projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ACL: Disallow '/' characters in queue names specified for "queue="
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
9242a7e8 5/* Copyright (c) University of Cambridge 1995 - 2017 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP		 10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP		 14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 16Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 17appropriate.
059ec3d9 18
17c76198
PP		 19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP		 24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP		 27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP		 32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP		 37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
a5f239e4
PP		 42/* needed to disable PKCS11 autoload unless requested */
43#if GNUTLS_VERSION_NUMBER >= 0x020c00
44# include <gnutls/pkcs11.h>
76075bb5 45# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 46#endif
7e07527a
JH		 47#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
48# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
49# define DISABLE_OCSP
50#endif
0cbf2b82 51#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 52# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 53# define DISABLE_EVENT
a7538db1 54#endif
a7fec7a7
JH		 55#if GNUTLS_VERSION_NUMBER >= 0x030306
56# define SUPPORT_CA_DIR
57#else
58# undef SUPPORT_CA_DIR
59#endif
11a04b5a 60#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH		 61# define SUPPORT_SYSDEFAULT_CABUNDLE
62#endif
925ac8e4
JH		 63#if GNUTLS_VERSION_NUMBER >= 0x030109
64# define SUPPORT_CORK
65#endif
47195144
JH		 66#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
67# define SUPPORT_SRV_OCSP_STACK
68#endif
899b8bbc
JH		 69#if GNUTLS_VERSION_NUMBER >= 0x030000 && defined(EXPERIMENTAL_DANE)
70# define SUPPORT_DANE
71#endif
7e07527a 72
f2de3a33 73#ifndef DISABLE_OCSP
2b4a568d
JH		 74# include <gnutls/ocsp.h>
75#endif
899b8bbc
JH		 76#ifdef SUPPORT_DANE
77# include <gnutls/dane.h>
78#endif
059ec3d9 79
17c76198 80/* GnuTLS 2 vs 3
059ec3d9 81
17c76198
PP		 82GnuTLS 3 only:
83 gnutls_global_set_audit_log_function()
059ec3d9 84
17c76198
PP		 85Changes:
86 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
87*/
059ec3d9 88
17c76198 89/* Local static variables for GnuTLS */
059ec3d9 90
17c76198 91/* Values for verify_requirement */
059ec3d9 92
e51c7be2 93enum peer_verify_requirement
899b8bbc 94 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
059ec3d9 95
17c76198
PP		 96/* This holds most state for server or client; with this, we can set up an
97outbound TLS-enabled connection in an ACL callout, while not stomping all
98over the TLS variables available for expansion.
059ec3d9 99
17c76198
PP		 100Some of these correspond to variables in globals.c; those variables will
101be set to point to content in one of these instances, as appropriate for
102the stage of the process lifetime.
059ec3d9 103
389ca47a 104Not handled here: global tls_channelbinding_b64.
17c76198 105*/
059ec3d9 106
17c76198 107typedef struct exim_gnutls_state {
9d1c15ef 108 gnutls_session_t session;
17c76198 109 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 110 gnutls_priority_t priority_cache;
17c76198 111 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH		 112 int fd_in;
113 int fd_out;
114 BOOL peer_cert_verified;
899b8bbc 115 BOOL peer_dane_verified;
9d1c15ef
JH		 116 BOOL trigger_sni_changes;
117 BOOL have_set_peerdn;
17c76198 118 const struct host_item *host;
9d1c15ef
JH		 119 gnutls_x509_crt_t peercert;
120 uschar *peerdn;
121 uschar *ciphersuite;
122 uschar *received_sni;
17c76198
PP		 123
124 const uschar *tls_certificate;
125 const uschar *tls_privatekey;
126 const uschar *tls_sni; /* client send only, not received */
127 const uschar *tls_verify_certificates;
128 const uschar *tls_crl;
129 const uschar *tls_require_ciphers;
e51c7be2 130
17c76198
PP		 131 uschar *exp_tls_certificate;
132 uschar *exp_tls_privatekey;
17c76198
PP		 133 uschar *exp_tls_verify_certificates;
134 uschar *exp_tls_crl;
135 uschar *exp_tls_require_ciphers;
55414b25 136 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 137#ifndef DISABLE_EVENT
a7538db1
JH		 138 uschar *event_action;
139#endif
899b8bbc
JH		 140#ifdef SUPPORT_DANE
141 char * const * dane_data;
142 const int * dane_data_len;
143#endif
17c76198 144
389ca47a 145 tls_support *tlsp; /* set in tls_init() */
817d9f57 146
17c76198
PP		 147 uschar *xfer_buffer;
148 int xfer_buffer_lwm;
149 int xfer_buffer_hwm;
150 int xfer_eof;
151 int xfer_error;
17c76198
PP		 152} exim_gnutls_state_st;
153
154static const exim_gnutls_state_st exim_gnutls_state_init = {
f2ed27cf
JH		 155 .session = NULL,
156 .x509_cred = NULL,
157 .priority_cache = NULL,
158 .verify_requirement = VERIFY_NONE,
159 .fd_in = -1,
160 .fd_out = -1,
161 .peer_cert_verified = FALSE,
899b8bbc 162 .peer_dane_verified = FALSE,
f2ed27cf
JH		 163 .trigger_sni_changes =FALSE,
164 .have_set_peerdn = FALSE,
165 .host = NULL,
166 .peercert = NULL,
167 .peerdn = NULL,
168 .ciphersuite = NULL,
169 .received_sni = NULL,
170
171 .tls_certificate = NULL,
172 .tls_privatekey = NULL,
173 .tls_sni = NULL,
174 .tls_verify_certificates = NULL,
175 .tls_crl = NULL,
176 .tls_require_ciphers =NULL,
177
178 .exp_tls_certificate = NULL,
179 .exp_tls_privatekey = NULL,
180 .exp_tls_verify_certificates = NULL,
181 .exp_tls_crl = NULL,
182 .exp_tls_require_ciphers = NULL,
f2ed27cf 183 .exp_tls_verify_cert_hostnames = NULL,
0cbf2b82 184#ifndef DISABLE_EVENT
f2ed27cf 185 .event_action = NULL,
e51c7be2 186#endif
f2ed27cf
JH		 187 .tlsp = NULL,
188
189 .xfer_buffer = NULL,
190 .xfer_buffer_lwm = 0,
191 .xfer_buffer_hwm = 0,
192 .xfer_eof = 0,
193 .xfer_error = 0,
17c76198 194};
83da1223 195
17c76198
PP		 196/* Not only do we have our own APIs which don't pass around state, assuming
197it's held in globals, GnuTLS doesn't appear to let us register callback data
198for callbacks, or as part of the session, so we have to keep a "this is the
199context we're currently dealing with" pointer and rely upon being
200single-threaded to keep from processing data on an inbound TLS connection while
201talking to another TLS connection for an outbound check. This does mean that
202there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH		 203second connection.
204XXX But see gnutls_session_get_ptr()
205*/
059ec3d9 206
17c76198 207static exim_gnutls_state_st state_server, state_client;
059ec3d9 208
17c76198
PP		 209/* dh_params are initialised once within the lifetime of a process using TLS;
210if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
211don't want to repeat this. */
83da1223 212
17c76198 213static gnutls_dh_params_t dh_server_params = NULL;
059ec3d9 214
17c76198 215/* No idea how this value was chosen; preserving it. Default is 3600. */
059ec3d9 216
17c76198 217static const int ssl_session_timeout = 200;
059ec3d9 218
17c76198 219static const char * const exim_default_gnutls_priority = "NORMAL";
83da1223 220
17c76198 221/* Guard library core initialisation */
83da1223 222
17c76198 223static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 224
4fb7df6d 225#ifndef DISABLE_OCSP
9196d5bf 226static BOOL gnutls_buggy_ocsp = FALSE;
4fb7df6d 227#endif
9196d5bf 228
059ec3d9 229
17c76198
PP		 230/* ------------------------------------------------------------------------ */
231/* macros */
83da1223 232
17c76198 233#define MAX_HOST_LEN 255
83da1223 234
17c76198
PP		 235/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
236the library logging; a value less than 0 disables the calls to set up logging
ef9da2ee
JH		 237callbacks. Possibly GNuTLS also looks for an environment variable
238"GNUTLS_DEBUG_LEVEL". */
2c17bb02 239#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
a7538db1 240# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 241#endif
83da1223 242
2c17bb02 243#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 244# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 245#endif
83da1223 246
af3498d6
PP		 247/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
248can ask for a bit-strength. Without that, we stick to the constant we had
249before, for now. */
2c17bb02 250#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 251# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 252#endif
af3498d6 253
47195144
JH		 254#define exim_gnutls_err_check(rc, Label) do { \
255 if ((rc) != GNUTLS_E_SUCCESS) \
cf0c6164
JH		 256 return tls_error((Label), gnutls_strerror(rc), host, errstr); \
257 } while (0)
059ec3d9 258
cf0c6164
JH		 259#define expand_check_tlsvar(Varname, errstr) \
260 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 261
17c76198 262#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH		 263# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
264# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
265# define HAVE_GNUTLS_RND
2519e60d
TL		 266/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
267 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
268 * isn't available sometimes, so this needs to become a conditional
269 * compilation; the sanest way to deal with this being a problem on
270 * older OSes is to block it in the Local/Makefile with this compiler
271 * definition */
e51c7be2
JH		 272# ifndef AVOID_GNUTLS_PKCS11
273# define HAVE_GNUTLS_PKCS11
274# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 275#endif
83da1223 276
af3498d6
PP		 277
278
279
280/* ------------------------------------------------------------------------ */
281/* Callback declarations */
282
283#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
284static void exim_gnutls_logger_cb(int level, const char *message);
285#endif
286
287static int exim_sni_handling_cb(gnutls_session_t session);
288
f2de3a33 289#ifndef DISABLE_OCSP
44662487
JH		 290static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
291 gnutls_datum_t * ocsp_response);
292#endif
af3498d6
PP		 293
294
295
17c76198
PP		 296/* ------------------------------------------------------------------------ */
297/* Static functions */
059ec3d9
PH		 298
299/*************************************************
300* Handle TLS error *
301*************************************************/
302
303/* Called from lots of places when errors occur before actually starting to do
304the TLS handshake, that is, while the session is still in clear. Always returns
305DEFER for a server and FAIL for a client so that most calls can use "return
306tls_error(...)" to do this processing and then give an appropriate return. A
307single function is used for both server and client, because it is called from
308some shared functions.
309
310Argument:
311 prefix text to include in the logged error
7199e1ee
TF		 312 msg additional error string (may be NULL)
313 usually obtained from gnutls_strerror()
17c76198
PP		 314 host NULL if setting up a server;
315 the connected host if setting up a client
cf0c6164 316 errstr pointer to returned error string
059ec3d9
PH		 317
318Returns: OK/DEFER/FAIL
319*/
320
321static int
cf0c6164
JH		 322tls_error(const uschar *prefix, const char *msg, const host_item *host,
323 uschar ** errstr)
059ec3d9 324{
cf0c6164
JH		 325if (errstr)
326 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : "");
327return host ? FAIL : DEFER;
059ec3d9
PH		 328}
329
330
331
17c76198 332
059ec3d9 333/*************************************************
17c76198 334* Deal with logging errors during I/O *
059ec3d9
PH		 335*************************************************/
336
17c76198 337/* We have to get the identity of the peer from saved data.
059ec3d9 338
17c76198
PP		 339Argument:
340 state the current GnuTLS exim state container
341 rc the GnuTLS error code, or 0 if it's a local error
342 when text identifying read or write
343 text local error text when ec is 0
059ec3d9 344
17c76198 345Returns: nothing
059ec3d9
PH		 346*/
347
17c76198
PP		 348static void
349record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 350{
cf0c6164
JH		 351const char * msg;
352uschar * errstr;
059ec3d9 353
17c76198
PP		 354if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
355 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
356 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
357else
358 msg = gnutls_strerror(rc);
059ec3d9 359
cf0c6164
JH		 360(void) tls_error(when, msg, state->host, &errstr);
361
362if (state->host)
363 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
364 state->host->name, state->host->address, errstr);
365else
366 {
367 uschar * conn_info = smtp_get_connection_info();
368 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
369 /* I'd like to get separated H= here, but too hard for now */
370 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
371 }
17c76198 372}
059ec3d9 373
059ec3d9 374
059ec3d9 375
059ec3d9 376
17c76198
PP		 377/*************************************************
378* Set various Exim expansion vars *
379*************************************************/
059ec3d9 380
e51c7be2
JH		 381#define exim_gnutls_cert_err(Label) \
382 do \
383 { \
384 if (rc != GNUTLS_E_SUCCESS) \
385 { \
386 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
387 (Label), gnutls_strerror(rc)); \
388 return rc; \
389 } \
390 } while (0)
9d1c15ef
JH		 391
392static int
27f19eb4 393import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH		 394{
395int rc;
396
397rc = gnutls_x509_crt_init(crtp);
398exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
399
400rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
401exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
402
403return rc;
404}
405
406#undef exim_gnutls_cert_err
407
408
17c76198
PP		 409/* We set various Exim global variables from the state, once a session has
410been established. With TLS callouts, may need to change this to stack
411variables, or just re-call it with the server state after client callout
412has finished.
059ec3d9 413
9d1c15ef 414Make sure anything set here is unset in tls_getc().
17c76198
PP		 415
416Sets:
417 tls_active fd
418 tls_bits strength indicator
419 tls_certificate_verified bool indicator
420 tls_channelbinding_b64 for some SASL mechanisms
421 tls_cipher a string
9d1c15ef 422 tls_peercert pointer to library internal
17c76198
PP		 423 tls_peerdn a string
424 tls_sni a (UTF-8) string
9d1c15ef 425 tls_ourcert pointer to library internal
17c76198
PP		 426
427Argument:
428 state the relevant exim_gnutls_state_st *
429*/
430
431static void
9d1c15ef 432extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 433{
17c76198 434gnutls_cipher_algorithm_t cipher;
17c76198
PP		 435#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
436int old_pool;
437int rc;
438gnutls_datum_t channel;
439#endif
9d1c15ef 440tls_support * tlsp = state->tlsp;
17c76198 441
9d1c15ef 442tlsp->active = state->fd_out;
17c76198
PP		 443
444cipher = gnutls_cipher_get(state->session);
445/* returns size in "bytes" */
9d1c15ef 446tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
17c76198 447
9d1c15ef 448tlsp->cipher = state->ciphersuite;
17c76198 449
817d9f57 450DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 451
9d1c15ef 452tlsp->certificate_verified = state->peer_cert_verified;
899b8bbc
JH		 453#ifdef SUPPORT_DANE
454tlsp->dane_verified = state->peer_dane_verified;
455#endif
059ec3d9 456
17c76198
PP		 457/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
458only available for use for authenticators while this TLS session is running. */
459
460tls_channelbinding_b64 = NULL;
461#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
462channel.data = NULL;
463channel.size = 0;
464rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
465if (rc) {
466 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
467} else {
468 old_pool = store_pool;
469 store_pool = POOL_PERM;
f4d091fb 470 tls_channelbinding_b64 = b64encode(channel.data, (int)channel.size);
17c76198
PP		 471 store_pool = old_pool;
472 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
473}
474#endif
475
9d1c15ef
JH		 476/* peercert is set in peer_status() */
477tlsp->peerdn = state->peerdn;
478tlsp->sni = state->received_sni;
479
480/* record our certificate */
481 {
27f19eb4 482 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH		 483 gnutls_x509_crt_t crt;
484
485 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
486 }
059ec3d9
PH		 487}
488
489
490
17c76198 491
059ec3d9 492/*************************************************
575643cd 493* Setup up DH parameters *
059ec3d9
PH		 494*************************************************/
495
575643cd 496/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH		 497be re-generated every so often, depending on security policy. What we do is to
498keep these parameters in a file in the spool directory. If the file does not
499exist, we generate them. This means that it is easy to cause a regeneration.
500
501The new file is written as a temporary file and renamed, so that an incomplete
502file is never present. If two processes both compute some new parameters, you
503waste a bit of effort, but it doesn't seem worth messing around with locking to
504prevent this.
505
059ec3d9
PH		 506Returns: OK/DEFER/FAIL
507*/
508
509static int
cf0c6164 510init_server_dh(uschar ** errstr)
059ec3d9 511{
17c76198
PP		 512int fd, rc;
513unsigned int dh_bits;
27f19eb4 514gnutls_datum_t m;
a799883d
PP		 515uschar filename_buf[PATH_MAX];
516uschar *filename = NULL;
17c76198 517size_t sz;
a799883d
PP		 518uschar *exp_tls_dhparam;
519BOOL use_file_in_spool = FALSE;
520BOOL use_fixed_file = FALSE;
17c76198 521host_item *host = NULL; /* dummy for macros */
059ec3d9 522
17c76198 523DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 524
17c76198 525rc = gnutls_dh_params_init(&dh_server_params);
47195144 526exim_gnutls_err_check(rc, US"gnutls_dh_params_init");
059ec3d9 527
a799883d
PP		 528m.data = NULL;
529m.size = 0;
530
cf0c6164 531if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP		 532 return DEFER;
533
534if (!exp_tls_dhparam)
535 {
536 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
537 m.data = US std_dh_prime_default();
538 m.size = Ustrlen(m.data);
539 }
540else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
541 use_file_in_spool = TRUE;
542else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
543 {
544 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
545 return OK;
546 }
547else if (exp_tls_dhparam[0] != '/')
548 {
f5d25c2b 549 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
cf0c6164 550 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL, errstr);
a799883d
PP		 551 m.size = Ustrlen(m.data);
552 }
553else
554 {
555 use_fixed_file = TRUE;
556 filename = exp_tls_dhparam;
557 }
558
559if (m.data)
560 {
561 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
47195144 562 exim_gnutls_err_check(rc, US"gnutls_dh_params_import_pkcs3");
a799883d
PP		 563 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
564 return OK;
565 }
566
af3498d6
PP		 567#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
568/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198
PP		 569different filename and ensure we have sufficient bits. */
570dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
571if (!dh_bits)
cf0c6164 572 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 573DEBUG(D_tls)
b34fc30c 574 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP		 575 dh_bits);
576#else
577dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
578DEBUG(D_tls)
579 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
580 dh_bits);
581#endif
059ec3d9 582
3375e053
PP		 583/* Some clients have hard-coded limits. */
584if (dh_bits > tls_dh_max_bits)
585 {
586 DEBUG(D_tls)
587 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
588 tls_dh_max_bits);
589 dh_bits = tls_dh_max_bits;
590 }
591
a799883d
PP		 592if (use_file_in_spool)
593 {
594 if (!string_format(filename_buf, sizeof(filename_buf),
595 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 596 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP		 597 filename = filename_buf;
598 }
059ec3d9 599
b5aea5e1 600/* Open the cache file for reading and if successful, read it and set up the
575643cd 601parameters. */
059ec3d9 602
f5d25c2b 603if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 604 {
b5aea5e1 605 struct stat statbuf;
17c76198
PP		 606 FILE *fp;
607 int saved_errno;
608
609 if (fstat(fd, &statbuf) < 0) /* EIO */
610 {
611 saved_errno = errno;
612 (void)close(fd);
cf0c6164 613 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL, errstr);
17c76198
PP		 614 }
615 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH		 616 {
617 (void)close(fd);
cf0c6164 618 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 619 }
40c90bca 620 if (!(fp = fdopen(fd, "rb")))
17c76198
PP		 621 {
622 saved_errno = errno;
623 (void)close(fd);
624 return tls_error(US"fdopen(TLS cache stat fd) failed",
cf0c6164 625 strerror(saved_errno), NULL, errstr);
b5aea5e1 626 }
059ec3d9 627
b5aea5e1 628 m.size = statbuf.st_size;
40c90bca 629 if (!(m.data = malloc(m.size)))
17c76198
PP		 630 {
631 fclose(fp);
cf0c6164 632 return tls_error(US"malloc failed", strerror(errno), NULL, errstr);
17c76198 633 }
40c90bca 634 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP		 635 {
636 saved_errno = errno;
637 fclose(fp);
638 free(m.data);
cf0c6164 639 return tls_error(US"fread failed", strerror(saved_errno), NULL, errstr);
17c76198
PP		 640 }
641 fclose(fp);
b5aea5e1 642
17c76198 643 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
b5aea5e1 644 free(m.data);
47195144 645 exim_gnutls_err_check(rc, US"gnutls_dh_params_import_pkcs3");
17c76198 646 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH		 647 }
648
649/* If the file does not exist, fall through to compute new data and cache it.
650If there was any other opening error, it is serious. */
651
182ad5cf
PH		 652else if (errno == ENOENT)
653 {
17c76198 654 rc = -1;
182ad5cf 655 DEBUG(D_tls)
17c76198 656 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH		 657 }
658else
17c76198 659 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 660 NULL, NULL, errstr);
b5aea5e1
PH		 661
662/* If ret < 0, either the cache file does not exist, or the data it contains
663is not useful. One particular case of this is when upgrading from an older
664release of Exim in which the data was stored in a different format. We don't
665try to be clever and support both formats; we just regenerate new data in this
666case. */
667
17c76198 668if (rc < 0)
b5aea5e1 669 {
17c76198 670 uschar *temp_fn;
201f5254 671 unsigned int dh_bits_gen = dh_bits;
059ec3d9 672
17c76198
PP		 673 if ((PATH_MAX - Ustrlen(filename)) < 10)
674 return tls_error(US"Filename too long to generate replacement",
cf0c6164 675 CS filename, NULL, errstr);
059ec3d9 676
17c76198 677 temp_fn = string_copy(US "%s.XXXXXXX");
f5d25c2b 678 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
cf0c6164 679 return tls_error(US"Unable to open temp file", strerror(errno), NULL, errstr);
059ec3d9
PH		 680 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
681
201f5254
PP		 682 /* GnuTLS overshoots!
683 * If we ask for 2236, we might get 2237 or more.
684 * But there's no way to ask GnuTLS how many bits there really are.
685 * We can ask how many bits were used in a TLS session, but that's it!
686 * The prime itself is hidden behind too much abstraction.
687 * So we ask for less, and proceed on a wing and a prayer.
688 * First attempt, subtracted 3 for 2233 and got 2240.
689 */
cae6e576 690 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP		 691 {
692 dh_bits_gen = dh_bits - 10;
693 DEBUG(D_tls)
694 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
695 dh_bits_gen);
696 }
697
698 DEBUG(D_tls)
699 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
700 dh_bits_gen);
701 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
47195144 702 exim_gnutls_err_check(rc, US"gnutls_dh_params_generate2");
17c76198
PP		 703
704 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
705 and I confirmed that a NULL call to get the size first is how the GnuTLS
706 sample apps handle this. */
707
708 sz = 0;
709 m.data = NULL;
710 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
711 m.data, &sz);
712 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
47195144 713 exim_gnutls_err_check(rc, US"gnutls_dh_params_export_pkcs3(NULL) sizing");
17c76198 714 m.size = sz;
40c90bca 715 if (!(m.data = malloc(m.size)))
cf0c6164 716 return tls_error(US"memory allocation failed", strerror(errno), NULL, errstr);
40c90bca 717
1f00591e 718 /* this will return a size 1 less than the allocation size above */
17c76198 719 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
1f00591e 720 m.data, &sz);
17c76198
PP		 721 if (rc != GNUTLS_E_SUCCESS)
722 {
723 free(m.data);
47195144 724 exim_gnutls_err_check(rc, US"gnutls_dh_params_export_pkcs3() real");
17c76198 725 }
1f00591e 726 m.size = sz; /* shrink by 1, probably */
059ec3d9 727
f5d25c2b 728 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198
PP		 729 {
730 free(m.data);
731 return tls_error(US"TLS cache write D-H params failed",
cf0c6164 732 strerror(errno), NULL, errstr);
17c76198 733 }
b5aea5e1 734 free(m.data);
f5d25c2b 735 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
17c76198 736 return tls_error(US"TLS cache write D-H params final newline failed",
cf0c6164 737 strerror(errno), NULL, errstr);
17c76198 738
f5d25c2b 739 if ((rc = close(fd)))
cf0c6164 740 return tls_error(US"TLS cache write close() failed", strerror(errno), NULL, errstr);
059ec3d9 741
17c76198
PP		 742 if (Urename(temp_fn, filename) < 0)
743 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
cf0c6164 744 temp_fn, filename), strerror(errno), NULL, errstr);
059ec3d9 745
17c76198 746 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH		 747 }
748
17c76198 749DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH		 750return OK;
751}
752
753
754
755
23bb6982
JH		 756/* Create and install a selfsigned certificate, for use in server mode */
757
758static int
cf0c6164 759tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH		 760{
761gnutls_x509_crt_t cert = NULL;
762time_t now;
763gnutls_x509_privkey_t pkey = NULL;
764const uschar * where;
765int rc;
766
767where = US"initialising pkey";
768if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
769
770where = US"initialising cert";
771if ((rc = gnutls_x509_crt_init(&cert))) goto err;
772
773where = US"generating pkey";
774if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 775#ifdef SUPPORT_PARAM_TO_PK_BITS
23bb6982 776 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW),
76075bb5
JH		 777#else
778 1024,
779#endif
780 0)))
23bb6982
JH		 781 goto err;
782
783where = US"configuring cert";
784now = 0;
785if ( (rc = gnutls_x509_crt_set_version(cert, 3))
786 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
787 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
788 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
789 || (rc = gnutls_x509_crt_set_key(cert, pkey))
790
791 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
792 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
793 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
794 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
795 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
796 GNUTLS_OID_X520_COMMON_NAME, 0,
797 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
798 )
799 goto err;
800
801where = US"signing cert";
802if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
803
804where = US"installing selfsign cert";
805 /* Since: 2.4.0 */
806if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
807 goto err;
808
809rc = OK;
810
811out:
812 if (cert) gnutls_x509_crt_deinit(cert);
813 if (pkey) gnutls_x509_privkey_deinit(pkey);
814 return rc;
815
816err:
cf0c6164 817 rc = tls_error(where, gnutls_strerror(rc), NULL, errstr);
23bb6982
JH		 818 goto out;
819}
820
821
822
823
47195144
JH		 824/* Add certificate and key, from files.
825
826Return:
827 Zero or negative: good. Negate value for certificate index if < 0.
828 Greater than zero: FAIL or DEFER code.
829*/
830
ba86e143
JH		 831static int
832tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
833 uschar * certfile, uschar * keyfile, uschar ** errstr)
834{
835int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
836 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
47195144
JH		 837if (rc < 0)
838 return tls_error(
839 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
840 gnutls_strerror(rc), host, errstr);
841return -rc;
ba86e143
JH		 842}
843
844
059ec3d9 845/*************************************************
17c76198 846* Variables re-expanded post-SNI *
059ec3d9
PH		 847*************************************************/
848
17c76198
PP		 849/* Called from both server and client code, via tls_init(), and also from
850the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
851
852We can tell the two apart by state->received_sni being non-NULL in callback.
853
854The callback should not call us unless state->trigger_sni_changes is true,
855which we are responsible for setting on the first pass through.
059ec3d9
PH		 856
857Arguments:
17c76198 858 state exim_gnutls_state_st *
cf0c6164 859 errstr error string pointer
059ec3d9
PH		 860
861Returns: OK/DEFER/FAIL
862*/
863
864static int
ba86e143 865tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 866{
1365611d 867struct stat statbuf;
059ec3d9 868int rc;
17c76198
PP		 869const host_item *host = state->host; /* macro should be reconsidered? */
870uschar *saved_tls_certificate = NULL;
871uschar *saved_tls_privatekey = NULL;
872uschar *saved_tls_verify_certificates = NULL;
873uschar *saved_tls_crl = NULL;
874int cert_count;
875
876/* We check for tls_sni *before* expansion. */
2b4a568d 877if (!host) /* server */
17c76198
PP		 878 if (!state->received_sni)
879 {
ba86e143
JH		 880 if ( state->tls_certificate
881 && ( Ustrstr(state->tls_certificate, US"tls_sni")
882 || Ustrstr(state->tls_certificate, US"tls_in_sni")
883 || Ustrstr(state->tls_certificate, US"tls_out_sni")
884 ) )
17c76198
PP		 885 {
886 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
887 state->trigger_sni_changes = TRUE;
888 }
889 }
890 else
891 {
1365611d 892 /* useful for debugging */
17c76198
PP		 893 saved_tls_certificate = state->exp_tls_certificate;
894 saved_tls_privatekey = state->exp_tls_privatekey;
895 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
896 saved_tls_crl = state->exp_tls_crl;
897 }
059ec3d9 898
1365611d 899rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
47195144
JH		 900exim_gnutls_err_check(rc, US"gnutls_certificate_allocate_credentials");
901
902#ifdef SUPPORT_SRV_OCSP_STACK
903gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
904#endif
1365611d 905
17c76198
PP		 906/* remember: expand_check_tlsvar() is expand_check() but fiddling with
907state members, assuming consistent naming; and expand_check() returns
908false if expansion failed, unless expansion was forced to fail. */
059ec3d9 909
17c76198
PP		 910/* check if we at least have a certificate, before doing expensive
911D-H generation. */
059ec3d9 912
cf0c6164 913if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 914 return DEFER;
059ec3d9 915
17c76198 916/* certificate is mandatory in server, optional in client */
059ec3d9 917
23bb6982
JH		 918if ( !state->exp_tls_certificate
919 || !*state->exp_tls_certificate
920 )
2b4a568d 921 if (!host)
cf0c6164 922 return tls_install_selfsign(state, errstr);
17c76198
PP		 923 else
924 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 925
cf0c6164 926if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH		 927 return DEFER;
928
17c76198
PP		 929/* tls_privatekey is optional, defaulting to same file as certificate */
930
931if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
059ec3d9 932 {
17c76198
PP		 933 state->tls_privatekey = state->tls_certificate;
934 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 935 }
c91535f3 936
059ec3d9 937
17c76198 938if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH		 939 {
940 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP		 941 state->exp_tls_certificate, state->exp_tls_privatekey);
942
943 if (state->received_sni)
23bb6982
JH		 944 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
945 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
946 )
17c76198 947 {
b34fc30c 948 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP		 949 }
950 else
951 {
b34fc30c 952 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 953 }
059ec3d9 954
ba86e143
JH		 955 if (!host) /* server */
956 {
957 const uschar * clist = state->exp_tls_certificate;
958 const uschar * klist = state->exp_tls_privatekey;
47195144
JH		 959 const uschar * olist;
960 int csep = 0, ksep = 0, osep = 0, cnt = 0;
961 uschar * cfile, * kfile, * ofile;
962
963#ifndef DISABLE_OCSP
964 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
965 return DEFER;
966 olist = ofile;
967#endif
ba86e143
JH		 968
969 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
47195144 970
ba86e143
JH		 971 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
972 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
47195144 973 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
ba86e143
JH		 974 return rc;
975 else
47195144
JH		 976 {
977 int gnutls_cert_index = -rc;
ba86e143 978 DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile);
47195144
JH		 979
980 /* Set the OCSP stapling server info */
981
982#ifndef DISABLE_OCSP
983 if (tls_ocsp_file)
984 if (gnutls_buggy_ocsp)
985 {
986 DEBUG(D_tls)
987 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
988 }
989 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
990 {
991 /* Use the full callback method for stapling just to get
992 observability. More efficient would be to read the file once only,
993 if it never changed (due to SNI). Would need restart on file update,
994 or watch datestamp. */
995
996# ifdef SUPPORT_SRV_OCSP_STACK
997 rc = gnutls_certificate_set_ocsp_status_request_function2(
998 state->x509_cred, gnutls_cert_index,
999 server_ocsp_stapling_cb, ofile);
1000
1001 exim_gnutls_err_check(rc,
1002 US"gnutls_certificate_set_ocsp_status_request_function2");
1003# else
1004 if (cnt++ > 0)
1005 {
1006 DEBUG(D_tls)
1007 debug_printf("oops; multiple OCSP files not supported\n");
1008 break;
1009 }
1010 gnutls_certificate_set_ocsp_status_request_function(
1011 state->x509_cred, server_ocsp_stapling_cb, ofile);
1012# endif
1013
1014 DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile);
1015 }
1016 else
1017 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
1018#endif
1019 }
ba86e143
JH		 1020 }
1021 else
1022 {
47195144 1023 if (0 < (rc = tls_add_certfile(state, host,
ba86e143
JH		 1024 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1025 return rc;
1026 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1027 }
1028
b34fc30c 1029 } /* tls_certificate */
059ec3d9 1030
2b4a568d 1031
059ec3d9
PH		 1032/* Set the trusted CAs file if one is provided, and then add the CRL if one is
1033provided. Experiment shows that, if the certificate file is empty, an unhelpful
1034error message is provided. However, if we just refrain from setting anything up
1035in that case, certificate verification fails, which seems to be the correct
1036behaviour. */
1037
610ff438 1038if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 1039 {
cf0c6164 1040 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 1041 return DEFER;
610ff438
JH		 1042#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1043 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1044 state->exp_tls_verify_certificates = NULL;
1045#endif
17c76198 1046 if (state->tls_crl && *state->tls_crl)
cf0c6164 1047 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 1048 return DEFER;
059ec3d9 1049
1365611d
PP		 1050 if (!(state->exp_tls_verify_certificates &&
1051 *state->exp_tls_verify_certificates))
b34fc30c
PP		 1052 {
1053 DEBUG(D_tls)
1365611d
PP		 1054 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1055 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 1056 return OK;
b34fc30c 1057 }
1365611d 1058 }
83e2f8a2
PP		 1059else
1060 {
1061 DEBUG(D_tls)
1062 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1063 return OK;
1064 }
17c76198 1065
cb1d7830
JH		 1066#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1067if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1068 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1069else
1070#endif
1365611d 1071 {
cb1d7830
JH		 1072 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1073 {
1074 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
1075 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1076 strerror(errno));
1077 return DEFER;
1078 }
17c76198 1079
a7fec7a7 1080#ifndef SUPPORT_CA_DIR
cb1d7830
JH		 1081 /* The test suite passes in /dev/null; we could check for that path explicitly,
1082 but who knows if someone has some weird FIFO which always dumps some certs, or
1083 other weirdness. The thing we really want to check is that it's not a
1084 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 1085 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH		 1086 if (S_ISDIR(statbuf.st_mode))
1087 {
1088 DEBUG(D_tls)
1089 debug_printf("verify certificates path is a dir: \"%s\"\n",
1090 state->exp_tls_verify_certificates);
1091 log_write(0, LOG_MAIN|LOG_PANIC,
1092 "tls_verify_certificates \"%s\" is a directory",
1093 state->exp_tls_verify_certificates);
1094 return DEFER;
1095 }
a7fec7a7 1096#endif
059ec3d9 1097
cb1d7830
JH		 1098 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1099 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 1100
cb1d7830
JH		 1101 if (statbuf.st_size == 0)
1102 {
1103 DEBUG(D_tls)
1104 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1105 return OK;
1106 }
059ec3d9 1107
cb1d7830 1108 cert_count =
a7fec7a7
JH		 1109
1110#ifdef SUPPORT_CA_DIR
cb1d7830
JH		 1111 (statbuf.st_mode & S_IFMT) == S_IFDIR
1112 ?
1113 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1114 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1115 :
a7fec7a7 1116#endif
cb1d7830
JH		 1117 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1118 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
1119 }
a7fec7a7 1120
1365611d
PP		 1121if (cert_count < 0)
1122 {
1123 rc = cert_count;
47195144 1124 exim_gnutls_err_check(rc, US"setting certificate trust");
1365611d
PP		 1125 }
1126DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1127
5c8cda3a
PP		 1128if (state->tls_crl && *state->tls_crl &&
1129 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1130 {
5c8cda3a
PP		 1131 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
1132 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1133 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
1134 if (cert_count < 0)
1365611d 1135 {
5c8cda3a 1136 rc = cert_count;
47195144 1137 exim_gnutls_err_check(rc, US"gnutls_certificate_set_x509_crl_file");
1365611d 1138 }
5c8cda3a 1139 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1140 }
059ec3d9 1141
059ec3d9
PH		 1142return OK;
1143}
1144
1145
1146
1147
1365611d
PP		 1148/*************************************************
1149* Set X.509 state variables *
1150*************************************************/
1151
1152/* In GnuTLS, the registered cert/key are not replaced by a later
1153set of a cert/key, so for SNI support we need a whole new x509_cred
1154structure. Which means various other non-re-expanded pieces of state
1155need to be re-set in the new struct, so the setting logic is pulled
1156out to this.
1157
1158Arguments:
1159 state exim_gnutls_state_st *
cf0c6164 1160 errstr error string pointer
1365611d
PP		 1161
1162Returns: OK/DEFER/FAIL
1163*/
1164
1165static int
cf0c6164 1166tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP		 1167{
1168int rc;
1169const host_item *host = state->host; /* macro should be reconsidered? */
1170
1171/* Create D-H parameters, or read them from the cache file. This function does
1172its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1173client-side params. */
1174
1175if (!state->host)
1176 {
1177 if (!dh_server_params)
1178 {
cf0c6164 1179 rc = init_server_dh(errstr);
1365611d
PP		 1180 if (rc != OK) return rc;
1181 }
1182 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1183 }
1184
1185/* Link the credentials to the session. */
1186
1187rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
47195144 1188exim_gnutls_err_check(rc, US"gnutls_credentials_set");
1365611d
PP		 1189
1190return OK;
1191}
1192
059ec3d9 1193/*************************************************
17c76198 1194* Initialize for GnuTLS *
059ec3d9
PH		 1195*************************************************/
1196
9196d5bf 1197
4fb7df6d
JH		 1198#ifndef DISABLE_OCSP
1199
9196d5bf
JH		 1200static BOOL
1201tls_is_buggy_ocsp(void)
1202{
1203const uschar * s;
1204uschar maj, mid, mic;
1205
1206s = CUS gnutls_check_version(NULL);
1207maj = atoi(CCS s);
1208if (maj == 3)
1209 {
1210 while (*s && *s != '.') s++;
1211 mid = atoi(CCS ++s);
1212 if (mid <= 2)
1213 return TRUE;
1214 else if (mid >= 5)
1215 return FALSE;
1216 else
1217 {
1218 while (*s && *s != '.') s++;
1219 mic = atoi(CCS ++s);
1220 return mic <= (mid == 3 ? 16 : 3);
1221 }
1222 }
1223return FALSE;
1224}
1225
4fb7df6d 1226#endif
9196d5bf
JH		 1227
1228
17c76198
PP		 1229/* Called from both server and client code. In the case of a server, errors
1230before actual TLS negotiation return DEFER.
059ec3d9
PH		 1231
1232Arguments:
17c76198
PP		 1233 host connected host, if client; NULL if server
1234 certificate certificate file
1235 privatekey private key file
1236 sni TLS SNI to send, sometimes when client; else NULL
1237 cas CA certs file
1238 crl CRL file
1239 require_ciphers tls_require_ciphers setting
817d9f57 1240 caller_state returned state-info structure
cf0c6164 1241 errstr error string pointer
059ec3d9 1242
17c76198 1243Returns: OK/DEFER/FAIL
059ec3d9
PH		 1244*/
1245
17c76198
PP		 1246static int
1247tls_init(
1248 const host_item *host,
1249 const uschar *certificate,
1250 const uschar *privatekey,
1251 const uschar *sni,
1252 const uschar *cas,
1253 const uschar *crl,
1254 const uschar *require_ciphers,
cf0c6164
JH		 1255 exim_gnutls_state_st **caller_state,
1256 uschar ** errstr)
059ec3d9 1257{
17c76198
PP		 1258exim_gnutls_state_st *state;
1259int rc;
1260size_t sz;
1261const char *errpos;
1262uschar *p;
1263BOOL want_default_priorities;
1264
1265if (!exim_gnutls_base_init_done)
059ec3d9 1266 {
17c76198
PP		 1267 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1268
a5f239e4
PP		 1269#ifdef HAVE_GNUTLS_PKCS11
1270 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1271 which loads modules from a config file, which sounds good and may be wanted
1272 by some sysadmin, but also means in common configurations that GNOME keyring
1273 environment variables are used and so breaks for users calling mailq.
1274 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1275 if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 1276 {
1277 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
47195144 1278 exim_gnutls_err_check(rc, US"gnutls_pkcs11_init");
a5f239e4
PP		 1279 }
1280#endif
1281
17c76198 1282 rc = gnutls_global_init();
47195144 1283 exim_gnutls_err_check(rc, US"gnutls_global_init");
17c76198
PP		 1284
1285#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1286 DEBUG(D_tls)
059ec3d9 1287 {
17c76198
PP		 1288 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1289 /* arbitrarily chosen level; bump upto 9 for more */
1290 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1291 }
17c76198
PP		 1292#endif
1293
4fb7df6d
JH		 1294#ifndef DISABLE_OCSP
1295 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1296 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1297#endif
9196d5bf 1298
17c76198 1299 exim_gnutls_base_init_done = TRUE;
059ec3d9 1300 }
059ec3d9 1301
17c76198
PP		 1302if (host)
1303 {
1304 state = &state_client;
1305 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
817d9f57 1306 state->tlsp = &tls_out;
17c76198
PP		 1307 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1308 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1309 }
1310else
1311 {
1312 state = &state_server;
1313 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
817d9f57 1314 state->tlsp = &tls_in;
17c76198
PP		 1315 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1316 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1317 }
47195144 1318exim_gnutls_err_check(rc, US"gnutls_init");
059ec3d9 1319
17c76198 1320state->host = host;
059ec3d9 1321
17c76198
PP		 1322state->tls_certificate = certificate;
1323state->tls_privatekey = privatekey;
5779e6aa 1324state->tls_require_ciphers = require_ciphers;
17c76198
PP		 1325state->tls_sni = sni;
1326state->tls_verify_certificates = cas;
1327state->tls_crl = crl;
059ec3d9 1328
17c76198
PP		 1329/* This handles the variables that might get re-expanded after TLS SNI;
1330that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1331
17c76198
PP		 1332DEBUG(D_tls)
1333 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1334if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1335
1365611d
PP		 1336/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1337requires a new structure afterwards. */
83da1223 1338
cf0c6164 1339if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1340
17c76198
PP		 1341/* set SNI in client, only */
1342if (host)
1343 {
cf0c6164 1344 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1345 return DEFER;
0df4ab80 1346 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP		 1347 {
1348 DEBUG(D_tls)
0df4ab80
JH		 1349 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1350 sz = Ustrlen(state->tlsp->sni);
17c76198 1351 rc = gnutls_server_name_set(state->session,
0df4ab80 1352 GNUTLS_NAME_DNS, state->tlsp->sni, sz);
47195144 1353 exim_gnutls_err_check(rc, US"gnutls_server_name_set");
17c76198
PP		 1354 }
1355 }
1356else if (state->tls_sni)
1357 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
ba86e143 1358 "have an SNI set for a server [%s]\n", state->tls_sni);
83da1223 1359
17c76198 1360/* This is the priority string support,
42bfef1e 1361http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP		 1362and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1363This was backwards incompatible, but means Exim no longer needs to track
1364all algorithms and provide string forms for them. */
83da1223 1365
17c76198 1366want_default_priorities = TRUE;
83da1223 1367
17c76198 1368if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1369 {
cf0c6164 1370 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP		 1371 return DEFER;
1372 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1373 {
17c76198
PP		 1374 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1375 state->exp_tls_require_ciphers);
1376
1377 rc = gnutls_priority_init(&state->priority_cache,
1378 CS state->exp_tls_require_ciphers, &errpos);
1379 want_default_priorities = FALSE;
1380 p = state->exp_tls_require_ciphers;
83da1223
PH		 1381 }
1382 }
17c76198
PP		 1383if (want_default_priorities)
1384 {
83e2f8a2
PP		 1385 DEBUG(D_tls)
1386 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1387 exim_default_gnutls_priority);
17c76198
PP		 1388 rc = gnutls_priority_init(&state->priority_cache,
1389 exim_default_gnutls_priority, &errpos);
1390 p = US exim_default_gnutls_priority;
1391 }
83da1223 1392
47195144 1393exim_gnutls_err_check(rc, string_sprintf(
17c76198
PP		 1394 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1395 p, errpos - CS p, errpos));
1396
1397rc = gnutls_priority_set(state->session, state->priority_cache);
47195144 1398exim_gnutls_err_check(rc, US"gnutls_priority_set");
17c76198
PP		 1399
1400gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1401
1402/* Reduce security in favour of increased compatibility, if the admin
1403decides to make that trade-off. */
1404if (gnutls_compat_mode)
83da1223 1405 {
17c76198
PP		 1406#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1407 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1408 gnutls_session_enable_compatibility_mode(state->session);
1409#else
1410 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1411#endif
83da1223
PH		 1412 }
1413
17c76198 1414*caller_state = state;
17c76198 1415return OK;
83da1223
PH		 1416}
1417
1418
1419
059ec3d9 1420/*************************************************
17c76198 1421* Extract peer information *
059ec3d9
PH		 1422*************************************************/
1423
17c76198 1424/* Called from both server and client code.
4fe99a6c
PP		 1425Only this is allowed to set state->peerdn and state->have_set_peerdn
1426and we use that to detect double-calls.
059ec3d9 1427
75fe387d
PP		 1428NOTE: the state blocks last while the TLS connection is up, which is fine
1429for logging in the server side, but for the client side, we log after teardown
1430in src/deliver.c. While the session is up, we can twist about states and
1431repoint tls_* globals, but those variables used for logging or other variable
1432expansion that happens _after_ delivery need to have a longer life-time.
1433
1434So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1435doing this more than once per generation of a state context. We set them in
1436the state context, and repoint tls_* to them. After the state goes away, the
1437tls_* copies of the pointers remain valid and client delivery logging is happy.
1438
1439tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1440don't apply.
1441
059ec3d9 1442Arguments:
17c76198 1443 state exim_gnutls_state_st *
cf0c6164 1444 errstr pointer to error string
059ec3d9 1445
17c76198 1446Returns: OK/DEFER/FAIL
059ec3d9
PH		 1447*/
1448
17c76198 1449static int
cf0c6164 1450peer_status(exim_gnutls_state_st *state, uschar ** errstr)
059ec3d9 1451{
75fe387d 1452uschar cipherbuf[256];
27f19eb4 1453const gnutls_datum_t *cert_list;
75fe387d 1454int old_pool, rc;
17c76198 1455unsigned int cert_list_size = 0;
4fe99a6c
PP		 1456gnutls_protocol_t protocol;
1457gnutls_cipher_algorithm_t cipher;
1458gnutls_kx_algorithm_t kx;
1459gnutls_mac_algorithm_t mac;
17c76198
PP		 1460gnutls_certificate_type_t ct;
1461gnutls_x509_crt_t crt;
4fe99a6c 1462uschar *p, *dn_buf;
17c76198 1463size_t sz;
059ec3d9 1464
4fe99a6c 1465if (state->have_set_peerdn)
17c76198 1466 return OK;
4fe99a6c 1467state->have_set_peerdn = TRUE;
059ec3d9 1468
4fe99a6c 1469state->peerdn = NULL;
059ec3d9 1470
4fe99a6c
PP		 1471/* tls_cipher */
1472cipher = gnutls_cipher_get(state->session);
1473protocol = gnutls_protocol_get_version(state->session);
1474mac = gnutls_mac_get(state->session);
1475kx = gnutls_kx_get(state->session);
1476
75fe387d 1477string_format(cipherbuf, sizeof(cipherbuf),
4fe99a6c
PP		 1478 "%s:%s:%d",
1479 gnutls_protocol_get_name(protocol),
1480 gnutls_cipher_suite_get_name(kx, cipher, mac),
1481 (int) gnutls_cipher_get_key_size(cipher) * 8);
1482
1483/* I don't see a way that spaces could occur, in the current GnuTLS
1484code base, but it was a concern in the old code and perhaps older GnuTLS
1485releases did return "TLS 1.0"; play it safe, just in case. */
75fe387d 1486for (p = cipherbuf; *p != '\0'; ++p)
4fe99a6c
PP		 1487 if (isspace(*p))
1488 *p = '-';
75fe387d
PP		 1489old_pool = store_pool;
1490store_pool = POOL_PERM;
1491state->ciphersuite = string_copy(cipherbuf);
1492store_pool = old_pool;
817d9f57 1493state->tlsp->cipher = state->ciphersuite;
4fe99a6c
PP		 1494
1495/* tls_peerdn */
17c76198 1496cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
83da1223 1497
17c76198
PP		 1498if (cert_list == NULL || cert_list_size == 0)
1499 {
17c76198
PP		 1500 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1501 cert_list, cert_list_size);
e51c7be2 1502 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1503 return tls_error(US"certificate verification failed",
cf0c6164 1504 "no certificate received from peer", state->host, errstr);
17c76198
PP		 1505 return OK;
1506 }
059ec3d9 1507
17c76198
PP		 1508ct = gnutls_certificate_type_get(state->session);
1509if (ct != GNUTLS_CRT_X509)
059ec3d9 1510 {
17c76198 1511 const char *ctn = gnutls_certificate_type_get_name(ct);
17c76198
PP		 1512 DEBUG(D_tls)
1513 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1514 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1515 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1516 ctn, state->host, errstr);
17c76198 1517 return OK;
83da1223 1518 }
059ec3d9 1519
e51c7be2
JH		 1520#define exim_gnutls_peer_err(Label) \
1521 do { \
1522 if (rc != GNUTLS_E_SUCCESS) \
1523 { \
1524 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1525 (Label), gnutls_strerror(rc)); \
1526 if (state->verify_requirement >= VERIFY_REQUIRED) \
cf0c6164 1527 return tls_error((Label), gnutls_strerror(rc), state->host, errstr); \
e51c7be2
JH		 1528 return OK; \
1529 } \
1530 } while (0)
17c76198 1531
9d1c15ef
JH		 1532rc = import_cert(&cert_list[0], &crt);
1533exim_gnutls_peer_err(US"cert 0");
1534
1535state->tlsp->peercert = state->peercert = crt;
17c76198 1536
17c76198
PP		 1537sz = 0;
1538rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1539if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1540 {
17c76198
PP		 1541 exim_gnutls_peer_err(US"getting size for cert DN failed");
1542 return FAIL; /* should not happen */
059ec3d9 1543 }
17c76198
PP		 1544dn_buf = store_get_perm(sz);
1545rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1546exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1547
17c76198
PP		 1548state->peerdn = dn_buf;
1549
1550return OK;
1551#undef exim_gnutls_peer_err
1552}
059ec3d9 1553
059ec3d9 1554
059ec3d9 1555
059ec3d9 1556
17c76198
PP		 1557/*************************************************
1558* Verify peer certificate *
1559*************************************************/
059ec3d9 1560
17c76198
PP		 1561/* Called from both server and client code.
1562*Should* be using a callback registered with
1563gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1564the peer information, but that's too new for some OSes.
059ec3d9 1565
17c76198 1566Arguments:
899b8bbc
JH		 1567 state exim_gnutls_state_st *
1568 errstr where to put an error message
059ec3d9 1569
17c76198
PP		 1570Returns:
1571 FALSE if the session should be rejected
1572 TRUE if the cert is okay or we just don't care
1573*/
059ec3d9 1574
17c76198 1575static BOOL
cf0c6164 1576verify_certificate(exim_gnutls_state_st *state, uschar ** errstr)
17c76198
PP		 1577{
1578int rc;
899b8bbc
JH		 1579uint verify;
1580
1581if (state->verify_requirement == VERIFY_NONE)
1582 return TRUE;
17c76198 1583
cf0c6164 1584*errstr = NULL;
17c76198 1585
cf0c6164 1586if ((rc = peer_status(state, errstr)) != OK)
e6060e2c 1587 {
17c76198 1588 verify = GNUTLS_CERT_INVALID;
cf0c6164 1589 *errstr = US"certificate not supplied";
17c76198
PP		 1590 }
1591else
899b8bbc
JH		 1592
1593 {
1594#ifdef SUPPORT_DANE
1595 if (state->verify_requirement == VERIFY_DANE && state->host)
1596 {
1597 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1598 including talking to a DNS resolver. But we want to do that bit ourselves
1599 as the testsuite intercepts and fakes its own DNS environment. */
1600
1601 dane_state_t s;
1602 dane_query_t r;
1603 const gnutls_datum_t * certlist;
1604 uint lsize;
1605
1606 certlist = gnutls_certificate_get_peers(state->session, &lsize);
1607
1608 if ( (rc = dane_state_init(&s, 0))
1609 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
1610 1, 0))
1611 || (rc = dane_verify_crt_raw(s, certlist, lsize,
1612 gnutls_certificate_type_get(state->session),
1613 r, 0, 0, &verify))
1614 )
1615
1616 {
1617 *errstr = string_sprintf("TLSA record problem: %s", dane_strerror(rc));
1618 goto badcert;
1619 }
1620 if (verify != 0)
1621 {
1622 gnutls_datum_t str;
1623 (void) dane_verification_status_print(verify, &str, 0);
1624 *errstr = US str.data; /* don't bother to free */
1625 goto badcert;
1626 }
1627 state->peer_dane_verified = TRUE;
1628 }
1629#endif
1630
17c76198 1631 rc = gnutls_certificate_verify_peers2(state->session, &verify);
899b8bbc 1632 }
e6060e2c 1633
899b8bbc 1634/* Handle the result of verification. INVALID is set if any others are. */
059ec3d9 1635
e51c7be2
JH		 1636if (rc < 0 ||
1637 verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
1638 )
17c76198
PP		 1639 {
1640 state->peer_cert_verified = FALSE;
cf0c6164
JH		 1641 if (!*errstr)
1642 *errstr = verify & GNUTLS_CERT_REVOKED
1643 ? US"certificate revoked" : US"certificate invalid";
059ec3d9 1644
17c76198 1645 DEBUG(D_tls)
e51c7be2 1646 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 1647 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 1648
e51c7be2 1649 if (state->verify_requirement >= VERIFY_REQUIRED)
899b8bbc 1650 goto badcert;
17c76198 1651 DEBUG(D_tls)
4789da3a 1652 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 1653 }
e51c7be2 1654
17c76198
PP		 1655else
1656 {
aa2a70ba 1657 if (state->exp_tls_verify_cert_hostnames)
e51c7be2
JH		 1658 {
1659 int sep = 0;
55414b25 1660 const uschar * list = state->exp_tls_verify_cert_hostnames;
e51c7be2 1661 uschar * name;
76075bb5 1662 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
e51c7be2
JH		 1663 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
1664 break;
1665 if (!name)
1666 {
1667 DEBUG(D_tls)
1668 debug_printf("TLS certificate verification failed: cert name mismatch\n");
aa2a70ba 1669 if (state->verify_requirement >= VERIFY_REQUIRED)
899b8bbc 1670 goto badcert;
aa2a70ba 1671 return TRUE;
e51c7be2
JH		 1672 }
1673 }
17c76198 1674 state->peer_cert_verified = TRUE;
e51c7be2 1675 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 1676 state->peerdn ? state->peerdn : US"<unset>");
17c76198 1677 }
059ec3d9 1678
817d9f57 1679state->tlsp->peerdn = state->peerdn;
17c76198 1680return TRUE;
899b8bbc
JH		 1681
1682badcert:
1683 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1684 return FALSE;
17c76198 1685}
059ec3d9 1686
17c76198
PP		 1687
1688
1689
1690/* ------------------------------------------------------------------------ */
1691/* Callbacks */
1692
1693/* Logging function which can be registered with
1694 * gnutls_global_set_log_function()
1695 * gnutls_global_set_log_level() 0..9
1696 */
af3498d6 1697#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 1698static void
17c76198 1699exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 1700{
8c79eebf
PP		 1701 size_t len = strlen(message);
1702 if (len < 1)
1703 {
1704 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1705 return;
1706 }
1707 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1708 message[len-1] == '\n' ? "" : "\n");
17c76198 1709}
af3498d6 1710#endif
059ec3d9 1711
059ec3d9 1712
17c76198
PP		 1713/* Called after client hello, should handle SNI work.
1714This will always set tls_sni (state->received_sni) if available,
1715and may trigger presenting different certificates,
1716if state->trigger_sni_changes is TRUE.
059ec3d9 1717
17c76198
PP		 1718Should be registered with
1719 gnutls_handshake_set_post_client_hello_function()
059ec3d9 1720
17c76198
PP		 1721"This callback must return 0 on success or a gnutls error code to terminate the
1722handshake.".
059ec3d9 1723
17c76198
PP		 1724For inability to get SNI information, we return 0.
1725We only return non-zero if re-setup failed.
817d9f57 1726Only used for server-side TLS.
17c76198 1727*/
44bbabb5 1728
17c76198
PP		 1729static int
1730exim_sni_handling_cb(gnutls_session_t session)
1731{
1732char sni_name[MAX_HOST_LEN];
1733size_t data_len = MAX_HOST_LEN;
817d9f57 1734exim_gnutls_state_st *state = &state_server;
17c76198
PP		 1735unsigned int sni_type;
1736int rc, old_pool;
cf0c6164 1737uschar * dummy_errstr;
17c76198
PP		 1738
1739rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP		 1740if (rc != GNUTLS_E_SUCCESS)
1741 {
1742 DEBUG(D_tls) {
1743 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1744 debug_printf("TLS: no SNI presented in handshake.\n");
1745 else
1746 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1747 gnutls_strerror(rc), rc);
cf0c6164 1748 }
b34fc30c
PP		 1749 return 0;
1750 }
1751
17c76198
PP		 1752if (sni_type != GNUTLS_NAME_DNS)
1753 {
1754 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1755 return 0;
1756 }
44bbabb5 1757
17c76198
PP		 1758/* We now have a UTF-8 string in sni_name */
1759old_pool = store_pool;
1760store_pool = POOL_PERM;
1761state->received_sni = string_copyn(US sni_name, data_len);
1762store_pool = old_pool;
1763
1764/* We set this one now so that variable expansions below will work */
817d9f57 1765state->tlsp->sni = state->received_sni;
17c76198
PP		 1766
1767DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1768 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1769
1770if (!state->trigger_sni_changes)
1771 return 0;
1772
cf0c6164 1773if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP		 1774 {
1775 /* If the setup of certs/etc failed before handshake, TLS would not have
1776 been offered. The best we can do now is abort. */
1777 return GNUTLS_E_APPLICATION_ERROR_MIN;
1778 }
1779
cf0c6164 1780rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP		 1781if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1782
1783return 0;
059ec3d9
PH		 1784}
1785
1786
1787
f2de3a33 1788#ifndef DISABLE_OCSP
44662487
JH		 1789
1790static int
1791server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1792 gnutls_datum_t * ocsp_response)
1793{
1794int ret;
47195144 1795DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
44662487 1796
44662487
JH		 1797if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1798 {
1799 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
5903c6ff 1800 CS ptr);
018058b2 1801 tls_in.ocsp = OCSP_NOT_RESP;
44662487
JH		 1802 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1803 }
1804
018058b2 1805tls_in.ocsp = OCSP_VFY_NOT_TRIED;
44662487
JH		 1806return 0;
1807}
1808
1809#endif
1810
1811
0cbf2b82 1812#ifndef DISABLE_EVENT
a7538db1
JH		 1813/*
1814We use this callback to get observability and detail-level control
723fe533
JH		 1815for an exim TLS connection (either direction), raising a tls:cert event
1816for each cert in the chain presented by the peer. Any event
a7538db1
JH		 1817can deny verification.
1818
1819Return 0 for the handshake to continue or non-zero to terminate.
1820*/
1821
1822static int
723fe533 1823verify_cb(gnutls_session_t session)
a7538db1 1824{
27f19eb4 1825const gnutls_datum_t * cert_list;
a7538db1
JH		 1826unsigned int cert_list_size = 0;
1827gnutls_x509_crt_t crt;
1828int rc;
b30275b8 1829uschar * yield;
a7538db1
JH		 1830exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
1831
1832cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1833if (cert_list)
1834 while (cert_list_size--)
1835 {
1836 rc = import_cert(&cert_list[cert_list_size], &crt);
1837 if (rc != GNUTLS_E_SUCCESS)
1838 {
1839 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
1840 cert_list_size, gnutls_strerror(rc));
1841 break;
1842 }
1843
1844 state->tlsp->peercert = crt;
b30275b8
JH		 1845 if ((yield = event_raise(state->event_action,
1846 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH		 1847 {
1848 log_write(0, LOG_MAIN,
b30275b8
JH		 1849 "SSL verify denied by event-action: depth=%d: %s",
1850 cert_list_size, yield);
a7538db1
JH		 1851 return 1; /* reject */
1852 }
1853 state->tlsp->peercert = NULL;
1854 }
1855
1856return 0;
1857}
1858
1859#endif
44662487
JH		 1860
1861
17c76198
PP		 1862
1863/* ------------------------------------------------------------------------ */
1864/* Exported functions */
1865
1866
1867
1868
059ec3d9
PH		 1869/*************************************************
1870* Start a TLS session in a server *
1871*************************************************/
1872
1873/* This is called when Exim is running as a server, after having received
1874the STARTTLS command. It must respond to that command, and then negotiate
1875a TLS session.
1876
1877Arguments:
83da1223 1878 require_ciphers list of allowed ciphers or NULL
cf0c6164 1879 errstr pointer to error string
059ec3d9
PH		 1880
1881Returns: OK on success
1882 DEFER for errors before the start of the negotiation
4c04137d 1883 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 1884 continue running.
1885*/
1886
1887int
cf0c6164 1888tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 1889{
1890int rc;
cf0c6164 1891exim_gnutls_state_st * state = NULL;
059ec3d9
PH		 1892
1893/* Check for previous activation */
817d9f57 1894if (tls_in.active >= 0)
059ec3d9 1895 {
cf0c6164 1896 tls_error(US"STARTTLS received after TLS started", "", NULL, errstr);
925ac8e4 1897 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 1898 return FAIL;
1899 }
1900
1901/* Initialize the library. If it fails, it will already have logged the error
1902and sent an SMTP response. */
1903
17c76198 1904DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 1905
cf0c6164 1906if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
17c76198 1907 NULL, tls_verify_certificates, tls_crl,
cf0c6164 1908 require_ciphers, &state, errstr)) != OK) return rc;
059ec3d9 1909
059ec3d9
PH		 1910/* If this is a host for which certificate verification is mandatory or
1911optional, set up appropriately. */
1912
059ec3d9 1913if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 1914 {
e51c7be2
JH		 1915 DEBUG(D_tls)
1916 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP		 1917 state->verify_requirement = VERIFY_REQUIRED;
1918 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1919 }
059ec3d9 1920else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 1921 {
e51c7be2
JH		 1922 DEBUG(D_tls)
1923 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP		 1924 state->verify_requirement = VERIFY_OPTIONAL;
1925 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1926 }
1927else
1928 {
e51c7be2
JH		 1929 DEBUG(D_tls)
1930 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP		 1931 state->verify_requirement = VERIFY_NONE;
1932 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1933 }
059ec3d9 1934
0cbf2b82 1935#ifndef DISABLE_EVENT
723fe533
JH		 1936if (event_action)
1937 {
1938 state->event_action = event_action;
1939 gnutls_session_set_ptr(state->session, state);
1940 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
1941 }
1942#endif
1943
17c76198
PP		 1944/* Register SNI handling; always, even if not in tls_certificate, so that the
1945expansion variable $tls_sni is always available. */
059ec3d9 1946
17c76198
PP		 1947gnutls_handshake_set_post_client_hello_function(state->session,
1948 exim_sni_handling_cb);
059ec3d9
PH		 1949
1950/* Set context and tell client to go ahead, except in the case of TLS startup
1951on connection, where outputting anything now upsets the clients and tends to
1952make them disconnect. We need to have an explicit fflush() here, to force out
1953the response. Other smtp_printf() calls do not need it, because in non-TLS
1954mode, the fflush() happens when smtp_getc() is called. */
1955
817d9f57 1956if (!state->tlsp->on_connect)
059ec3d9 1957 {
925ac8e4 1958 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 1959 fflush(smtp_out);
059ec3d9
PH		 1960 }
1961
1962/* Now negotiate the TLS session. We put our own timer on it, since it seems
1963that the GnuTLS library doesn't. */
1964
17c76198 1965gnutls_transport_set_ptr2(state->session,
27f19eb4
JH		 1966 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
1967 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP		 1968state->fd_in = fileno(smtp_in);
1969state->fd_out = fileno(smtp_out);
059ec3d9
PH		 1970
1971sigalrm_seen = FALSE;
1972if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
17c76198 1973do
17c76198 1974 rc = gnutls_handshake(state->session);
157a7880 1975while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
059ec3d9
PH		 1976alarm(0);
1977
17c76198 1978if (rc != GNUTLS_E_SUCCESS)
059ec3d9 1979 {
059ec3d9
PH		 1980 /* It seems that, except in the case of a timeout, we have to close the
1981 connection right here; otherwise if the other end is running OpenSSL it hangs
1982 until the server times out. */
1983
60d10ce7 1984 if (sigalrm_seen)
ad7fc6eb 1985 {
cf0c6164 1986 tls_error(US"gnutls_handshake", "timed out", NULL, errstr);
ad7fc6eb
JH		 1987 gnutls_db_remove_session(state->session);
1988 }
60d10ce7 1989 else
059ec3d9 1990 {
cf0c6164 1991 tls_error(US"gnutls_handshake", gnutls_strerror(rc), NULL, errstr);
f5d25c2b 1992 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 1993 gnutls_deinit(state->session);
ed62aae3 1994 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 1995 millisleep(500);
ad7fc6eb 1996 shutdown(state->fd_out, SHUT_WR);
60d10ce7 1997 for (rc = 1024; fgetc(smtp_in) != EOF && rc > 0; ) rc--; /* drain skt */
f1e894f3
PH		 1998 (void)fclose(smtp_out);
1999 (void)fclose(smtp_in);
60d10ce7 2000 smtp_out = smtp_in = NULL;
059ec3d9
PH		 2001 }
2002
2003 return FAIL;
2004 }
2005
2006DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
2007
17c76198
PP		 2008/* Verify after the fact */
2009
899b8bbc 2010if (!verify_certificate(state, errstr))
059ec3d9 2011 {
9d1c15ef 2012 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 2013 {
cf0c6164 2014 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 2015 return FAIL;
17c76198 2016 }
9d1c15ef
JH		 2017 DEBUG(D_tls)
2018 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 2019 *errstr);
059ec3d9
PH		 2020 }
2021
17c76198
PP		 2022/* Figure out peer DN, and if authenticated, etc. */
2023
cf0c6164 2024if ((rc = peer_status(state, NULL)) != OK) return rc;
17c76198
PP		 2025
2026/* Sets various Exim expansion variables; always safe within server */
2027
9d1c15ef 2028extract_exim_vars_from_tls_state(state);
059ec3d9
PH		 2029
2030/* TLS has been set up. Adjust the input functions to read via TLS,
2031and initialize appropriately. */
2032
17c76198 2033state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH		 2034
2035receive_getc = tls_getc;
0d81dabc 2036receive_getbuf = tls_getbuf;
584e96c6 2037receive_get_cache = tls_get_cache;
059ec3d9
PH		 2038receive_ungetc = tls_ungetc;
2039receive_feof = tls_feof;
2040receive_ferror = tls_ferror;
58eb016e 2041receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2042
059ec3d9
PH		 2043return OK;
2044}
2045
2046
2047
2048
aa2a70ba
JH		 2049static void
2050tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2051 smtp_transport_options_block * ob)
2052{
5130845b 2053if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 2054 {
4af0d74a 2055 state->exp_tls_verify_cert_hostnames =
8c5d388a 2056#ifdef SUPPORT_I18N
4af0d74a
JH		 2057 string_domain_utf8_to_alabel(host->name, NULL);
2058#else
2059 host->name;
2060#endif
aa2a70ba
JH		 2061 DEBUG(D_tls)
2062 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2063 state->exp_tls_verify_cert_hostnames);
2064 }
2065}
aa2a70ba
JH		 2066
2067
899b8bbc
JH		 2068
2069
2070#ifdef SUPPORT_DANE
2071/* Given our list of RRs from the TLSA lookup, build a lookup block in
2072GnuTLS-DANE's preferred format. Hang it on the state str for later
2073use in DANE verification.
2074
2075We point at the dnsa data not copy it, so it must remain valid until
2076after verification is done.*/
2077
2078static void
2079dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2080{
2081dns_record * rr;
2082dns_scan dnss;
2083int i;
2084const char ** dane_data;
2085int * dane_data_len;
2086
2087for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS), i = 1;
2088 rr;
2089 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2090 ) if (rr->type == T_TLSA) i++;
2091
2092dane_data = store_get(i * sizeof(uschar *));
2093dane_data_len = store_get(i * sizeof(int));
2094
2095for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS), i = 0;
2096 rr;
2097 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2098 ) if (rr->type == T_TLSA)
2099 {
2100 const uschar * p = rr->data;
2101 uint8_t usage = *p;
2102
2103 tls_out.tlsa_usage |= 1<<usage;
2104 dane_data[i] = p;
2105 dane_data_len[i++] = rr->size;
2106 }
2107dane_data[i] = NULL;
2108dane_data_len[i] = 0;
2109
2110state->dane_data = (char * const *)dane_data;
2111state->dane_data_len = dane_data_len;
2112}
2113#endif
2114
2115
2116
059ec3d9
PH		 2117/*************************************************
2118* Start a TLS session in a client *
2119*************************************************/
2120
2121/* Called from the smtp transport after STARTTLS has been accepted.
2122
2123Arguments:
2124 fd the fd of the connection
2125 host connected host (for messages)
83da1223 2126 addr the first address (not used)
a7538db1 2127 tb transport (always smtp)
899b8bbc
JH		 2128 tlsa_dnsa non-NULL, either request or require dane for this host, and
2129 a TLSA record found. Therefore, dane verify required.
2130 Which implies cert must be requested and supplied, dane
2131 verify must pass, and cert verify irrelevant (incl.
2132 hostnames), and (caller handled) require_tls
cf0c6164
JH		 2133 errstr error string pointer
2134
059ec3d9
PH		 2135Returns: OK/DEFER/FAIL (because using common functions),
2136 but for a client, DEFER and FAIL have the same meaning
2137*/
2138
2139int
17c76198 2140tls_client_start(int fd, host_item *host,
f5d78688 2141 address_item *addr ARG_UNUSED,
cf0c6164 2142 transport_instance * tb,
0e66b3b6 2143#ifdef EXPERIMENTAL_DANE
899b8bbc 2144 dns_answer * tlsa_dnsa,
0e66b3b6 2145#endif
cf0c6164 2146 uschar ** errstr)
059ec3d9 2147{
a7538db1
JH		 2148smtp_transport_options_block *ob =
2149 (smtp_transport_options_block *)tb->options_block;
059ec3d9 2150int rc;
899b8bbc 2151exim_gnutls_state_st * state = NULL;
f2de3a33 2152#ifndef DISABLE_OCSP
5130845b
JH		 2153BOOL require_ocsp =
2154 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
44662487 2155BOOL request_ocsp = require_ocsp ? TRUE
5130845b 2156 : verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2b4a568d 2157#endif
059ec3d9 2158
17c76198 2159DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
059ec3d9 2160
65867078
JH		 2161if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
2162 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
cf0c6164 2163 ob->tls_require_ciphers, &state, errstr)) != OK)
2b4a568d 2164 return rc;
059ec3d9 2165
54c90be1 2166 {
65867078
JH		 2167 int dh_min_bits = ob->tls_dh_min_bits;
2168 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2169 {
2170 DEBUG(D_tls)
2171 debug_printf("WARNING: tls_dh_min_bits far too low,"
2172 " clamping %d up to %d\n",
2173 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2174 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2175 }
54c90be1 2176
65867078
JH		 2177 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2178 " acceptable bits to %d\n",
2179 dh_min_bits);
2180 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2181 }
83da1223 2182
94431adb 2183/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH		 2184set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2185the specified host patterns if one of them is defined */
2186
899b8bbc
JH		 2187#ifdef SUPPORT_DANE
2188if (tlsa_dnsa)
2189 {
2190 DEBUG(D_tls)
2191 debug_printf("TLS: server certificate DANE required.\n");
2192 state->verify_requirement = VERIFY_DANE;
2193 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2194 dane_tlsa_load(state, tlsa_dnsa);
2195 }
2196else
2197#endif
2198 if ( ( state->exp_tls_verify_certificates
2199 && !ob->tls_verify_hosts
2200 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2201 )
2202 || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
2203 )
17c76198 2204 {
aa2a70ba 2205 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH		 2206 DEBUG(D_tls)
2207 debug_printf("TLS: server certificate verification required.\n");
2208 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB		 2209 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2210 }
5130845b 2211else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
52f93eed 2212 {
aa2a70ba 2213 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH		 2214 DEBUG(D_tls)
2215 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2216 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP		 2217 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2218 }
2219else
2220 {
e51c7be2
JH		 2221 DEBUG(D_tls)
2222 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB		 2223 state->verify_requirement = VERIFY_NONE;
2224 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2225 }
059ec3d9 2226
f2de3a33
JH		 2227#ifndef DISABLE_OCSP
2228 /* supported since GnuTLS 3.1.3 */
44662487 2229if (request_ocsp)
9d1c15ef
JH		 2230 {
2231 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH		 2232 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2233 NULL, 0, NULL)) != OK)
9d1c15ef 2234 return tls_error(US"cert-status-req",
cf0c6164 2235 gnutls_strerror(rc), state->host, errstr);
44662487 2236 tls_out.ocsp = OCSP_NOT_RESP;
9d1c15ef 2237 }
2b4a568d
JH		 2238#endif
2239
0cbf2b82 2240#ifndef DISABLE_EVENT
774ef2d7 2241if (tb->event_action)
a7538db1 2242 {
774ef2d7 2243 state->event_action = tb->event_action;
a7538db1 2244 gnutls_session_set_ptr(state->session, state);
723fe533 2245 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH		 2246 }
2247#endif
2248
27f19eb4 2249gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) fd);
17c76198
PP		 2250state->fd_in = fd;
2251state->fd_out = fd;
059ec3d9 2252
9d1c15ef 2253DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH		 2254/* There doesn't seem to be a built-in timeout on connection. */
2255
2256sigalrm_seen = FALSE;
65867078 2257alarm(ob->command_timeout);
17c76198
PP		 2258do
2259 {
2260 rc = gnutls_handshake(state->session);
619b2b25
PP		 2261 } while ((rc == GNUTLS_E_AGAIN) ||
2262 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
059ec3d9
PH		 2263alarm(0);
2264
4fe99a6c 2265if (rc != GNUTLS_E_SUCCESS)
60d10ce7
JH		 2266 if (sigalrm_seen)
2267 {
2268 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
cf0c6164 2269 return tls_error(US"gnutls_handshake", "timed out", state->host, errstr);
60d10ce7
JH		 2270 }
2271 else
cf0c6164 2272 return tls_error(US"gnutls_handshake", gnutls_strerror(rc), state->host, errstr);
4fe99a6c 2273
17c76198 2274DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
059ec3d9 2275
17c76198 2276/* Verify late */
059ec3d9 2277
899b8bbc 2278if (!verify_certificate(state, errstr))
cf0c6164 2279 return tls_error(US"certificate verification failed", *errstr, state->host, errstr);
059ec3d9 2280
f2de3a33 2281#ifndef DISABLE_OCSP
2b4a568d
JH		 2282if (require_ocsp)
2283 {
2284 DEBUG(D_tls)
2285 {
2286 gnutls_datum_t stapling;
2287 gnutls_ocsp_resp_t resp;
2288 gnutls_datum_t printed;
2289 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
2290 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
2291 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2292 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
2293 )
2294 {
65867078 2295 debug_printf("%.4096s", printed.data);
2b4a568d
JH		 2296 gnutls_free(printed.data);
2297 }
2298 else
cf0c6164 2299 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host, errstr);
2b4a568d
JH		 2300 }
2301
2b4a568d 2302 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2
JH		 2303 {
2304 tls_out.ocsp = OCSP_FAILED;
cf0c6164 2305 return tls_error(US"certificate status check failed", NULL, state->host, errstr);
018058b2 2306 }
2b4a568d 2307 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
44662487 2308 tls_out.ocsp = OCSP_VFIED;
2b4a568d
JH		 2309 }
2310#endif
2311
17c76198 2312/* Figure out peer DN, and if authenticated, etc. */
059ec3d9 2313
cf0c6164 2314if ((rc = peer_status(state, errstr)) != OK)
2b4a568d 2315 return rc;
059ec3d9 2316
4fe99a6c 2317/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 2318
9d1c15ef 2319extract_exim_vars_from_tls_state(state);
059ec3d9 2320
059ec3d9
PH		 2321return OK;
2322}
2323
2324
2325
17c76198 2326
059ec3d9 2327/*************************************************
17c76198 2328* Close down a TLS session *
059ec3d9
PH		 2329*************************************************/
2330
17c76198
PP		 2331/* This is also called from within a delivery subprocess forked from the
2332daemon, to shut down the TLS library, without actually doing a shutdown (which
2333would tamper with the TLS session in the parent process).
059ec3d9 2334
17c76198
PP		 2335Arguments: TRUE if gnutls_bye is to be called
2336Returns: nothing
059ec3d9
PH		 2337*/
2338
17c76198 2339void
817d9f57 2340tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 2341{
817d9f57 2342exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
059ec3d9 2343
389ca47a 2344if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
17c76198
PP		 2345
2346if (shutdown)
2347 {
f5723109 2348 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
17c76198
PP		 2349 gnutls_bye(state->session, GNUTLS_SHUT_WR);
2350 }
2351
2352gnutls_deinit(state->session);
ed62aae3
HSHR		 2353gnutls_certificate_free_credentials(state->x509_cred);
2354
17c76198 2355
389ca47a 2356state->tlsp->active = -1;
17c76198
PP		 2357memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
2358
2359if ((state_server.session == NULL) && (state_client.session == NULL))
2360 {
2361 gnutls_global_deinit();
2362 exim_gnutls_base_init_done = FALSE;
2363 }
059ec3d9
PH		 2364}
2365
2366
2367
17c76198 2368
0d81dabc
JH		 2369static BOOL
2370tls_refill(unsigned lim)
2371{
2372exim_gnutls_state_st * state = &state_server;
2373ssize_t inbytes;
2374
2375DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2376 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
2377
2378if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2379inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
2380 MIN(ssl_xfer_buffer_size, lim));
2381alarm(0);
2382
2383/* Timeouts do not get this far; see command_timeout_handler().
2384 A zero-byte return appears to mean that the TLS session has been
2385 closed down, not that the socket itself has been closed down. Revert to
2386 non-TLS handling. */
2387
2388if (sigalrm_seen)
2389 {
2390 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
2391 state->xfer_error = 1;
2392 return FALSE;
2393 }
2394
2395else if (inbytes == 0)
2396 {
2397 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2398
2399 receive_getc = smtp_getc;
2400 receive_getbuf = smtp_getbuf;
2401 receive_get_cache = smtp_get_cache;
2402 receive_ungetc = smtp_ungetc;
2403 receive_feof = smtp_feof;
2404 receive_ferror = smtp_ferror;
2405 receive_smtp_buffered = smtp_buffered;
2406
2407 gnutls_deinit(state->session);
2408 gnutls_certificate_free_credentials(state->x509_cred);
2409
2410 state->session = NULL;
2411 state->tlsp->active = -1;
2412 state->tlsp->bits = 0;
2413 state->tlsp->certificate_verified = FALSE;
2414 tls_channelbinding_b64 = NULL;
2415 state->tlsp->cipher = NULL;
2416 state->tlsp->peercert = NULL;
2417 state->tlsp->peerdn = NULL;
2418
2419 return FALSE;
2420 }
2421
2422/* Handle genuine errors */
2423
2424else if (inbytes < 0)
2425 {
2426 record_io_error(state, (int) inbytes, US"recv", NULL);
2427 state->xfer_error = 1;
2428 return FALSE;
2429 }
2430#ifndef DISABLE_DKIM
2431dkim_exim_verify_feed(state->xfer_buffer, inbytes);
2432#endif
2433state->xfer_buffer_hwm = (int) inbytes;
2434state->xfer_buffer_lwm = 0;
2435return TRUE;
2436}
2437
059ec3d9
PH		 2438/*************************************************
2439* TLS version of getc *
2440*************************************************/
2441
2442/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2443it refills the buffer via the GnuTLS reading function.
817d9f57 2444Only used by the server-side TLS.
059ec3d9 2445
17c76198
PP		 2446This feeds DKIM and should be used for all message-body reads.
2447
bd8fbe36 2448Arguments: lim Maximum amount to read/bufffer
059ec3d9
PH		 2449Returns: the next character or EOF
2450*/
2451
2452int
bd8fbe36 2453tls_getc(unsigned lim)
059ec3d9 2454{
0d81dabc 2455exim_gnutls_state_st * state = &state_server;
059ec3d9 2456
0d81dabc
JH		 2457if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2458 if (!tls_refill(lim))
2459 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 2460
0d81dabc 2461/* Something in the buffer; return next uschar */
059ec3d9 2462
0d81dabc
JH		 2463return state->xfer_buffer[state->xfer_buffer_lwm++];
2464}
059ec3d9 2465
0d81dabc
JH		 2466uschar *
2467tls_getbuf(unsigned * len)
2468{
2469exim_gnutls_state_st * state = &state_server;
2470unsigned size;
2471uschar * buf;
059ec3d9 2472
0d81dabc
JH		 2473if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2474 if (!tls_refill(*len))
059ec3d9 2475 {
0d81dabc
JH		 2476 if (!state->xfer_error) return smtp_getbuf(len);
2477 *len = 0;
2478 return NULL;
059ec3d9 2479 }
059ec3d9 2480
0d81dabc
JH		 2481if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
2482 size = *len;
2483buf = &state->xfer_buffer[state->xfer_buffer_lwm];
2484state->xfer_buffer_lwm += size;
2485*len = size;
2486return buf;
059ec3d9
PH		 2487}
2488
0d81dabc 2489
584e96c6
JH		 2490void
2491tls_get_cache()
2492{
9960d1e5 2493#ifndef DISABLE_DKIM
584e96c6
JH		 2494exim_gnutls_state_st * state = &state_server;
2495int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
2496if (n > 0)
2497 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 2498#endif
9960d1e5 2499}
584e96c6 2500
059ec3d9 2501
925ac8e4
JH		 2502BOOL
2503tls_could_read(void)
2504{
2505return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
2506 || gnutls_record_check_pending(state_server.session) > 0;
2507}
2508
2509
059ec3d9 2510
17c76198 2511
059ec3d9
PH		 2512/*************************************************
2513* Read bytes from TLS channel *
2514*************************************************/
2515
17c76198
PP		 2516/* This does not feed DKIM, so if the caller uses this for reading message body,
2517then the caller must feed DKIM.
817d9f57 2518
059ec3d9
PH		 2519Arguments:
2520 buff buffer of data
2521 len size of buffer
2522
2523Returns: the number of bytes read
2524 -1 after a failed read
2525*/
2526
2527int
817d9f57 2528tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 2529{
817d9f57 2530exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
17c76198 2531ssize_t inbytes;
059ec3d9 2532
17c76198
PP		 2533if (len > INT_MAX)
2534 len = INT_MAX;
059ec3d9 2535
17c76198
PP		 2536if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
2537 DEBUG(D_tls)
2538 debug_printf("*** PROBABLY A BUG *** " \
2539 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
2540 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
2541
2542DEBUG(D_tls)
2543 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
2544 state->session, buff, len);
2545
2546inbytes = gnutls_record_recv(state->session, buff, len);
059ec3d9
PH		 2547if (inbytes > 0) return inbytes;
2548if (inbytes == 0)
2549 {
2550 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2551 }
17c76198 2552else record_io_error(state, (int)inbytes, US"recv", NULL);
059ec3d9
PH		 2553
2554return -1;
2555}
2556
2557
2558
17c76198 2559
059ec3d9
PH		 2560/*************************************************
2561* Write bytes down TLS channel *
2562*************************************************/
2563
2564/*
2565Arguments:
817d9f57 2566 is_server channel specifier
059ec3d9
PH		 2567 buff buffer of data
2568 len number of bytes
925ac8e4 2569 more more data expected soon
059ec3d9
PH		 2570
2571Returns: the number of bytes after a successful write,
2572 -1 after a failed write
2573*/
2574
2575int
925ac8e4 2576tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
059ec3d9 2577{
17c76198
PP		 2578ssize_t outbytes;
2579size_t left = len;
817d9f57 2580exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
925ac8e4
JH		 2581#ifdef SUPPORT_CORK
2582static BOOL corked = FALSE;
2583
2584if (more && !corked) gnutls_record_cork(state->session);
2585#endif
2586
2587DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
2588 buff, left, more ? ", more" : "");
059ec3d9 2589
059ec3d9
PH		 2590while (left > 0)
2591 {
17c76198
PP		 2592 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
2593 buff, left);
2594 outbytes = gnutls_record_send(state->session, buff, left);
059ec3d9 2595
17c76198 2596 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH		 2597 if (outbytes < 0)
2598 {
17c76198 2599 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH		 2600 return -1;
2601 }
2602 if (outbytes == 0)
2603 {
17c76198 2604 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH		 2605 return -1;
2606 }
2607
2608 left -= outbytes;
2609 buff += outbytes;
2610 }
2611
17c76198
PP		 2612if (len > INT_MAX)
2613 {
2614 DEBUG(D_tls)
2615 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
2616 len);
2617 len = INT_MAX;
2618 }
2619
925ac8e4
JH		 2620#ifdef SUPPORT_CORK
2621if (more != corked)
2622 {
2623 if (!more) (void) gnutls_record_uncork(state->session, 0);
2624 corked = more;
2625 }
2626#endif
2627
17c76198 2628return (int) len;
059ec3d9
PH		 2629}
2630
2631
2632
17c76198 2633
059ec3d9 2634/*************************************************
17c76198 2635* Random number generation *
059ec3d9
PH		 2636*************************************************/
2637
17c76198
PP		 2638/* Pseudo-random number generation. The result is not expected to be
2639cryptographically strong but not so weak that someone will shoot themselves
2640in the foot using it as a nonce in input in some email header scheme or
2641whatever weirdness they'll twist this into. The result should handle fork()
2642and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 2643
17c76198
PP		 2644Arguments:
2645 max range maximum
2646Returns a random number in range [0, max-1]
059ec3d9
PH		 2647*/
2648
af3498d6 2649#ifdef HAVE_GNUTLS_RND
17c76198
PP		 2650int
2651vaguely_random_number(int max)
059ec3d9 2652{
17c76198
PP		 2653unsigned int r;
2654int i, needed_len;
2655uschar *p;
2656uschar smallbuf[sizeof(r)];
2657
2658if (max <= 1)
2659 return 0;
2660
2661needed_len = sizeof(r);
2662/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2663 * asked for a number less than 10. */
2664for (r = max, i = 0; r; ++i)
2665 r >>= 1;
2666i = (i + 7) / 8;
2667if (i < needed_len)
2668 needed_len = i;
2669
2670i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2671if (i < 0)
059ec3d9 2672 {
17c76198
PP		 2673 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2674 return vaguely_random_number_fallback(max);
2675 }
2676r = 0;
2677for (p = smallbuf; needed_len; --needed_len, ++p)
2678 {
2679 r *= 256;
2680 r += *p;
059ec3d9
PH		 2681 }
2682
17c76198
PP		 2683/* We don't particularly care about weighted results; if someone wants
2684 * smooth distribution and cares enough then they should submit a patch then. */
2685return r % max;
059ec3d9 2686}
af3498d6
PP		 2687#else /* HAVE_GNUTLS_RND */
2688int
2689vaguely_random_number(int max)
2690{
2691 return vaguely_random_number_fallback(max);
2692}
2693#endif /* HAVE_GNUTLS_RND */
059ec3d9 2694
36f12725
NM		 2695
2696
2697
3375e053
PP		 2698/*************************************************
2699* Let tls_require_ciphers be checked at startup *
2700*************************************************/
2701
2702/* The tls_require_ciphers option, if set, must be something which the
2703library can parse.
2704
2705Returns: NULL on success, or error message
2706*/
2707
2708uschar *
2709tls_validate_require_cipher(void)
2710{
2711int rc;
2712uschar *expciphers = NULL;
2713gnutls_priority_t priority_cache;
2714const char *errpos;
cf0c6164 2715uschar * dummy_errstr;
3375e053
PP		 2716
2717#define validate_check_rc(Label) do { \
2718 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2719 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2720#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2721
2722if (exim_gnutls_base_init_done)
2723 log_write(0, LOG_MAIN|LOG_PANIC,
2724 "already initialised GnuTLS, Exim developer bug");
2725
a5f239e4 2726#ifdef HAVE_GNUTLS_PKCS11
2519e60d 2727if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 2728 {
2729 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2730 validate_check_rc(US"gnutls_pkcs11_init");
2731 }
2732#endif
3375e053
PP		 2733rc = gnutls_global_init();
2734validate_check_rc(US"gnutls_global_init()");
2735exim_gnutls_base_init_done = TRUE;
2736
2737if (!(tls_require_ciphers && *tls_require_ciphers))
2738 return_deinit(NULL);
2739
cf0c6164
JH		 2740if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2741 &dummy_errstr))
3375e053
PP		 2742 return_deinit(US"failed to expand tls_require_ciphers");
2743
2744if (!(expciphers && *expciphers))
2745 return_deinit(NULL);
2746
2747DEBUG(D_tls)
2748 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2749
2750rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2751validate_check_rc(string_sprintf(
2752 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2753 expciphers, errpos - CS expciphers, errpos));
2754
2755#undef return_deinit
2756#undef validate_check_rc
2757gnutls_global_deinit();
2758
2759return NULL;
2760}
2761
2762
2763
2764
36f12725
NM		 2765/*************************************************
2766* Report the library versions. *
2767*************************************************/
2768
2769/* See a description in tls-openssl.c for an explanation of why this exists.
2770
2771Arguments: a FILE* to print the results to
2772Returns: nothing
2773*/
2774
2775void
2776tls_version_report(FILE *f)
2777{
754a0503
PP		 2778fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2779 " Runtime: %s\n",
2780 LIBGNUTLS_VERSION,
2781 gnutls_check_version(NULL));
36f12725
NM		 2782}
2783
2b4a568d
JH		 2784/* vi: aw ai sw=2
2785*/
059ec3d9 2786/* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.