards */
938return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
939 GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
940}
e326959e
JH		 941
942
943/* Make a note that we saw a status-response */
944static int
945tls_server_servercerts_ext(void * ctx, unsigned tls_id,
946 const unsigned char *data, unsigned size)
947{
948/* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
949/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
950if (FALSE && tls_id == 5) /* status_request */
951 {
952 DEBUG(D_tls) debug_printf("Seen status_request extension\n");
953 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
954 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
955 }
956return 0;
957}
958
959/* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
960static int
961tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
962 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
963{
964/* Call fn for each extension seen. 3.6.3 onwards */
965#ifdef notdef
966/*XXX crashes */
967return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
968#endif
969}
be427508 970#endif
e5489333 971
e326959e
JH		 972/*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
973 "Handshake Protocol: Certificate" record.
974So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
975
976This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term).
977*/
978
727a5d25 979#if defined(EXPERIMENTAL_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
e5489333
JH		 980/* Callback for certificate-status, on server. We sent stapled OCSP. */
981static int
982tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
983 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
984{
e326959e 985DEBUG(D_tls) debug_printf("Sending certificate-status\n"); /*XXX we get this for tls1.2 but not for 1.3 */
e5489333
JH		 986#ifdef SUPPORT_SRV_OCSP_STACK
987tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
988 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
989#else
990tls_in.ocsp = OCSP_VFY_NOT_TRIED;
991#endif
992return 0;
993}
994
995/* Callback for handshake messages, on server */
996static int
997tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
998 unsigned incoming, const gnutls_datum_t * msg)
999{
e326959e 1000/* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
e5489333
JH		 1001switch (htype)
1002 {
727a5d25 1003# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e5489333
JH		 1004 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1005 return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
e326959e
JH		 1006 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1007 return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
727a5d25 1008# endif
e5489333
JH		 1009 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1010 return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
727a5d25 1011# ifdef EXPERIMENTAL_TLS_RESUME
e5489333
JH		 1012 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1013 return tls_server_ticket_cb(sess, htype, when, incoming, msg);
727a5d25 1014# endif
e5489333
JH		 1015 default:
1016 return 0;
1017 }
1018}
727a5d25 1019#endif
e5489333
JH		 1020
1021
727a5d25 1022#if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
e5489333
JH		 1023static void
1024tls_server_testharness_ocsp_fiddle(void)
1025{
1026extern char ** environ;
1027if (environ) for (uschar ** p = USS environ; *p; p++)
1028 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1029 {
1030 DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
1031 exim_testharness_disable_ocsp_validity_check = TRUE;
1032 }
1033}
727a5d25 1034#endif
e5489333 1035
059ec3d9 1036/*************************************************
17c76198 1037* Variables re-expanded post-SNI *
059ec3d9
PH		 1038*************************************************/
1039
17c76198
PP		 1040/* Called from both server and client code, via tls_init(), and also from
1041the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
1042
1043We can tell the two apart by state->received_sni being non-NULL in callback.
1044
1045The callback should not call us unless state->trigger_sni_changes is true,
1046which we are responsible for setting on the first pass through.
059ec3d9
PH		 1047
1048Arguments:
17c76198 1049 state exim_gnutls_state_st *
cf0c6164 1050 errstr error string pointer
059ec3d9
PH		 1051
1052Returns: OK/DEFER/FAIL
1053*/
1054
1055static int
ba86e143 1056tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1057{
1365611d 1058struct stat statbuf;
059ec3d9 1059int rc;
17c76198
PP		 1060const host_item *host = state->host; /* macro should be reconsidered? */
1061uschar *saved_tls_certificate = NULL;
1062uschar *saved_tls_privatekey = NULL;
1063uschar *saved_tls_verify_certificates = NULL;
1064uschar *saved_tls_crl = NULL;
1065int cert_count;
1066
1067/* We check for tls_sni *before* expansion. */
2b4a568d 1068if (!host) /* server */
17c76198
PP		 1069 if (!state->received_sni)
1070 {
ba86e143
JH		 1071 if ( state->tls_certificate
1072 && ( Ustrstr(state->tls_certificate, US"tls_sni")
1073 || Ustrstr(state->tls_certificate, US"tls_in_sni")
1074 || Ustrstr(state->tls_certificate, US"tls_out_sni")
1075 ) )
17c76198
PP		 1076 {
1077 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
1078 state->trigger_sni_changes = TRUE;
1079 }
1080 }
1081 else
1082 {
1365611d 1083 /* useful for debugging */
17c76198
PP		 1084 saved_tls_certificate = state->exp_tls_certificate;
1085 saved_tls_privatekey = state->exp_tls_privatekey;
1086 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
1087 saved_tls_crl = state->exp_tls_crl;
1088 }
059ec3d9 1089
452a164f
JH		 1090if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
1091 return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
1092 rc, host, errstr);
47195144
JH		 1093
1094#ifdef SUPPORT_SRV_OCSP_STACK
1095gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
e326959e
JH		 1096
1097# if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1098if (!host && tls_ocsp_file)
1099 {
1100 if (f.running_in_test_harness)
1101 tls_server_testharness_ocsp_fiddle();
1102
1103 if (exim_testharness_disable_ocsp_validity_check)
1104 gnutls_certificate_set_flags(state->x509_cred,
1105 GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
1106 }
1107# endif
47195144 1108#endif
1365611d 1109
17c76198
PP		 1110/* remember: expand_check_tlsvar() is expand_check() but fiddling with
1111state members, assuming consistent naming; and expand_check() returns
1112false if expansion failed, unless expansion was forced to fail. */
059ec3d9 1113
17c76198
PP		 1114/* check if we at least have a certificate, before doing expensive
1115D-H generation. */
059ec3d9 1116
cf0c6164 1117if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 1118 return DEFER;
059ec3d9 1119
17c76198 1120/* certificate is mandatory in server, optional in client */
059ec3d9 1121
23bb6982
JH		 1122if ( !state->exp_tls_certificate
1123 || !*state->exp_tls_certificate
1124 )
2b4a568d 1125 if (!host)
cf0c6164 1126 return tls_install_selfsign(state, errstr);
17c76198
PP		 1127 else
1128 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 1129
cf0c6164 1130if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH		 1131 return DEFER;
1132
17c76198
PP		 1133/* tls_privatekey is optional, defaulting to same file as certificate */
1134
e326959e 1135if (!state->tls_privatekey || !*state->tls_privatekey)
059ec3d9 1136 {
17c76198
PP		 1137 state->tls_privatekey = state->tls_certificate;
1138 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 1139 }
c91535f3 1140
059ec3d9 1141
17c76198 1142if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH		 1143 {
1144 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP		 1145 state->exp_tls_certificate, state->exp_tls_privatekey);
1146
1147 if (state->received_sni)
23bb6982
JH		 1148 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
1149 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
1150 )
17c76198 1151 {
b34fc30c 1152 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP		 1153 }
1154 else
1155 {
b34fc30c 1156 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 1157 }
059ec3d9 1158
ba86e143
JH		 1159 if (!host) /* server */
1160 {
1161 const uschar * clist = state->exp_tls_certificate;
1162 const uschar * klist = state->exp_tls_privatekey;
47195144
JH		 1163 const uschar * olist;
1164 int csep = 0, ksep = 0, osep = 0, cnt = 0;
1165 uschar * cfile, * kfile, * ofile;
47195144 1166#ifndef DISABLE_OCSP
e326959e
JH		 1167# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1168 gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
1169# endif
1170
47195144
JH		 1171 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
1172 return DEFER;
1173 olist = ofile;
1174#endif
ba86e143
JH		 1175
1176 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
47195144 1177
ba86e143
JH		 1178 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
1179 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
47195144 1180 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
ba86e143
JH		 1181 return rc;
1182 else
47195144
JH		 1183 {
1184 int gnutls_cert_index = -rc;
e326959e
JH		 1185 DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
1186 gnutls_cert_index, cfile);
47195144
JH		 1187
1188#ifndef DISABLE_OCSP
1189 if (tls_ocsp_file)
e5489333 1190 {
e326959e 1191 /* Set the OCSP stapling server info */
47195144
JH		 1192 if (gnutls_buggy_ocsp)
1193 {
1194 DEBUG(D_tls)
1195 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1196 }
1197 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1198 {
e326959e
JH		 1199 DEBUG(D_tls) debug_printf("OCSP response file %d = %s\n",
1200 gnutls_cert_index, ofile);
be427508 1201# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e326959e 1202 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
47195144 1203 {
e326959e
JH		 1204 ocsp_fmt = GNUTLS_X509_FMT_PEM;
1205 ofile += 4;
1206 }
1207 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1208 {
1209 ocsp_fmt = GNUTLS_X509_FMT_DER;
1210 ofile += 4;
1211 }
e5489333 1212
e326959e
JH		 1213 if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
1214 state->x509_cred, CCS ofile, gnutls_cert_index,
1215 ocsp_fmt)) < 0)
1216 return tls_error_gnu(
1217 US"gnutls_certificate_set_ocsp_status_request_file2",
1218 rc, host, errstr);
1219 DEBUG(D_tls)
1220 debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
e5489333 1221
e326959e
JH		 1222 /* Arrange callbacks for OCSP request observability */
1223
1224 gnutls_handshake_set_hook_function(state->session,
1225 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1226
1227# else
1228# if defined(SUPPORT_SRV_OCSP_STACK)
be427508
JH		 1229 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1230 state->x509_cred, gnutls_cert_index,
1231 server_ocsp_stapling_cb, ofile)))
1232 return tls_error_gnu(
1233 US"gnutls_certificate_set_ocsp_status_request_function2",
1234 rc, host, errstr);
1235 else
e326959e 1236# endif
e5489333
JH		 1237 {
1238 if (cnt++ > 0)
1239 {
1240 DEBUG(D_tls)
1241 debug_printf("oops; multiple OCSP files not supported\n");
1242 break;
1243 }
d896cef5
JH		 1244 gnutls_certificate_set_ocsp_status_request_function(
1245 state->x509_cred, server_ocsp_stapling_cb, ofile);
e5489333 1246 }
e326959e 1247# endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
47195144
JH		 1248 }
1249 else
1250 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
e5489333 1251 }
fd71e7b8 1252#endif /* DISABLE_OCSP */
47195144 1253 }
ba86e143 1254 }
e5489333 1255 else /* client */
ba86e143 1256 {
47195144 1257 if (0 < (rc = tls_add_certfile(state, host,
ba86e143
JH		 1258 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1259 return rc;
1260 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1261 }
1262
b34fc30c 1263 } /* tls_certificate */
059ec3d9 1264
2b4a568d 1265
059ec3d9
PH		 1266/* Set the trusted CAs file if one is provided, and then add the CRL if one is
1267provided. Experiment shows that, if the certificate file is empty, an unhelpful
1268error message is provided. However, if we just refrain from setting anything up
1269in that case, certificate verification fails, which seems to be the correct
1270behaviour. */
1271
610ff438 1272if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 1273 {
cf0c6164 1274 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 1275 return DEFER;
610ff438
JH		 1276#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1277 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1278 state->exp_tls_verify_certificates = NULL;
1279#endif
17c76198 1280 if (state->tls_crl && *state->tls_crl)
cf0c6164 1281 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 1282 return DEFER;
059ec3d9 1283
1365611d
PP		 1284 if (!(state->exp_tls_verify_certificates &&
1285 *state->exp_tls_verify_certificates))
b34fc30c
PP		 1286 {
1287 DEBUG(D_tls)
1365611d
PP		 1288 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1289 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 1290 return OK;
b34fc30c 1291 }
1365611d 1292 }
83e2f8a2
PP		 1293else
1294 {
1295 DEBUG(D_tls)
1296 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1297 return OK;
1298 }
17c76198 1299
cb1d7830
JH		 1300#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1301if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1302 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1303else
1304#endif
1365611d 1305 {
cb1d7830
JH		 1306 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1307 {
d896cef5 1308 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
cb1d7830
JH		 1309 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1310 strerror(errno));
1311 return DEFER;
1312 }
17c76198 1313
a7fec7a7 1314#ifndef SUPPORT_CA_DIR
cb1d7830
JH		 1315 /* The test suite passes in /dev/null; we could check for that path explicitly,
1316 but who knows if someone has some weird FIFO which always dumps some certs, or
1317 other weirdness. The thing we really want to check is that it's not a
1318 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 1319 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH		 1320 if (S_ISDIR(statbuf.st_mode))
1321 {
1322 DEBUG(D_tls)
1323 debug_printf("verify certificates path is a dir: \"%s\"\n",
1324 state->exp_tls_verify_certificates);
1325 log_write(0, LOG_MAIN|LOG_PANIC,
1326 "tls_verify_certificates \"%s\" is a directory",
1327 state->exp_tls_verify_certificates);
1328 return DEFER;
1329 }
a7fec7a7 1330#endif
059ec3d9 1331
cb1d7830
JH		 1332 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1333 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 1334
cb1d7830
JH		 1335 if (statbuf.st_size == 0)
1336 {
1337 DEBUG(D_tls)
1338 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1339 return OK;
1340 }
059ec3d9 1341
cb1d7830 1342 cert_count =
a7fec7a7
JH		 1343
1344#ifdef SUPPORT_CA_DIR
cb1d7830
JH		 1345 (statbuf.st_mode & S_IFMT) == S_IFDIR
1346 ?
1347 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1348 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1349 :
a7fec7a7 1350#endif
cb1d7830
JH		 1351 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1352 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
12d95aa6
JH		 1353
1354#ifdef SUPPORT_CA_DIR
1355 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1356 when using the directory-of-certs config model. */
1357
1358 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1359 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1360#endif
cb1d7830 1361 }
a7fec7a7 1362
1365611d 1363if (cert_count < 0)
452a164f
JH		 1364 return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
1365DEBUG(D_tls)
1366 debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1367
5c8cda3a
PP		 1368if (state->tls_crl && *state->tls_crl &&
1369 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1370 {
5c8cda3a 1371 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
452a164f
JH		 1372 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1373 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
1374 return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
1375 cert_count, host, errstr);
1376
5c8cda3a 1377 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1378 }
059ec3d9 1379
059ec3d9
PH		 1380return OK;
1381}
1382
1383
1384
1385
1365611d
PP		 1386/*************************************************
1387* Set X.509 state variables *
1388*************************************************/
1389
1390/* In GnuTLS, the registered cert/key are not replaced by a later
1391set of a cert/key, so for SNI support we need a whole new x509_cred
1392structure. Which means various other non-re-expanded pieces of state
1393need to be re-set in the new struct, so the setting logic is pulled
1394out to this.
1395
1396Arguments:
1397 state exim_gnutls_state_st *
cf0c6164 1398 errstr error string pointer
1365611d
PP		 1399
1400Returns: OK/DEFER/FAIL
1401*/
1402
1403static int
cf0c6164 1404tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP		 1405{
1406int rc;
1407const host_item *host = state->host; /* macro should be reconsidered? */
1408
49132a3b 1409#ifndef GNUTLS_AUTO_DHPARAMS
1365611d
PP		 1410/* Create D-H parameters, or read them from the cache file. This function does
1411its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1412client-side params. */
1413
1414if (!state->host)
1415 {
1416 if (!dh_server_params)
452a164f 1417 if ((rc = init_server_dh(errstr)) != OK) return rc;
49132a3b
JH		 1418
1419 /* Unnecessary & discouraged with 3.6.0 or later */
1365611d
PP		 1420 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1421 }
49132a3b 1422#endif
1365611d
PP		 1423
1424/* Link the credentials to the session. */
1425
452a164f
JH		 1426if ((rc = gnutls_credentials_set(state->session,
1427 GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
1428 return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
1365611d
PP		 1429
1430return OK;
1431}
1432
059ec3d9 1433/*************************************************
17c76198 1434* Initialize for GnuTLS *
059ec3d9
PH		 1435*************************************************/
1436
9196d5bf 1437
4fb7df6d
JH		 1438#ifndef DISABLE_OCSP
1439
9196d5bf
JH		 1440static BOOL
1441tls_is_buggy_ocsp(void)
1442{
1443const uschar * s;
1444uschar maj, mid, mic;
1445
1446s = CUS gnutls_check_version(NULL);
1447maj = atoi(CCS s);
1448if (maj == 3)
1449 {
1450 while (*s && *s != '.') s++;
1451 mid = atoi(CCS ++s);
1452 if (mid <= 2)
1453 return TRUE;
1454 else if (mid >= 5)
1455 return FALSE;
1456 else
1457 {
1458 while (*s && *s != '.') s++;
1459 mic = atoi(CCS ++s);
1460 return mic <= (mid == 3 ? 16 : 3);
1461 }
1462 }
1463return FALSE;
1464}
1465
4fb7df6d 1466#endif
9196d5bf
JH		 1467
1468
17c76198
PP		 1469/* Called from both server and client code. In the case of a server, errors
1470before actual TLS negotiation return DEFER.
059ec3d9
PH		 1471
1472Arguments:
17c76198
PP		 1473 host connected host, if client; NULL if server
1474 certificate certificate file
1475 privatekey private key file
1476 sni TLS SNI to send, sometimes when client; else NULL
1477 cas CA certs file
1478 crl CRL file
1479 require_ciphers tls_require_ciphers setting
817d9f57 1480 caller_state returned state-info structure
cf0c6164 1481 errstr error string pointer
059ec3d9 1482
17c76198 1483Returns: OK/DEFER/FAIL
059ec3d9
PH		 1484*/
1485
17c76198
PP		 1486static int
1487tls_init(
1488 const host_item *host,
1489 const uschar *certificate,
1490 const uschar *privatekey,
1491 const uschar *sni,
1492 const uschar *cas,
1493 const uschar *crl,
1494 const uschar *require_ciphers,
cf0c6164 1495 exim_gnutls_state_st **caller_state,
74f1a423 1496 tls_support * tlsp,
cf0c6164 1497 uschar ** errstr)
059ec3d9 1498{
00c0dd4e 1499exim_gnutls_state_st * state;
17c76198
PP		 1500int rc;
1501size_t sz;
00c0dd4e
JH		 1502const char * errpos;
1503const uschar * p;
17c76198
PP		 1504
1505if (!exim_gnutls_base_init_done)
059ec3d9 1506 {
17c76198
PP		 1507 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1508
9f707b89 1509#if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
a5f239e4
PP		 1510 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1511 which loads modules from a config file, which sounds good and may be wanted
1512 by some sysadmin, but also means in common configurations that GNOME keyring
1513 environment variables are used and so breaks for users calling mailq.
1514 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1515 if (!gnutls_allow_auto_pkcs11)
452a164f
JH		 1516 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
1517 return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
a5f239e4
PP		 1518#endif
1519
4d2a62a3 1520#ifndef GNUTLS_AUTO_GLOBAL_INIT
452a164f
JH		 1521 if ((rc = gnutls_global_init()))
1522 return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
4d2a62a3 1523#endif
17c76198
PP		 1524
1525#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1526 DEBUG(D_tls)
059ec3d9 1527 {
17c76198 1528 gnutls_global_set_log_function(exim_gnutls_logger_cb);
aded2255 1529 /* arbitrarily chosen level; bump up to 9 for more */
17c76198 1530 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1531 }
17c76198
PP		 1532#endif
1533
4fb7df6d
JH		 1534#ifndef DISABLE_OCSP
1535 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1536 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1537#endif
9196d5bf 1538
17c76198 1539 exim_gnutls_base_init_done = TRUE;
059ec3d9 1540 }
059ec3d9 1541
17c76198
PP		 1542if (host)
1543 {
74f1a423
JH		 1544 /* For client-side sessions we allocate a context. This lets us run
1545 several in parallel. */
1546 int old_pool = store_pool;
1547 store_pool = POOL_PERM;
f3ebb786 1548 state = store_get(sizeof(exim_gnutls_state_st), FALSE);
74f1a423
JH		 1549 store_pool = old_pool;
1550
17c76198 1551 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1552 state->tlsp = tlsp;
17c76198
PP		 1553 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1554 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1555 }
1556else
1557 {
1558 state = &state_server;
1559 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1560 state->tlsp = tlsp;
17c76198
PP		 1561 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1562 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1563 }
452a164f
JH		 1564if (rc)
1565 return tls_error_gnu(US"gnutls_init", rc, host, errstr);
059ec3d9 1566
17c76198 1567state->host = host;
059ec3d9 1568
17c76198
PP		 1569state->tls_certificate = certificate;
1570state->tls_privatekey = privatekey;
5779e6aa 1571state->tls_require_ciphers = require_ciphers;
17c76198
PP		 1572state->tls_sni = sni;
1573state->tls_verify_certificates = cas;
1574state->tls_crl = crl;
059ec3d9 1575
17c76198
PP		 1576/* This handles the variables that might get re-expanded after TLS SNI;
1577that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1578
17c76198
PP		 1579DEBUG(D_tls)
1580 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1581if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1582
1365611d
PP		 1583/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1584requires a new structure afterwards. */
83da1223 1585
cf0c6164 1586if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1587
17c76198
PP		 1588/* set SNI in client, only */
1589if (host)
1590 {
cf0c6164 1591 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1592 return DEFER;
0df4ab80 1593 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP		 1594 {
1595 DEBUG(D_tls)
0df4ab80
JH		 1596 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1597 sz = Ustrlen(state->tlsp->sni);
452a164f
JH		 1598 if ((rc = gnutls_server_name_set(state->session,
1599 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
1600 return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
17c76198
PP		 1601 }
1602 }
1603else if (state->tls_sni)
1604 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
ba86e143 1605 "have an SNI set for a server [%s]\n", state->tls_sni);
83da1223 1606
17c76198 1607/* This is the priority string support,
42bfef1e 1608http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP		 1609and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1610This was backwards incompatible, but means Exim no longer needs to track
1611all algorithms and provide string forms for them. */
83da1223 1612
fc243e94 1613p = NULL;
17c76198 1614if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1615 {
cf0c6164 1616 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP		 1617 return DEFER;
1618 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1619 {
17c76198 1620 p = state->exp_tls_require_ciphers;
fc243e94 1621 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
83da1223
PH		 1622 }
1623 }
fc243e94 1624if (!p)
17c76198 1625 {
fc243e94 1626 p = exim_default_gnutls_priority;
83e2f8a2 1627 DEBUG(D_tls)
fc243e94 1628 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
17c76198 1629 }
83da1223 1630
452a164f
JH		 1631if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
1632 return tls_error_gnu(string_sprintf(
1633 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1634 p, errpos - CS p, errpos),
1635 rc, host, errstr);
17c76198 1636
452a164f
JH		 1637if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
1638 return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
17c76198 1639
b10c87b3
JH		 1640/* This also sets the server ticket expiration time to the same, and
1641the STEK rotation time to 3x. */
1642
17c76198
PP		 1643gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1644
1645/* Reduce security in favour of increased compatibility, if the admin
1646decides to make that trade-off. */
1647if (gnutls_compat_mode)
83da1223 1648 {
17c76198
PP		 1649#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1650 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1651 gnutls_session_enable_compatibility_mode(state->session);
1652#else
1653 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1654#endif
83da1223
PH		 1655 }
1656
17c76198 1657*caller_state = state;
17c76198 1658return OK;
83da1223
PH		 1659}
1660
1661
1662
059ec3d9 1663/*************************************************
17c76198 1664* Extract peer information *
059ec3d9
PH		 1665*************************************************/
1666
f1be21cf
JH		 1667static const uschar *
1668cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
1669 gnutls_mac_algorithm_t mac)
1670{
1671uschar cs_id[2];
1672gnutls_kx_algorithm_t kx_i;
1673gnutls_cipher_algorithm_t cipher_i;
1674gnutls_mac_algorithm_t mac_i;
1675
1676for (size_t i = 0;
1677 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
1678 i++)
1679 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
1680 return cipher_stdname(cs_id[0], cs_id[1]);
1681return NULL;
1682}
1683
1684
1685
17c76198 1686/* Called from both server and client code.
4fe99a6c
PP		 1687Only this is allowed to set state->peerdn and state->have_set_peerdn
1688and we use that to detect double-calls.
059ec3d9 1689
75fe387d
PP		 1690NOTE: the state blocks last while the TLS connection is up, which is fine
1691for logging in the server side, but for the client side, we log after teardown
1692in src/deliver.c. While the session is up, we can twist about states and
1693repoint tls_* globals, but those variables used for logging or other variable
1694expansion that happens _after_ delivery need to have a longer life-time.
1695
1696So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1697doing this more than once per generation of a state context. We set them in
1698the state context, and repoint tls_* to them. After the state goes away, the
1699tls_* copies of the pointers remain valid and client delivery logging is happy.
1700
1701tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1702don't apply.
1703
059ec3d9 1704Arguments:
17c76198 1705 state exim_gnutls_state_st *
cf0c6164 1706 errstr pointer to error string
059ec3d9 1707
17c76198 1708Returns: OK/DEFER/FAIL
059ec3d9
PH		 1709*/
1710
17c76198 1711static int
b10c87b3 1712peer_status(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1713{
b10c87b3
JH		 1714gnutls_session_t session = state->session;
1715const gnutls_datum_t * cert_list;
75fe387d 1716int old_pool, rc;
17c76198 1717unsigned int cert_list_size = 0;
4fe99a6c
PP		 1718gnutls_protocol_t protocol;
1719gnutls_cipher_algorithm_t cipher;
1720gnutls_kx_algorithm_t kx;
1721gnutls_mac_algorithm_t mac;
17c76198
PP		 1722gnutls_certificate_type_t ct;
1723gnutls_x509_crt_t crt;
b10c87b3 1724uschar * dn_buf;
17c76198 1725size_t sz;
059ec3d9 1726
4fe99a6c 1727if (state->have_set_peerdn)
17c76198 1728 return OK;
4fe99a6c 1729state->have_set_peerdn = TRUE;
059ec3d9 1730
4fe99a6c 1731state->peerdn = NULL;
059ec3d9 1732
4fe99a6c 1733/* tls_cipher */
b10c87b3
JH		 1734cipher = gnutls_cipher_get(session);
1735protocol = gnutls_protocol_get_version(session);
1736mac = gnutls_mac_get(session);
b9c6f63c
JH		 1737kx =
1738#ifdef GNUTLS_TLS1_3
1739 protocol >= GNUTLS_TLS1_3 ? 0 :
1740#endif
b10c87b3 1741 gnutls_kx_get(session);
4fe99a6c 1742
75fe387d 1743old_pool = store_pool;
f1be21cf 1744 {
b10c87b3 1745 tls_support * tlsp = state->tlsp;
f1be21cf 1746 store_pool = POOL_PERM;
d9acfc1c
JH		 1747
1748#ifdef SUPPORT_GNUTLS_SESS_DESC
1749 {
1750 gstring * g = NULL;
b10c87b3 1751 uschar * s = US gnutls_session_get_desc(session), c;
d9acfc1c
JH		 1752
1753 /* Nikos M suggests we use this by preference. It returns like:
1754 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
1755
1756 For partial back-compat, put a colon after the TLS version, replace the
1757 )-( grouping with __, replace in-group - with _ and append the :keysize. */
1758
1759 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
1760
1761 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
e4307860 1762
5b195d6b 1763 tlsp->ver = string_copyn(g->s, g->ptr);
e4307860
JH		 1764 for (uschar * p = US tlsp->ver; *p; p++)
1765 if (*p == '-') { *p = '\0'; break; } /* TLS1.0-PKIX -> TLS1.0 */
1766
d9acfc1c
JH		 1767 g = string_catn(g, US":", 1);
1768 if (*s) s++; /* now on _ between groups */
1769 while ((c = *s))
1770 {
e4307860
JH		 1771 for (*++s && ++s; (c = *s) && c != ')'; s++)
1772 g = string_catn(g, c == '-' ? US"_" : s, 1);
d9acfc1c
JH		 1773 /* now on ) closing group */
1774 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
1775 /* now on _ between groups */
1776 }
1777 g = string_catn(g, US":", 1);
1778 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
1779 state->ciphersuite = string_from_gstring(g);
1780 }
1781#else
f1be21cf
JH		 1782 state->ciphersuite = string_sprintf("%s:%s:%d",
1783 gnutls_protocol_get_name(protocol),
1784 gnutls_cipher_suite_get_name(kx, cipher, mac),
1785 (int) gnutls_cipher_get_key_size(cipher) * 8);
1786
1787 /* I don't see a way that spaces could occur, in the current GnuTLS
1788 code base, but it was a concern in the old code and perhaps older GnuTLS
1789 releases did return "TLS 1.0"; play it safe, just in case. */
1790
1791 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
5b195d6b
JH		 1792 tlsp->ver = string_copyn(state->ciphersuite,
1793 Ustrchr(state->ciphersuite, ':') - state->ciphersuite);
d9acfc1c
JH		 1794#endif
1795
1796/* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
1797
b10c87b3
JH		 1798 tlsp->cipher = state->ciphersuite;
1799 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
f1be21cf 1800
b10c87b3 1801 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
f1be21cf 1802 }
75fe387d 1803store_pool = old_pool;
4fe99a6c
PP		 1804
1805/* tls_peerdn */
b10c87b3 1806cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
83da1223 1807
f1be21cf 1808if (!cert_list || cert_list_size == 0)
17c76198 1809 {
17c76198
PP		 1810 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1811 cert_list, cert_list_size);
e51c7be2 1812 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1813 return tls_error(US"certificate verification failed",
48224640 1814 US"no certificate received from peer", state->host, errstr);
17c76198
PP		 1815 return OK;
1816 }
059ec3d9 1817
b10c87b3 1818if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
059ec3d9 1819 {
95f52235 1820 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
17c76198
PP		 1821 DEBUG(D_tls)
1822 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1823 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1824 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1825 ctn, state->host, errstr);
17c76198 1826 return OK;
83da1223 1827 }
059ec3d9 1828
e51c7be2
JH		 1829#define exim_gnutls_peer_err(Label) \
1830 do { \
1831 if (rc != GNUTLS_E_SUCCESS) \
1832 { \
1833 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1834 (Label), gnutls_strerror(rc)); \
1835 if (state->verify_requirement >= VERIFY_REQUIRED) \
452a164f 1836 return tls_error_gnu((Label), rc, state->host, errstr); \
e51c7be2
JH		 1837 return OK; \
1838 } \
1839 } while (0)
17c76198 1840
9d1c15ef
JH		 1841rc = import_cert(&cert_list[0], &crt);
1842exim_gnutls_peer_err(US"cert 0");
1843
1844state->tlsp->peercert = state->peercert = crt;
17c76198 1845
17c76198
PP		 1846sz = 0;
1847rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1848if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1849 {
17c76198
PP		 1850 exim_gnutls_peer_err(US"getting size for cert DN failed");
1851 return FAIL; /* should not happen */
059ec3d9 1852 }
f3ebb786 1853dn_buf = store_get_perm(sz, TRUE); /* tainted */
17c76198
PP		 1854rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1855exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1856
17c76198
PP		 1857state->peerdn = dn_buf;
1858
1859return OK;
1860#undef exim_gnutls_peer_err
1861}
059ec3d9 1862
059ec3d9 1863
059ec3d9 1864
059ec3d9 1865
17c76198
PP		 1866/*************************************************
1867* Verify peer certificate *
1868*************************************************/
059ec3d9 1869
17c76198
PP		 1870/* Called from both server and client code.
1871*Should* be using a callback registered with
1872gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1873the peer information, but that's too new for some OSes.
059ec3d9 1874
17c76198 1875Arguments:
899b8bbc
JH		 1876 state exim_gnutls_state_st *
1877 errstr where to put an error message
059ec3d9 1878
17c76198
PP		 1879Returns:
1880 FALSE if the session should be rejected
1881 TRUE if the cert is okay or we just don't care
1882*/
059ec3d9 1883
17c76198 1884static BOOL
28646fa9 1885verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
17c76198
PP		 1886{
1887int rc;
899b8bbc
JH		 1888uint verify;
1889
8008accd 1890DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
cf0c6164 1891*errstr = NULL;
b10c87b3 1892rc = peer_status(state, errstr);
17c76198 1893
b10c87b3
JH		 1894if (state->verify_requirement == VERIFY_NONE)
1895 return TRUE;
1896
1897if (rc != OK || !state->peerdn)
e6060e2c 1898 {
17c76198 1899 verify = GNUTLS_CERT_INVALID;
cf0c6164 1900 *errstr = US"certificate not supplied";
17c76198
PP		 1901 }
1902else
899b8bbc
JH		 1903
1904 {
1905#ifdef SUPPORT_DANE
1906 if (state->verify_requirement == VERIFY_DANE && state->host)
1907 {
1908 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1909 including talking to a DNS resolver. But we want to do that bit ourselves
1910 as the testsuite intercepts and fakes its own DNS environment. */
1911
1912 dane_state_t s;
1913 dane_query_t r;
899b8bbc 1914 uint lsize;
94c13285
JH		 1915 const gnutls_datum_t * certlist =
1916 gnutls_certificate_get_peers(state->session, &lsize);
1917 int usage = tls_out.tlsa_usage;
1918
1919# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1920 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1921 dane-verification separately so that we know which selector verified;
570cb1bd 1922 then we know whether to do name-verification (needed for TA but not EE). */
94c13285
JH		 1923
1924 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
bd5b3f3c 1925 { /* a mixed-usage bundle */
94c13285
JH		 1926 int i, j, nrec;
1927 const char ** dd;
1928 int * ddl;
1929
1930 for(nrec = 0; state->dane_data_len[nrec]; ) nrec++;
1931 nrec++;
1932
f3ebb786
JH		 1933 dd = store_get(nrec * sizeof(uschar *), FALSE);
1934 ddl = store_get(nrec * sizeof(int), FALSE);
94c13285
JH		 1935 nrec--;
1936
1937 if ((rc = dane_state_init(&s, 0)))
1938 goto tlsa_prob;
1939
1940 for (usage = DANESSL_USAGE_DANE_EE;
1941 usage >= DANESSL_USAGE_DANE_TA; usage--)
1942 { /* take records with this usage */
1943 for (j = i = 0; i < nrec; i++)
1944 if (state->dane_data[i][0] == usage)
1945 {
1946 dd[j] = state->dane_data[i];
1947 ddl[j++] = state->dane_data_len[i];
1948 }
1949 if (j)
1950 {
1951 dd[j] = NULL;
1952 ddl[j] = 0;
1953
1954 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1955 goto tlsa_prob;
1956
1957 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1958 gnutls_certificate_type_get(state->session),
1959 r, 0,
1960 usage == DANESSL_USAGE_DANE_EE
1961 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1962 &verify)))
1963 {
1964 DEBUG(D_tls)
1965 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1966 }
1967 else if (verify == 0) /* verification passed */
1968 {
1969 usage = 1 << usage;
1970 break;
1971 }
1972 }
1973 }
899b8bbc 1974
94c13285
JH		 1975 if (rc) goto tlsa_prob;
1976 }
1977 else
1978# endif
899b8bbc 1979 {
94c13285
JH		 1980 if ( (rc = dane_state_init(&s, 0))
1981 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
1982 1, 0))
1983 || (rc = dane_verify_crt_raw(s, certlist, lsize,
1984 gnutls_certificate_type_get(state->session),
5ec37a55 1985 r, 0,
94c13285
JH		 1986# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1987 usage == (1 << DANESSL_USAGE_DANE_EE)
1988 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1989# else
1990 0,
1991# endif
1992 &verify))
1993 )
1994 goto tlsa_prob;
899b8bbc 1995 }
94c13285
JH		 1996
1997 if (verify != 0) /* verification failed */
899b8bbc
JH		 1998 {
1999 gnutls_datum_t str;
2000 (void) dane_verification_status_print(verify, &str, 0);
2001 *errstr = US str.data; /* don't bother to free */
2002 goto badcert;
2003 }
28646fa9 2004
94c13285
JH		 2005# ifdef GNUTLS_BROKEN_DANE_VALIDATION
2006 /* If a TA-mode TLSA record was used for verification we must additionally
570cb1bd 2007 verify the cert name (but not the CA chain). For EE-mode, skip it. */
28646fa9 2008
94c13285
JH		 2009 if (usage & (1 << DANESSL_USAGE_DANE_EE))
2010# endif
28646fa9 2011 {
570cb1bd 2012 state->peer_dane_verified = state->peer_cert_verified = TRUE;
28646fa9
JH		 2013 goto goodcert;
2014 }
570cb1bd
JH		 2015# ifdef GNUTLS_BROKEN_DANE_VALIDATION
2016 /* Assume that the name on the A-record is the one that should be matching
2017 the cert. An alternate view is that the domain part of the email address
2018 is also permissible. */
2019
2020 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2021 CS state->host->name))
2022 {
2023 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2024 goto goodcert;
2025 }
2026# endif
899b8bbc 2027 }
570cb1bd 2028#endif /*SUPPORT_DANE*/
899b8bbc 2029
17c76198 2030 rc = gnutls_certificate_verify_peers2(state->session, &verify);
899b8bbc 2031 }
e6060e2c 2032
899b8bbc 2033/* Handle the result of verification. INVALID is set if any others are. */
059ec3d9 2034
28646fa9 2035if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
17c76198
PP		 2036 {
2037 state->peer_cert_verified = FALSE;
cf0c6164 2038 if (!*errstr)
184384c3
JH		 2039 {
2040#ifdef GNUTLS_CERT_VFY_STATUS_PRINT
2041 DEBUG(D_tls)
2042 {
2043 gnutls_datum_t txt;
2044
2045 if (gnutls_certificate_verification_status_print(verify,
2046 gnutls_certificate_type_get(state->session), &txt, 0)
2047 == GNUTLS_E_SUCCESS)
2048 {
2049 debug_printf("%s\n", txt.data);
2050 gnutls_free(txt.data);
2051 }
2052 }
2053#endif
cf0c6164
JH		 2054 *errstr = verify & GNUTLS_CERT_REVOKED
2055 ? US"certificate revoked" : US"certificate invalid";
184384c3 2056 }
059ec3d9 2057
17c76198 2058 DEBUG(D_tls)
e51c7be2 2059 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 2060 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 2061
e51c7be2 2062 if (state->verify_requirement >= VERIFY_REQUIRED)
899b8bbc 2063 goto badcert;
17c76198 2064 DEBUG(D_tls)
4789da3a 2065 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 2066 }
e51c7be2 2067
17c76198
PP		 2068else
2069 {
5fd28bb8
JH		 2070 /* Client side, check the server's certificate name versus the name on the
2071 A-record for the connection we made. What to do for server side - what name
2072 to use for client? We document that there is no such checking for server
2073 side. */
2074
2075 if ( state->exp_tls_verify_cert_hostnames
2076 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2077 CS state->exp_tls_verify_cert_hostnames)
2078 )
e51c7be2 2079 {
5fd28bb8
JH		 2080 DEBUG(D_tls)
2081 debug_printf("TLS certificate verification failed: cert name mismatch\n");
2082 if (state->verify_requirement >= VERIFY_REQUIRED)
2083 goto badcert;
2084 return TRUE;
e51c7be2 2085 }
5fd28bb8 2086
17c76198 2087 state->peer_cert_verified = TRUE;
e51c7be2 2088 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 2089 state->peerdn ? state->peerdn : US"<unset>");
17c76198 2090 }
059ec3d9 2091
28646fa9
JH		 2092goodcert:
2093 state->tlsp->peerdn = state->peerdn;
2094 return TRUE;
899b8bbc 2095
b83314e3 2096#ifdef SUPPORT_DANE
94c13285 2097tlsa_prob:
624f33df
JH		 2098 *errstr = string_sprintf("TLSA record problem: %s",
2099 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
b83314e3
JH		 2100#endif
2101
899b8bbc
JH		 2102badcert:
2103 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
2104 return FALSE;
17c76198 2105}
059ec3d9 2106
17c76198
PP		 2107
2108
2109
2110/* ------------------------------------------------------------------------ */
2111/* Callbacks */
2112
2113/* Logging function which can be registered with
2114 * gnutls_global_set_log_function()
2115 * gnutls_global_set_log_level() 0..9
2116 */
af3498d6 2117#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 2118static void
17c76198 2119exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 2120{
8c79eebf
PP		 2121 size_t len = strlen(message);
2122 if (len < 1)
2123 {
2124 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
2125 return;
2126 }
2127 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
2128 message[len-1] == '\n' ? "" : "\n");
17c76198 2129}
af3498d6 2130#endif
059ec3d9 2131
059ec3d9 2132
17c76198
PP		 2133/* Called after client hello, should handle SNI work.
2134This will always set tls_sni (state->received_sni) if available,
2135and may trigger presenting different certificates,
2136if state->trigger_sni_changes is TRUE.
059ec3d9 2137
17c76198
PP		 2138Should be registered with
2139 gnutls_handshake_set_post_client_hello_function()
059ec3d9 2140
17c76198
PP		 2141"This callback must return 0 on success or a gnutls error code to terminate the
2142handshake.".
059ec3d9 2143
17c76198
PP		 2144For inability to get SNI information, we return 0.
2145We only return non-zero if re-setup failed.
817d9f57 2146Only used for server-side TLS.
17c76198 2147*/
44bbabb5 2148
17c76198
PP		 2149static int
2150exim_sni_handling_cb(gnutls_session_t session)
2151{
2152char sni_name[MAX_HOST_LEN];
2153size_t data_len = MAX_HOST_LEN;
817d9f57 2154exim_gnutls_state_st *state = &state_server;
17c76198
PP		 2155unsigned int sni_type;
2156int rc, old_pool;
cf0c6164 2157uschar * dummy_errstr;
17c76198
PP		 2158
2159rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP		 2160if (rc != GNUTLS_E_SUCCESS)
2161 {
8775d84f 2162 DEBUG(D_tls)
b34fc30c
PP		 2163 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
2164 debug_printf("TLS: no SNI presented in handshake.\n");
2165 else
2166 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
2167 gnutls_strerror(rc), rc);
b34fc30c
PP		 2168 return 0;
2169 }
2170
17c76198
PP		 2171if (sni_type != GNUTLS_NAME_DNS)
2172 {
2173 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
2174 return 0;
2175 }
44bbabb5 2176
17c76198
PP		 2177/* We now have a UTF-8 string in sni_name */
2178old_pool = store_pool;
2179store_pool = POOL_PERM;
89a80675 2180state->received_sni = string_copy_taint(US sni_name, TRUE);
17c76198
PP		 2181store_pool = old_pool;
2182
2183/* We set this one now so that variable expansions below will work */
817d9f57 2184state->tlsp->sni = state->received_sni;
17c76198
PP		 2185
2186DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
2187 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
2188
2189if (!state->trigger_sni_changes)
2190 return 0;
2191
cf0c6164 2192if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP		 2193 {
2194 /* If the setup of certs/etc failed before handshake, TLS would not have
2195 been offered. The best we can do now is abort. */
2196 return GNUTLS_E_APPLICATION_ERROR_MIN;
2197 }
2198
cf0c6164 2199rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP		 2200if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
2201
2202return 0;
059ec3d9
PH		 2203}
2204
2205
2206
0cbf2b82 2207#ifndef DISABLE_EVENT
a7538db1
JH		 2208/*
2209We use this callback to get observability and detail-level control
723fe533
JH		 2210for an exim TLS connection (either direction), raising a tls:cert event
2211for each cert in the chain presented by the peer. Any event
a7538db1
JH		 2212can deny verification.
2213
2214Return 0 for the handshake to continue or non-zero to terminate.
2215*/
2216
2217static int
723fe533 2218verify_cb(gnutls_session_t session)
a7538db1 2219{
27f19eb4 2220const gnutls_datum_t * cert_list;
a7538db1
JH		 2221unsigned int cert_list_size = 0;
2222gnutls_x509_crt_t crt;
2223int rc;
b30275b8 2224uschar * yield;
a7538db1
JH		 2225exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2226
bd5b3f3c 2227if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
a7538db1
JH		 2228 while (cert_list_size--)
2229 {
bd5b3f3c 2230 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
a7538db1
JH		 2231 {
2232 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2233 cert_list_size, gnutls_strerror(rc));
2234 break;
2235 }
2236
2237 state->tlsp->peercert = crt;
b30275b8
JH		 2238 if ((yield = event_raise(state->event_action,
2239 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH		 2240 {
2241 log_write(0, LOG_MAIN,
b30275b8
JH		 2242 "SSL verify denied by event-action: depth=%d: %s",
2243 cert_list_size, yield);
a7538db1
JH		 2244 return 1; /* reject */
2245 }
2246 state->tlsp->peercert = NULL;
2247 }
2248
2249return 0;
2250}
2251
2252#endif
44662487
JH		 2253
2254
f20cfa4a
JH		 2255static gstring *
2256ddump(gnutls_datum_t * d)
2257{
2258gstring * g = string_get((d->size+1) * 2);
2259uschar * s = d->data;
2260for (unsigned i = d->size; i > 0; i--, s++)
2261 {
2262 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2263 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2264 }
2265return g;
2266}
17c76198 2267
dc6d1769
JH		 2268static void
2269post_handshake_debug(exim_gnutls_state_st * state)
2270{
dc6d1769
JH		 2271#ifdef SUPPORT_GNUTLS_SESS_DESC
2272debug_printf("%s\n", gnutls_session_get_desc(state->session));
2273#endif
2274#ifdef SUPPORT_GNUTLS_KEYLOG
e326959e
JH		 2275
2276# ifdef EXIM_HAVE_TLS1_3
dc6d1769 2277if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
a8af957d
JH		 2278#else
2279if (TRUE)
2280#endif
dc6d1769
JH		 2281 {
2282 gnutls_datum_t c, s;
2283 gstring * gc, * gs;
2284 /* we only want the client random and the master secret */
2285 gnutls_session_get_random(state->session, &c, &s);
2286 gnutls_session_get_master_secret(state->session, &s);
2287 gc = ddump(&c);
2288 gs = ddump(&s);
2289 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2290 }
2291else
2292 debug_printf("To get keying info for TLS1.3 is hard:\n"
2293 " set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n"
2294 " add SSLKEYLOGFILE to keep_environment in the exim config\n"
2295 " run exim as root\n"
e326959e
JH		 2296 " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
2297 " (works for TLS1.2 also, and saves cut-paste into file)\n");
dc6d1769
JH		 2298#endif
2299}
2300
b10c87b3
JH		 2301
2302#ifdef EXPERIMENTAL_TLS_RESUME
2303static int
2304tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2305 unsigned incoming, const gnutls_datum_t * msg)
2306{
2307DEBUG(D_tls) debug_printf("newticket cb\n");
2308tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2309return 0;
2310}
2311
2312static void
2313tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2314{
2315/* Should the server offer session resumption? */
2316tls_in.resumption = RESUME_SUPPORTED;
2317if (verify_check_host(&tls_resumption_hosts) == OK)
2318 {
2319 int rc;
2320 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2321 an offered resumption is unacceptable. We lose one resumption per ticket
2322 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2323 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2324 least they go out in a single packet. */
2325
2326 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2327 &server_sessticket_key)))
2328 tls_in.resumption |= RESUME_SERVER_TICKET;
2329 else
2330 DEBUG(D_tls)
2331 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2332
2333 /* Try to tell if we see a ticket request */
2334 gnutls_handshake_set_hook_function(state->session,
e5489333 2335 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
b10c87b3
JH		 2336 }
2337}
2338
2339static void
2340tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2341{
2342if (gnutls_session_resumption_requested(state->session))
2343 {
2344 /* This tells us the client sent a full ticket. We use a
2345 callback on session-ticket request, elsewhere, to tell
2346 if a client asked for a ticket. */
2347
2348 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2349 DEBUG(D_tls) debug_printf("client requested resumption\n");
2350 }
2351if (gnutls_session_is_resumed(state->session))
2352 {
2353 tls_in.resumption |= RESUME_USED;
2354 DEBUG(D_tls) debug_printf("Session resumed\n");
2355 }
2356}
2357#endif
17c76198
PP		 2358/* ------------------------------------------------------------------------ */
2359/* Exported functions */
2360
2361
2362
2363
059ec3d9
PH		 2364/*************************************************
2365* Start a TLS session in a server *
2366*************************************************/
2367
2368/* This is called when Exim is running as a server, after having received
2369the STARTTLS command. It must respond to that command, and then negotiate
2370a TLS session.
2371
2372Arguments:
83da1223 2373 require_ciphers list of allowed ciphers or NULL
cf0c6164 2374 errstr pointer to error string
059ec3d9
PH		 2375
2376Returns: OK on success
2377 DEFER for errors before the start of the negotiation
4c04137d 2378 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 2379 continue running.
2380*/
2381
2382int
cf0c6164 2383tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 2384{
2385int rc;
cf0c6164 2386exim_gnutls_state_st * state = NULL;
059ec3d9
PH		 2387
2388/* Check for previous activation */
74f1a423 2389if (tls_in.active.sock >= 0)
059ec3d9 2390 {
48224640 2391 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
925ac8e4 2392 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 2393 return FAIL;
2394 }
2395
2396/* Initialize the library. If it fails, it will already have logged the error
2397and sent an SMTP response. */
2398
17c76198 2399DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 2400
d85cdeb5
JH		 2401 {
2402#ifdef MEASURE_TIMING
2403 struct timeval t0;
2404 gettimeofday(&t0, NULL);
2405#endif
2406
2407 if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
2408 NULL, tls_verify_certificates, tls_crl,
2409 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
2410
2411#ifdef MEASURE_TIMING
2412 report_time_since(&t0, US"server tls_init (delta)");
2413#endif
2414 }
059ec3d9 2415
b10c87b3
JH		 2416#ifdef EXPERIMENTAL_TLS_RESUME
2417tls_server_resume_prehandshake(state);
2418#endif
2419
059ec3d9
PH		 2420/* If this is a host for which certificate verification is mandatory or
2421optional, set up appropriately. */
2422
059ec3d9 2423if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 2424 {
e51c7be2
JH		 2425 DEBUG(D_tls)
2426 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP		 2427 state->verify_requirement = VERIFY_REQUIRED;
2428 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2429 }
059ec3d9 2430else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 2431 {
e51c7be2
JH		 2432 DEBUG(D_tls)
2433 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP		 2434 state->verify_requirement = VERIFY_OPTIONAL;
2435 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2436 }
2437else
2438 {
e51c7be2
JH		 2439 DEBUG(D_tls)
2440 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP		 2441 state->verify_requirement = VERIFY_NONE;
2442 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2443 }
059ec3d9 2444
0cbf2b82 2445#ifndef DISABLE_EVENT
723fe533
JH		 2446if (event_action)
2447 {
2448 state->event_action = event_action;
2449 gnutls_session_set_ptr(state->session, state);
2450 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2451 }
2452#endif
2453
17c76198
PP		 2454/* Register SNI handling; always, even if not in tls_certificate, so that the
2455expansion variable $tls_sni is always available. */
059ec3d9 2456
17c76198
PP		 2457gnutls_handshake_set_post_client_hello_function(state->session,
2458 exim_sni_handling_cb);
059ec3d9
PH		 2459
2460/* Set context and tell client to go ahead, except in the case of TLS startup
2461on connection, where outputting anything now upsets the clients and tends to
2462make them disconnect. We need to have an explicit fflush() here, to force out
2463the response. Other smtp_printf() calls do not need it, because in non-TLS
2464mode, the fflush() happens when smtp_getc() is called. */
2465
817d9f57 2466if (!state->tlsp->on_connect)
059ec3d9 2467 {
925ac8e4 2468 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 2469 fflush(smtp_out);
059ec3d9
PH		 2470 }
2471
2472/* Now negotiate the TLS session. We put our own timer on it, since it seems
8008accd
JH		 2473that the GnuTLS library doesn't.
2474From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2475to set (and clear down afterwards) up a pull-timeout callback function that does
2476a select, so we're no better off unless avoiding signals becomes an issue. */
059ec3d9 2477
17c76198 2478gnutls_transport_set_ptr2(state->session,
27f19eb4
JH		 2479 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2480 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP		 2481state->fd_in = fileno(smtp_in);
2482state->fd_out = fileno(smtp_out);
059ec3d9
PH		 2483
2484sigalrm_seen = FALSE;
c2a1bba0 2485if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
17c76198 2486do
17c76198 2487 rc = gnutls_handshake(state->session);
157a7880 2488while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2489ALARM_CLR(0);
059ec3d9 2490
17c76198 2491if (rc != GNUTLS_E_SUCCESS)
059ec3d9 2492 {
059ec3d9
PH		 2493 /* It seems that, except in the case of a timeout, we have to close the
2494 connection right here; otherwise if the other end is running OpenSSL it hangs
2495 until the server times out. */
2496
60d10ce7 2497 if (sigalrm_seen)
ad7fc6eb 2498 {
48224640 2499 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
ad7fc6eb
JH		 2500 gnutls_db_remove_session(state->session);
2501 }
60d10ce7 2502 else
059ec3d9 2503 {
452a164f 2504 tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
f5d25c2b 2505 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 2506 gnutls_deinit(state->session);
ed62aae3 2507 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 2508 millisleep(500);
ad7fc6eb 2509 shutdown(state->fd_out, SHUT_WR);
d7978c0f 2510 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
f1e894f3
PH		 2511 (void)fclose(smtp_out);
2512 (void)fclose(smtp_in);
60d10ce7 2513 smtp_out = smtp_in = NULL;
059ec3d9
PH		 2514 }
2515
2516 return FAIL;
2517 }
2518
b10c87b3
JH		 2519#ifdef EXPERIMENTAL_TLS_RESUME
2520tls_server_resume_posthandshake(state);
2521#endif
2522
dc6d1769 2523DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2524
17c76198
PP		 2525/* Verify after the fact */
2526
899b8bbc 2527if (!verify_certificate(state, errstr))
059ec3d9 2528 {
9d1c15ef 2529 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 2530 {
cf0c6164 2531 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 2532 return FAIL;
17c76198 2533 }
9d1c15ef
JH		 2534 DEBUG(D_tls)
2535 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 2536 *errstr);
059ec3d9
PH		 2537 }
2538
17c76198
PP		 2539/* Sets various Exim expansion variables; always safe within server */
2540
9d1c15ef 2541extract_exim_vars_from_tls_state(state);
059ec3d9
PH		 2542
2543/* TLS has been set up. Adjust the input functions to read via TLS,
2544and initialize appropriately. */
2545
17c76198 2546state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH		 2547
2548receive_getc = tls_getc;
0d81dabc 2549receive_getbuf = tls_getbuf;
584e96c6 2550receive_get_cache = tls_get_cache;
059ec3d9
PH		 2551receive_ungetc = tls_ungetc;
2552receive_feof = tls_feof;
2553receive_ferror = tls_ferror;
58eb016e 2554receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2555
059ec3d9
PH		 2556return OK;
2557}
2558
2559
2560
2561
aa2a70ba
JH		 2562static void
2563tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2564 smtp_transport_options_block * ob)
2565{
3fb3231c 2566if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 2567 {
4af0d74a 2568 state->exp_tls_verify_cert_hostnames =
8c5d388a 2569#ifdef SUPPORT_I18N
4af0d74a
JH		 2570 string_domain_utf8_to_alabel(host->name, NULL);
2571#else
2572 host->name;
2573#endif
aa2a70ba
JH		 2574 DEBUG(D_tls)
2575 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2576 state->exp_tls_verify_cert_hostnames);
2577 }
2578}
aa2a70ba
JH		 2579
2580
899b8bbc
JH		 2581
2582
2583#ifdef SUPPORT_DANE
2584/* Given our list of RRs from the TLSA lookup, build a lookup block in
2585GnuTLS-DANE's preferred format. Hang it on the state str for later
2586use in DANE verification.
2587
2588We point at the dnsa data not copy it, so it must remain valid until
2589after verification is done.*/
2590
3674140c 2591static BOOL
899b8bbc
JH		 2592dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2593{
899b8bbc
JH		 2594dns_scan dnss;
2595int i;
2596const char ** dane_data;
2597int * dane_data_len;
2598
d7978c0f
JH		 2599i = 1;
2600for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc
JH		 2601 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2602 ) if (rr->type == T_TLSA) i++;
2603
f3ebb786
JH		 2604dane_data = store_get(i * sizeof(uschar *), FALSE);
2605dane_data_len = store_get(i * sizeof(int), FALSE);
899b8bbc 2606
d7978c0f
JH		 2607i = 0;
2608for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc 2609 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2610 ) if (rr->type == T_TLSA && rr->size > 3)
899b8bbc
JH		 2611 {
2612 const uschar * p = rr->data;
f3ebb786 2613/*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
3674140c
JH		 2614 uint8_t usage = p[0], sel = p[1], type = p[2];
2615
2616 DEBUG(D_tls)
2617 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2618
94c13285
JH		 2619 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2620 || (sel != 0 && sel != 1)
2621 )
2622 continue;
3674140c
JH		 2623 switch(type)
2624 {
2625 case 0: /* Full: cannot check at present */
2626 break;
2627 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2628 break;
2629 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2630 break;
2631 default: continue;
2632 }
899b8bbc
JH		 2633
2634 tls_out.tlsa_usage |= 1<<usage;
48224640 2635 dane_data[i] = CS p;
899b8bbc
JH		 2636 dane_data_len[i++] = rr->size;
2637 }
3674140c
JH		 2638
2639if (!i) return FALSE;
2640
899b8bbc
JH		 2641dane_data[i] = NULL;
2642dane_data_len[i] = 0;
2643
2644state->dane_data = (char * const *)dane_data;
2645state->dane_data_len = dane_data_len;
3674140c 2646return TRUE;
899b8bbc
JH		 2647}
2648#endif
2649
2650
2651
b10c87b3
JH		 2652#ifdef EXPERIMENTAL_TLS_RESUME
2653/* On the client, get any stashed session for the given IP from hints db
2654and apply it to the ssl-connection for attempted resumption. Although
2655there is a gnutls_session_ticket_enable_client() interface it is
2656documented as unnecessary (as of 3.6.7) as "session tickets are emabled
2657by deafult". There seems to be no way to disable them, so even hosts not
2658enabled by the transport option will be sent a ticket request. We will
2659however avoid storing and retrieving session information. */
2660
2661static void
2662tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
2663 host_item * host, smtp_transport_options_block * ob)
2664{
2665tlsp->resumption = RESUME_SUPPORTED;
2666if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2667 {
2668 dbdata_tls_session * dt;
2669 int len, rc;
2670 open_db dbblock, * dbm_file;
2671
2672 DEBUG(D_tls)
2673 debug_printf("check for resumable session for %s\n", host->address);
2674 tlsp->host_resumable = TRUE;
2675 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2676 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2677 {
dea4b568
JH		 2678 /* Key for the db is the IP. We'd like to filter the retrieved session
2679 for ticket advisory expiry, but 3.6.1 seems to give no access to that */
2680
b10c87b3
JH		 2681 if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
2682 if (!(rc = gnutls_session_set_data(session,
2683 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
2684 {
2685 DEBUG(D_tls) debug_printf("good session\n");
2686 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2687 }
2688 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
2689 US gnutls_strerror(rc));
2690 dbfn_close(dbm_file);
2691 }
2692 }
2693}
2694
2695
2696static void
2697tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
2698{
2699/* TLS 1.2 - we get both the callback and the direct posthandshake call,
2700but this flag is not set until the second. TLS 1.3 it's the other way about.
2701Keep both calls as the session data cannot be extracted before handshake
2702completes. */
2703
2704if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
2705 {
2706 gnutls_datum_t tkt;
2707 int rc;
2708
2709 DEBUG(D_tls) debug_printf("server offered session ticket\n");
2710 tlsp->ticket_received = TRUE;
2711 tlsp->resumption |= RESUME_SERVER_TICKET;
2712
2713 if (tlsp->host_resumable)
2714 if (!(rc = gnutls_session_get_data2(session, &tkt)))
2715 {
2716 open_db dbblock, * dbm_file;
2717 int dlen = sizeof(dbdata_tls_session) + tkt.size;
f3ebb786 2718 dbdata_tls_session * dt = store_get(dlen, TRUE);
b10c87b3
JH		 2719
2720 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
2721 memcpy(dt->session, tkt.data, tkt.size);
2722 gnutls_free(tkt.data);
2723
2724 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2725 {
2726 /* key for the db is the IP */
2727 dbfn_delete(dbm_file, host->address);
2728 dbfn_write(dbm_file, host->address, dt, dlen);
2729 dbfn_close(dbm_file);
2730
2731 DEBUG(D_tls)
2732 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
2733 }
2734 }
2735 else DEBUG(D_tls)
2736 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
2737 }
2738}
2739
2740
2741/* With a TLS1.3 session, the ticket(s) are not seen until
2742the first data read is attempted. And there's often two of them.
2743Pick them up with this callback. We are also called for 1.2
2744but we do nothing.
2745*/
2746static int
2747tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2748 unsigned incoming, const gnutls_datum_t * msg)
2749{
2750exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
2751tls_support * tlsp = state->tlsp;
2752
2753DEBUG(D_tls) debug_printf("newticket cb\n");
2754
2755if (!tlsp->ticket_received)
2756 tls_save_session(tlsp, sess, state->host);
2757return 0;
2758}
2759
2760
2761static void
2762tls_client_resume_prehandshake(exim_gnutls_state_st * state,
2763 tls_support * tlsp, host_item * host,
2764 smtp_transport_options_block * ob)
2765{
2766gnutls_session_set_ptr(state->session, state);
2767gnutls_handshake_set_hook_function(state->session,
2768 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
2769
2770tls_retrieve_session(tlsp, state->session, host, ob);
2771}
2772
2773static void
2774tls_client_resume_posthandshake(exim_gnutls_state_st * state,
2775 tls_support * tlsp, host_item * host)
2776{
2777if (gnutls_session_is_resumed(state->session))
2778 {
2779 DEBUG(D_tls) debug_printf("Session resumed\n");
2780 tlsp->resumption |= RESUME_USED;
2781 }
2782
2783tls_save_session(tlsp, state->session, host);
2784}
2785#endif /* EXPERIMENTAL_TLS_RESUME */
2786
2787
059ec3d9
PH		 2788/*************************************************
2789* Start a TLS session in a client *
2790*************************************************/
2791
2792/* Called from the smtp transport after STARTTLS has been accepted.
2793
2794Arguments:
c05bdbd6
JH		 2795 cctx connection context
2796 conn_args connection details
2797 cookie datum for randomness (not used)
2798 tlsp record details of channel configuration here; must be non-NULL
2799 errstr error string pointer
2800
2801Returns: TRUE for success with TLS session context set in smtp context,
2802 FALSE on error
059ec3d9
PH		 2803*/
2804
c05bdbd6
JH		 2805BOOL
2806tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2807 void * cookie ARG_UNUSED,
2808 tls_support * tlsp, uschar ** errstr)
059ec3d9 2809{
c05bdbd6
JH		 2810host_item * host = conn_args->host; /* for msgs and option-tests */
2811transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2812smtp_transport_options_block * ob = tb
afdb5e9c
JH		 2813 ? (smtp_transport_options_block *)tb->options_block
2814 : &smtp_transport_option_defaults;
059ec3d9 2815int rc;
899b8bbc 2816exim_gnutls_state_st * state = NULL;
c05bdbd6 2817uschar * cipher_list = NULL;
74f1a423 2818
f2de3a33 2819#ifndef DISABLE_OCSP
5130845b 2820BOOL require_ocsp =
3fb3231c 2821 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
44662487 2822BOOL request_ocsp = require_ocsp ? TRUE
3fb3231c 2823 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2b4a568d 2824#endif
059ec3d9 2825
c05bdbd6 2826DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
059ec3d9 2827
5ec37a55 2828#ifdef SUPPORT_DANE
c05bdbd6
JH		 2829/* If dane is flagged, have either request or require dane for this host, and
2830a TLSA record found. Therefore, dane verify required. Which implies cert must
2831be requested and supplied, dane verify must pass, and cert verify irrelevant
2832(incl. hostnames), and (caller handled) require_tls */
2833
2834if (conn_args->dane && ob->dane_require_tls_ciphers)
5ec37a55
PP		 2835 {
2836 /* not using expand_check_tlsvar because not yet in state */
2837 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2838 &cipher_list, errstr))
c05bdbd6 2839 return FALSE;
cf260049
JH		 2840 cipher_list = cipher_list && *cipher_list
2841 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
5ec37a55
PP		 2842 }
2843#endif
2844
2845if (!cipher_list)
2846 cipher_list = ob->tls_require_ciphers;
2847
d85cdeb5
JH		 2848 {
2849#ifdef MEASURE_TIMING
2850 struct timeval t0;
2851 gettimeofday(&t0, NULL);
2852#endif
2853
2854 if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
2855 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
2856 cipher_list, &state, tlsp, errstr) != OK)
2857 return FALSE;
2858
2859#ifdef MEASURE_TIMING
2860 report_time_since(&t0, US"client tls_init (delta)");
2861#endif
2862 }
059ec3d9 2863
54c90be1 2864 {
65867078
JH		 2865 int dh_min_bits = ob->tls_dh_min_bits;
2866 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2867 {
2868 DEBUG(D_tls)
2869 debug_printf("WARNING: tls_dh_min_bits far too low,"
2870 " clamping %d up to %d\n",
2871 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2872 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2873 }
54c90be1 2874
65867078
JH		 2875 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2876 " acceptable bits to %d\n",
2877 dh_min_bits);
2878 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2879 }
83da1223 2880
94431adb 2881/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH		 2882set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2883the specified host patterns if one of them is defined */
2884
899b8bbc 2885#ifdef SUPPORT_DANE
c05bdbd6 2886if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
899b8bbc
JH		 2887 {
2888 DEBUG(D_tls)
2889 debug_printf("TLS: server certificate DANE required.\n");
2890 state->verify_requirement = VERIFY_DANE;
2891 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
899b8bbc
JH		 2892 }
2893else
2894#endif
2895 if ( ( state->exp_tls_verify_certificates
2896 && !ob->tls_verify_hosts
2897 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2898 )
3fb3231c 2899 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
899b8bbc 2900 )
17c76198 2901 {
aa2a70ba 2902 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH		 2903 DEBUG(D_tls)
2904 debug_printf("TLS: server certificate verification required.\n");
2905 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB		 2906 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2907 }
3fb3231c 2908else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
52f93eed 2909 {
aa2a70ba 2910 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH		 2911 DEBUG(D_tls)
2912 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2913 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP		 2914 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2915 }
2916else
2917 {
e51c7be2
JH		 2918 DEBUG(D_tls)
2919 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB		 2920 state->verify_requirement = VERIFY_NONE;
2921 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2922 }
059ec3d9 2923
f2de3a33
JH		 2924#ifndef DISABLE_OCSP
2925 /* supported since GnuTLS 3.1.3 */
44662487 2926if (request_ocsp)
9d1c15ef
JH		 2927 {
2928 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH		 2929 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2930 NULL, 0, NULL)) != OK)
74f1a423 2931 {
452a164f 2932 tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
c05bdbd6 2933 return FALSE;
74f1a423
JH		 2934 }
2935 tlsp->ocsp = OCSP_NOT_RESP;
9d1c15ef 2936 }
2b4a568d
JH		 2937#endif
2938
b10c87b3
JH		 2939#ifdef EXPERIMENTAL_TLS_RESUME
2940tls_client_resume_prehandshake(state, tlsp, host, ob);
2941#endif
2942
0cbf2b82 2943#ifndef DISABLE_EVENT
afdb5e9c 2944if (tb && tb->event_action)
a7538db1 2945 {
774ef2d7 2946 state->event_action = tb->event_action;
a7538db1 2947 gnutls_session_set_ptr(state->session, state);
723fe533 2948 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH		 2949 }
2950#endif
2951
c05bdbd6
JH		 2952gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
2953state->fd_in = cctx->sock;
2954state->fd_out = cctx->sock;
059ec3d9 2955
9d1c15ef 2956DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH		 2957/* There doesn't seem to be a built-in timeout on connection. */
2958
2959sigalrm_seen = FALSE;
c2a1bba0 2960ALARM(ob->command_timeout);
17c76198 2961do
17c76198 2962 rc = gnutls_handshake(state->session);
f1fed05b 2963while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2964ALARM_CLR(0);
059ec3d9 2965
4fe99a6c 2966if (rc != GNUTLS_E_SUCCESS)
74f1a423 2967 {
60d10ce7
JH		 2968 if (sigalrm_seen)
2969 {
2970 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
48224640 2971 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
60d10ce7
JH		 2972 }
2973 else
452a164f 2974 tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
c05bdbd6 2975 return FALSE;
74f1a423 2976 }
4fe99a6c 2977
dc6d1769 2978DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2979
17c76198 2980/* Verify late */
059ec3d9 2981
899b8bbc 2982if (!verify_certificate(state, errstr))
74f1a423
JH		 2983 {
2984 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
c05bdbd6 2985 return FALSE;
74f1a423 2986 }
059ec3d9 2987
f2de3a33 2988#ifndef DISABLE_OCSP
7a501c87 2989if (request_ocsp)
2b4a568d
JH		 2990 {
2991 DEBUG(D_tls)
2992 {
2993 gnutls_datum_t stapling;
2994 gnutls_ocsp_resp_t resp;
2995 gnutls_datum_t printed;
e326959e
JH		 2996 unsigned idx = 0;
2997
2998 for (;
2999# ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
3000 (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
3001#else
3002 (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
3003#endif
3004 idx++)
3005 if ( (rc= gnutls_ocsp_resp_init(&resp)) == 0
3006 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
3007 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
3008 )
3009 {
3010 debug_printf("%.4096s", printed.data);
3011 gnutls_free(printed.data);
3012 }
3013 else
3014 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
3015 if (idx == 0 && rc)
452a164f 3016 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2b4a568d
JH		 3017 }
3018
2b4a568d 3019 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2 3020 {
74f1a423
JH		 3021 tlsp->ocsp = OCSP_FAILED;
3022 tls_error(US"certificate status check failed", NULL, state->host, errstr);
7a501c87
JH		 3023 if (require_ocsp)
3024 return FALSE;
3025 }
3026 else
3027 {
3028 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
3029 tlsp->ocsp = OCSP_VFIED;
018058b2 3030 }
2b4a568d
JH		 3031 }
3032#endif
3033
b10c87b3
JH		 3034#ifdef EXPERIMENTAL_TLS_RESUME
3035tls_client_resume_posthandshake(state, tlsp, host);
3036#endif
059ec3d9 3037
4fe99a6c 3038/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 3039
9d1c15ef 3040extract_exim_vars_from_tls_state(state);
059ec3d9 3041
c05bdbd6
JH		 3042cctx->tls_ctx = state;
3043return TRUE;
059ec3d9
PH		 3044}
3045
3046
3047
17c76198 3048
059ec3d9 3049/*************************************************
17c76198 3050* Close down a TLS session *
059ec3d9
PH		 3051*************************************************/
3052
17c76198
PP		 3053/* This is also called from within a delivery subprocess forked from the
3054daemon, to shut down the TLS library, without actually doing a shutdown (which
3055would tamper with the TLS session in the parent process).
059ec3d9 3056
dec766a1 3057Arguments:
74f1a423 3058 ct_ctx client context pointer, or NULL for the one global server context
dec766a1 3059 shutdown 1 if TLS close-alert is to be sent,
afdb5e9c 3060 2 if also response to be waited for
dec766a1 3061
17c76198 3062Returns: nothing
059ec3d9
PH		 3063*/
3064
17c76198 3065void
74f1a423 3066tls_close(void * ct_ctx, int shutdown)
059ec3d9 3067{
74f1a423 3068exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
bd231acd 3069tls_support * tlsp = state->tlsp;
059ec3d9 3070
bd231acd 3071if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
17c76198
PP		 3072
3073if (shutdown)
3074 {
dec766a1
WB		 3075 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3076 shutdown > 1 ? " (with response-wait)" : "");
3077
c2a1bba0 3078 ALARM(2);
dec766a1 3079 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
c2a1bba0 3080 ALARM_CLR(0);
17c76198
PP		 3081 }
3082
bd231acd
JH		 3083if (!ct_ctx) /* server */
3084 {
3085 receive_getc = smtp_getc;
3086 receive_getbuf = smtp_getbuf;
3087 receive_get_cache = smtp_get_cache;
3088 receive_ungetc = smtp_ungetc;
3089 receive_feof = smtp_feof;
3090 receive_ferror = smtp_ferror;
3091 receive_smtp_buffered = smtp_buffered;
3092 }
3093
17c76198 3094gnutls_deinit(state->session);
ed62aae3
HSHR		 3095gnutls_certificate_free_credentials(state->x509_cred);
3096
bd231acd
JH		 3097tlsp->active.sock = -1;
3098tlsp->active.tls_ctx = NULL;
3099/* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
b1a32a3c 3100tlsp->channelbinding = NULL;
bd231acd 3101
17c76198 3102
b808677c 3103if (state->xfer_buffer) store_free(state->xfer_buffer);
17c76198 3104memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
059ec3d9
PH		 3105}
3106
3107
3108
17c76198 3109
0d81dabc
JH		 3110static BOOL
3111tls_refill(unsigned lim)
3112{
3113exim_gnutls_state_st * state = &state_server;
3114ssize_t inbytes;
3115
3116DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
3117 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
3118
f1fed05b 3119sigalrm_seen = FALSE;
c2a1bba0 3120if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
4896a319
AM		 3121
3122do
3123 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
3124 MIN(ssl_xfer_buffer_size, lim));
3125while (inbytes == GNUTLS_E_AGAIN);
3126
c2a1bba0 3127if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH		 3128
3129if (had_command_timeout) /* set by signal handler */
3130 smtp_command_timeout_exit(); /* does not return */
3131if (had_command_sigterm)
3132 smtp_command_sigterm_exit();
3133if (had_data_timeout)
3134 smtp_data_timeout_exit();
3135if (had_data_sigint)
3136 smtp_data_sigint_exit();
3137
3138/* Timeouts do not get this far. A zero-byte return appears to mean that the
3139TLS session has been closed down, not that the socket itself has been closed
3140down. Revert to non-TLS handling. */
0d81dabc
JH		 3141
3142if (sigalrm_seen)
3143 {
3144 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
8b77d27a 3145 state->xfer_error = TRUE;
0d81dabc
JH		 3146 return FALSE;
3147 }
3148
3149else if (inbytes == 0)
3150 {
3151 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
bd231acd 3152 tls_close(NULL, TLS_NO_SHUTDOWN);
0d81dabc
JH		 3153 return FALSE;
3154 }
3155
3156/* Handle genuine errors */
3157
3158else if (inbytes < 0)
3159 {
95f52235 3160 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
0d81dabc 3161 record_io_error(state, (int) inbytes, US"recv", NULL);
8b77d27a 3162 state->xfer_error = TRUE;
0d81dabc
JH		 3163 return FALSE;
3164 }
3165#ifndef DISABLE_DKIM
3166dkim_exim_verify_feed(state->xfer_buffer, inbytes);
3167#endif
3168state->xfer_buffer_hwm = (int) inbytes;
3169state->xfer_buffer_lwm = 0;
3170return TRUE;
3171}
3172
059ec3d9
PH		 3173/*************************************************
3174* TLS version of getc *
3175*************************************************/
3176
3177/* This gets the next byte from the TLS input buffer. If the buffer is empty,
3178it refills the buffer via the GnuTLS reading function.
817d9f57 3179Only used by the server-side TLS.
059ec3d9 3180
17c76198
PP		 3181This feeds DKIM and should be used for all message-body reads.
3182
aded2255 3183Arguments: lim Maximum amount to read/buffer
059ec3d9
PH		 3184Returns: the next character or EOF
3185*/
3186
3187int
bd8fbe36 3188tls_getc(unsigned lim)
059ec3d9 3189{
0d81dabc 3190exim_gnutls_state_st * state = &state_server;
059ec3d9 3191
0d81dabc
JH		 3192if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3193 if (!tls_refill(lim))
3194 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 3195
0d81dabc 3196/* Something in the buffer; return next uschar */
059ec3d9 3197
0d81dabc
JH		 3198return state->xfer_buffer[state->xfer_buffer_lwm++];
3199}
059ec3d9 3200
0d81dabc
JH		 3201uschar *
3202tls_getbuf(unsigned * len)
3203{
3204exim_gnutls_state_st * state = &state_server;
3205unsigned size;
3206uschar * buf;
059ec3d9 3207
0d81dabc
JH		 3208if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3209 if (!tls_refill(*len))
059ec3d9 3210 {
0d81dabc
JH		 3211 if (!state->xfer_error) return smtp_getbuf(len);
3212 *len = 0;
3213 return NULL;
059ec3d9 3214 }
059ec3d9 3215
0d81dabc
JH		 3216if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
3217 size = *len;
3218buf = &state->xfer_buffer[state->xfer_buffer_lwm];
3219state->xfer_buffer_lwm += size;
3220*len = size;
3221return buf;
059ec3d9
PH		 3222}
3223
0d81dabc 3224
584e96c6
JH		 3225void
3226tls_get_cache()
3227{
9960d1e5 3228#ifndef DISABLE_DKIM
584e96c6
JH		 3229exim_gnutls_state_st * state = &state_server;
3230int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3231if (n > 0)
3232 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 3233#endif
9960d1e5 3234}
584e96c6 3235
059ec3d9 3236
925ac8e4
JH		 3237BOOL
3238tls_could_read(void)
3239{
3240return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3241 || gnutls_record_check_pending(state_server.session) > 0;
3242}
3243
3244
059ec3d9 3245
17c76198 3246
059ec3d9
PH		 3247/*************************************************
3248* Read bytes from TLS channel *
3249*************************************************/
3250
17c76198
PP		 3251/* This does not feed DKIM, so if the caller uses this for reading message body,
3252then the caller must feed DKIM.
817d9f57 3253
059ec3d9 3254Arguments:
74f1a423 3255 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3256 buff buffer of data
3257 len size of buffer
3258
3259Returns: the number of bytes read
afdb5e9c 3260 -1 after a failed read, including EOF
059ec3d9
PH		 3261*/
3262
3263int
74f1a423 3264tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 3265{
74f1a423 3266exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
17c76198 3267ssize_t inbytes;
059ec3d9 3268
17c76198
PP		 3269if (len > INT_MAX)
3270 len = INT_MAX;
059ec3d9 3271
17c76198
PP		 3272if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3273 DEBUG(D_tls)
3274 debug_printf("*** PROBABLY A BUG *** " \
3275 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3276 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3277
3278DEBUG(D_tls)
3279 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
3280 state->session, buff, len);
3281
4896a319
AM		 3282do
3283 inbytes = gnutls_record_recv(state->session, buff, len);
3284while (inbytes == GNUTLS_E_AGAIN);
3285
059ec3d9
PH		 3286if (inbytes > 0) return inbytes;
3287if (inbytes == 0)
3288 {
3289 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3290 }
5fd28bb8 3291else
4896a319 3292 {
95f52235 3293 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
4896a319
AM		 3294 record_io_error(state, (int)inbytes, US"recv", NULL);
3295 }
059ec3d9
PH		 3296
3297return -1;
3298}
3299
3300
3301
17c76198 3302
059ec3d9
PH		 3303/*************************************************
3304* Write bytes down TLS channel *
3305*************************************************/
3306
3307/*
3308Arguments:
74f1a423 3309 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3310 buff buffer of data
3311 len number of bytes
925ac8e4 3312 more more data expected soon
059ec3d9 3313
30398c06
JH		 3314Calling with len zero and more unset will flush buffered writes. The buff
3315argument can be null for that case.
3316
059ec3d9
PH		 3317Returns: the number of bytes after a successful write,
3318 -1 after a failed write
3319*/
3320
3321int
74f1a423 3322tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
059ec3d9 3323{
17c76198
PP		 3324ssize_t outbytes;
3325size_t left = len;
74f1a423 3326exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
925ac8e4
JH		 3327#ifdef SUPPORT_CORK
3328static BOOL corked = FALSE;
3329
3330if (more && !corked) gnutls_record_cork(state->session);
3331#endif
3332
3333DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
3334 buff, left, more ? ", more" : "");
059ec3d9 3335
059ec3d9
PH		 3336while (left > 0)
3337 {
17c76198
PP		 3338 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
3339 buff, left);
4896a319
AM		 3340
3341 do
3342 outbytes = gnutls_record_send(state->session, buff, left);
3343 while (outbytes == GNUTLS_E_AGAIN);
059ec3d9 3344
17c76198 3345 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH		 3346 if (outbytes < 0)
3347 {
1b76ad22 3348 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
17c76198 3349 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH		 3350 return -1;
3351 }
3352 if (outbytes == 0)
3353 {
17c76198 3354 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH		 3355 return -1;
3356 }
3357
3358 left -= outbytes;
3359 buff += outbytes;
3360 }
3361
17c76198
PP		 3362if (len > INT_MAX)
3363 {
3364 DEBUG(D_tls)
3365 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
3366 len);
3367 len = INT_MAX;
3368 }
3369
925ac8e4
JH		 3370#ifdef SUPPORT_CORK
3371if (more != corked)
3372 {
3373 if (!more) (void) gnutls_record_uncork(state->session, 0);
3374 corked = more;
3375 }
3376#endif
3377
17c76198 3378return (int) len;
059ec3d9
PH		 3379}
3380
3381
3382
17c76198 3383
059ec3d9 3384/*************************************************
17c76198 3385* Random number generation *
059ec3d9
PH		 3386*************************************************/
3387
17c76198
PP		 3388/* Pseudo-random number generation. The result is not expected to be
3389cryptographically strong but not so weak that someone will shoot themselves
3390in the foot using it as a nonce in input in some email header scheme or
3391whatever weirdness they'll twist this into. The result should handle fork()
3392and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 3393
17c76198
PP		 3394Arguments:
3395 max range maximum
3396Returns a random number in range [0, max-1]
059ec3d9
PH		 3397*/
3398
af3498d6 3399#ifdef HAVE_GNUTLS_RND
17c76198
PP		 3400int
3401vaguely_random_number(int max)
059ec3d9 3402{
17c76198
PP		 3403unsigned int r;
3404int i, needed_len;
17c76198
PP		 3405uschar smallbuf[sizeof(r)];
3406
3407if (max <= 1)
3408 return 0;
3409
3410needed_len = sizeof(r);
3411/* Don't take 8 times more entropy than needed if int is 8 octets and we were
d7978c0f
JH		 3412asked for a number less than 10. */
3413
17c76198
PP		 3414for (r = max, i = 0; r; ++i)
3415 r >>= 1;
3416i = (i + 7) / 8;
3417if (i < needed_len)
3418 needed_len = i;
3419
3420i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
3421if (i < 0)
059ec3d9 3422 {
17c76198
PP		 3423 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
3424 return vaguely_random_number_fallback(max);
3425 }
3426r = 0;
d7978c0f
JH		 3427for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3428 r = r * 256 + *p;
059ec3d9 3429
17c76198
PP		 3430/* We don't particularly care about weighted results; if someone wants
3431 * smooth distribution and cares enough then they should submit a patch then. */
3432return r % max;
059ec3d9 3433}
af3498d6
PP		 3434#else /* HAVE_GNUTLS_RND */
3435int
3436vaguely_random_number(int max)
3437{
3438 return vaguely_random_number_fallback(max);
3439}
3440#endif /* HAVE_GNUTLS_RND */
059ec3d9 3441
36f12725
NM		 3442
3443
3444
3375e053
PP		 3445/*************************************************
3446* Let tls_require_ciphers be checked at startup *
3447*************************************************/
3448
3449/* The tls_require_ciphers option, if set, must be something which the
3450library can parse.
3451
3452Returns: NULL on success, or error message
3453*/
3454
3455uschar *
3456tls_validate_require_cipher(void)
3457{
3458int rc;
3459uschar *expciphers = NULL;
3460gnutls_priority_t priority_cache;
3461const char *errpos;
cf0c6164 3462uschar * dummy_errstr;
3375e053 3463
4d2a62a3
JH		 3464#ifdef GNUTLS_AUTO_GLOBAL_INIT
3465# define validate_check_rc(Label) do { \
3466 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) \
3467 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3468# define return_deinit(Label) do { return (Label); } while (0)
3469#else
3470# define validate_check_rc(Label) do { \
3375e053 3471 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
4d2a62a3
JH		 3472 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3473# define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
3474#endif
3375e053
PP		 3475
3476if (exim_gnutls_base_init_done)
3477 log_write(0, LOG_MAIN|LOG_PANIC,
3478 "already initialised GnuTLS, Exim developer bug");
3479
9f707b89 3480#if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
2519e60d 3481if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 3482 {
3483 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
3484 validate_check_rc(US"gnutls_pkcs11_init");
3485 }
3486#endif
4d2a62a3 3487#ifndef GNUTLS_AUTO_GLOBAL_INIT
3375e053
PP		 3488rc = gnutls_global_init();
3489validate_check_rc(US"gnutls_global_init()");
4d2a62a3 3490#endif
3375e053
PP		 3491exim_gnutls_base_init_done = TRUE;
3492
3493if (!(tls_require_ciphers && *tls_require_ciphers))
3494 return_deinit(NULL);
3495
cf0c6164
JH		 3496if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3497 &dummy_errstr))
3375e053
PP		 3498 return_deinit(US"failed to expand tls_require_ciphers");
3499
3500if (!(expciphers && *expciphers))
3501 return_deinit(NULL);
3502
3503DEBUG(D_tls)
3504 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3505
3506rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
3507validate_check_rc(string_sprintf(
3508 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
3509 expciphers, errpos - CS expciphers, errpos));
3510
3511#undef return_deinit
3512#undef validate_check_rc
4d2a62a3 3513#ifndef GNUTLS_AUTO_GLOBAL_INIT
3375e053 3514gnutls_global_deinit();
4d2a62a3 3515#endif
3375e053
PP		 3516
3517return NULL;
3518}
3519
3520
3521
3522
36f12725
NM		 3523/*************************************************
3524* Report the library versions. *
3525*************************************************/
3526
3527/* See a description in tls-openssl.c for an explanation of why this exists.
3528
3529Arguments: a FILE* to print the results to
3530Returns: nothing
3531*/
3532
3533void
3534tls_version_report(FILE *f)
3535{
754a0503
PP		 3536fprintf(f, "Library version: GnuTLS: Compile: %s\n"
3537 " Runtime: %s\n",
3538 LIBGNUTLS_VERSION,
3539 gnutls_check_version(NULL));
36f12725
NM		 3540}
3541
b10c87b3 3542#endif /*!MACRO_PREDEF*/
2b4a568d
JH		 3543/* vi: aw ai sw=2
3544*/
059ec3d9 3545/* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.