projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Build: workaround inlining problems on Solaris
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP		 10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP		 14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 16Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 17appropriate.
059ec3d9 18
17c76198
PP		 19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP		 24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP		 27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP		 32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP		 37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
184384c3 42
a5f239e4
PP		 43/* needed to disable PKCS11 autoload unless requested */
44#if GNUTLS_VERSION_NUMBER >= 0x020c00
45# include <gnutls/pkcs11.h>
76075bb5 46# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 47#endif
7e07527a
JH		 48#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
49# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
50# define DISABLE_OCSP
51#endif
0cbf2b82 52#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 53# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 54# define DISABLE_EVENT
a7538db1 55#endif
a7fec7a7
JH		 56#if GNUTLS_VERSION_NUMBER >= 0x030306
57# define SUPPORT_CA_DIR
58#else
59# undef SUPPORT_CA_DIR
60#endif
11a04b5a 61#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH		 62# define SUPPORT_SYSDEFAULT_CABUNDLE
63#endif
184384c3
JH		 64#if GNUTLS_VERSION_NUMBER >= 0x030104
65# define GNUTLS_CERT_VFY_STATUS_PRINT
66#endif
925ac8e4
JH		 67#if GNUTLS_VERSION_NUMBER >= 0x030109
68# define SUPPORT_CORK
69#endif
f20cfa4a
JH		 70#if GNUTLS_VERSION_NUMBER >= 0x03010a
71# define SUPPORT_GNUTLS_SESS_DESC
72#endif
73#if GNUTLS_VERSION_NUMBER >= 0x030500
74# define SUPPORT_GNUTLS_KEYLOG
75#endif
47195144
JH		 76#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
77# define SUPPORT_SRV_OCSP_STACK
78#endif
c0635b6d
JH		 79
80#ifdef SUPPORT_DANE
81# if GNUTLS_VERSION_NUMBER >= 0x030000
82# define DANESSL_USAGE_DANE_TA 2
83# define DANESSL_USAGE_DANE_EE 3
84# else
85# error GnuTLS version too early for DANE
86# endif
87# if GNUTLS_VERSION_NUMBER < 0x999999
88# define GNUTLS_BROKEN_DANE_VALIDATION
89# endif
899b8bbc 90#endif
7e07527a 91
43e2db44
JH		 92#ifdef EXPERIMENTAL_TLS_RESUME
93# if GNUTLS_VERSION_NUMBER < 0x030603
94# error GNUTLS version too early for session-resumption
95# endif
96#endif
97
f2de3a33 98#ifndef DISABLE_OCSP
2b4a568d
JH		 99# include <gnutls/ocsp.h>
100#endif
899b8bbc
JH		 101#ifdef SUPPORT_DANE
102# include <gnutls/dane.h>
103#endif
059ec3d9 104
f1be21cf
JH		 105#include "tls-cipher-stdname.c"
106
107
b10c87b3
JH		 108#ifdef MACRO_PREDEF
109void
110options_tls(void)
111{
112# ifdef EXPERIMENTAL_TLS_RESUME
113builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
114# endif
115}
116#else
117
118
17c76198 119/* GnuTLS 2 vs 3
059ec3d9 120
17c76198
PP		 121GnuTLS 3 only:
122 gnutls_global_set_audit_log_function()
059ec3d9 123
17c76198
PP		 124Changes:
125 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
126*/
059ec3d9 127
17c76198 128/* Local static variables for GnuTLS */
059ec3d9 129
17c76198 130/* Values for verify_requirement */
059ec3d9 131
e51c7be2 132enum peer_verify_requirement
899b8bbc 133 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
059ec3d9 134
17c76198
PP		 135/* This holds most state for server or client; with this, we can set up an
136outbound TLS-enabled connection in an ACL callout, while not stomping all
137over the TLS variables available for expansion.
059ec3d9 138
17c76198
PP		 139Some of these correspond to variables in globals.c; those variables will
140be set to point to content in one of these instances, as appropriate for
141the stage of the process lifetime.
059ec3d9 142
389ca47a 143Not handled here: global tls_channelbinding_b64.
17c76198 144*/
059ec3d9 145
17c76198 146typedef struct exim_gnutls_state {
9d1c15ef 147 gnutls_session_t session;
17c76198 148 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 149 gnutls_priority_t priority_cache;
17c76198 150 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH		 151 int fd_in;
152 int fd_out;
153 BOOL peer_cert_verified;
899b8bbc 154 BOOL peer_dane_verified;
9d1c15ef
JH		 155 BOOL trigger_sni_changes;
156 BOOL have_set_peerdn;
5fd28bb8 157 const struct host_item *host; /* NULL if server */
afdb5e9c 158 gnutls_x509_crt_t peercert;
9d1c15ef
JH		 159 uschar *peerdn;
160 uschar *ciphersuite;
161 uschar *received_sni;
17c76198
PP		 162
163 const uschar *tls_certificate;
164 const uschar *tls_privatekey;
165 const uschar *tls_sni; /* client send only, not received */
166 const uschar *tls_verify_certificates;
167 const uschar *tls_crl;
168 const uschar *tls_require_ciphers;
e51c7be2 169
17c76198
PP		 170 uschar *exp_tls_certificate;
171 uschar *exp_tls_privatekey;
17c76198
PP		 172 uschar *exp_tls_verify_certificates;
173 uschar *exp_tls_crl;
174 uschar *exp_tls_require_ciphers;
55414b25 175 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 176#ifndef DISABLE_EVENT
a7538db1
JH		 177 uschar *event_action;
178#endif
899b8bbc
JH		 179#ifdef SUPPORT_DANE
180 char * const * dane_data;
181 const int * dane_data_len;
182#endif
17c76198 183
389ca47a 184 tls_support *tlsp; /* set in tls_init() */
817d9f57 185
17c76198
PP		 186 uschar *xfer_buffer;
187 int xfer_buffer_lwm;
188 int xfer_buffer_hwm;
8b77d27a
JH		 189 BOOL xfer_eof; /*XXX never gets set! */
190 BOOL xfer_error;
17c76198
PP		 191} exim_gnutls_state_st;
192
193static const exim_gnutls_state_st exim_gnutls_state_init = {
b10c87b3 194 /* all elements not explicitly intialised here get 0/NULL/FALSE */
f2ed27cf
JH		 195 .fd_in = -1,
196 .fd_out = -1,
17c76198 197};
83da1223 198
17c76198
PP		 199/* Not only do we have our own APIs which don't pass around state, assuming
200it's held in globals, GnuTLS doesn't appear to let us register callback data
201for callbacks, or as part of the session, so we have to keep a "this is the
202context we're currently dealing with" pointer and rely upon being
203single-threaded to keep from processing data on an inbound TLS connection while
204talking to another TLS connection for an outbound check. This does mean that
205there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH		 206second connection.
207XXX But see gnutls_session_get_ptr()
208*/
059ec3d9 209
74f1a423 210static exim_gnutls_state_st state_server;
059ec3d9 211
17c76198
PP		 212/* dh_params are initialised once within the lifetime of a process using TLS;
213if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
214don't want to repeat this. */
83da1223 215
17c76198 216static gnutls_dh_params_t dh_server_params = NULL;
059ec3d9 217
dea4b568 218static int ssl_session_timeout = 7200; /* Two hours */
059ec3d9 219
fc243e94 220static const uschar * const exim_default_gnutls_priority = US"NORMAL";
83da1223 221
17c76198 222/* Guard library core initialisation */
83da1223 223
17c76198 224static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 225
4fb7df6d 226#ifndef DISABLE_OCSP
9196d5bf 227static BOOL gnutls_buggy_ocsp = FALSE;
4fb7df6d 228#endif
9196d5bf 229
b10c87b3
JH		 230#ifdef EXPERIMENTAL_TLS_RESUME
231static gnutls_datum_t server_sessticket_key;
232#endif
059ec3d9 233
17c76198
PP		 234/* ------------------------------------------------------------------------ */
235/* macros */
83da1223 236
17c76198 237#define MAX_HOST_LEN 255
83da1223 238
17c76198
PP		 239/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
240the library logging; a value less than 0 disables the calls to set up logging
dc6d1769
JH		 241callbacks. GNuTLS also looks for an environment variable - except not for
242setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
243Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
244but the env var must be added to /etc/sudoers too. */
2c17bb02 245#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
b1a4f234 246# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 247#endif
83da1223 248
2c17bb02 249#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 250# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 251#endif
83da1223 252
af3498d6
PP		 253/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
254can ask for a bit-strength. Without that, we stick to the constant we had
255before, for now. */
2c17bb02 256#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 257# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 258#endif
af3498d6 259
cf0c6164
JH		 260#define expand_check_tlsvar(Varname, errstr) \
261 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 262
17c76198 263#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH		 264# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
265# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
266# define HAVE_GNUTLS_RND
2519e60d
TL		 267/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
268 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
269 * isn't available sometimes, so this needs to become a conditional
270 * compilation; the sanest way to deal with this being a problem on
271 * older OSes is to block it in the Local/Makefile with this compiler
272 * definition */
e51c7be2
JH		 273# ifndef AVOID_GNUTLS_PKCS11
274# define HAVE_GNUTLS_PKCS11
275# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 276#endif
83da1223 277
af3498d6
PP		 278
279
280
281/* ------------------------------------------------------------------------ */
282/* Callback declarations */
283
284#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
285static void exim_gnutls_logger_cb(int level, const char *message);
286#endif
287
288static int exim_sni_handling_cb(gnutls_session_t session);
289
f2de3a33 290#ifndef DISABLE_OCSP
44662487
JH		 291static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
292 gnutls_datum_t * ocsp_response);
293#endif
af3498d6
PP		 294
295
296
b10c87b3
JH		 297/* Daemon one-time initialisation */
298void
299tls_daemon_init(void)
300{
301#ifdef EXPERIMENTAL_TLS_RESUME
302/* We are dependent on the GnuTLS implementation of the Session Ticket
303encryption; both the strength and the key rotation period. We hope that
304the strength at least matches that of the ciphersuite (but GnuTLS does not
305document this). */
306
307static BOOL once = FALSE;
308if (once) return;
309once = TRUE;
310gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
311if (f.running_in_test_harness) ssl_session_timeout = 6;
312#endif
313}
314
17c76198
PP		 315/* ------------------------------------------------------------------------ */
316/* Static functions */
059ec3d9
PH		 317
318/*************************************************
319* Handle TLS error *
320*************************************************/
321
322/* Called from lots of places when errors occur before actually starting to do
323the TLS handshake, that is, while the session is still in clear. Always returns
324DEFER for a server and FAIL for a client so that most calls can use "return
325tls_error(...)" to do this processing and then give an appropriate return. A
326single function is used for both server and client, because it is called from
327some shared functions.
328
329Argument:
330 prefix text to include in the logged error
7199e1ee
TF		 331 msg additional error string (may be NULL)
332 usually obtained from gnutls_strerror()
17c76198
PP		 333 host NULL if setting up a server;
334 the connected host if setting up a client
cf0c6164 335 errstr pointer to returned error string
059ec3d9
PH		 336
337Returns: OK/DEFER/FAIL
338*/
339
340static int
48224640 341tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
cf0c6164 342 uschar ** errstr)
059ec3d9 343{
cf0c6164 344if (errstr)
48224640 345 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
cf0c6164 346return host ? FAIL : DEFER;
059ec3d9
PH		 347}
348
349
452a164f
JH		 350static int
351tls_error_gnu(const uschar *prefix, int err, const host_item *host,
352 uschar ** errstr)
353{
354return tls_error(prefix, US gnutls_strerror(err), host, errstr);
355}
356
357static int
358tls_error_sys(const uschar *prefix, int err, const host_item *host,
359 uschar ** errstr)
360{
361return tls_error(prefix, US strerror(err), host, errstr);
362}
059ec3d9 363
17c76198 364
059ec3d9 365/*************************************************
17c76198 366* Deal with logging errors during I/O *
059ec3d9
PH		 367*************************************************/
368
17c76198 369/* We have to get the identity of the peer from saved data.
059ec3d9 370
17c76198
PP		 371Argument:
372 state the current GnuTLS exim state container
373 rc the GnuTLS error code, or 0 if it's a local error
374 when text identifying read or write
95f52235 375 text local error text when rc is 0
059ec3d9 376
17c76198 377Returns: nothing
059ec3d9
PH		 378*/
379
17c76198
PP		 380static void
381record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 382{
48224640 383const uschar * msg;
cf0c6164 384uschar * errstr;
059ec3d9 385
17c76198 386if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
95f52235 387 msg = string_sprintf("A TLS fatal alert has been received: %s",
17c76198
PP		 388 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
389else
48224640 390 msg = US gnutls_strerror(rc);
059ec3d9 391
cf0c6164
JH		 392(void) tls_error(when, msg, state->host, &errstr);
393
394if (state->host)
395 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
396 state->host->name, state->host->address, errstr);
397else
398 {
399 uschar * conn_info = smtp_get_connection_info();
400 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
401 /* I'd like to get separated H= here, but too hard for now */
402 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
403 }
17c76198 404}
059ec3d9 405
059ec3d9 406
059ec3d9 407
059ec3d9 408
17c76198
PP		 409/*************************************************
410* Set various Exim expansion vars *
411*************************************************/
059ec3d9 412
e51c7be2
JH		 413#define exim_gnutls_cert_err(Label) \
414 do \
415 { \
416 if (rc != GNUTLS_E_SUCCESS) \
417 { \
418 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
419 (Label), gnutls_strerror(rc)); \
420 return rc; \
421 } \
422 } while (0)
9d1c15ef
JH		 423
424static int
27f19eb4 425import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH		 426{
427int rc;
428
429rc = gnutls_x509_crt_init(crtp);
430exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
431
432rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
433exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
434
435return rc;
436}
437
438#undef exim_gnutls_cert_err
439
440
17c76198
PP		 441/* We set various Exim global variables from the state, once a session has
442been established. With TLS callouts, may need to change this to stack
443variables, or just re-call it with the server state after client callout
444has finished.
059ec3d9 445
9d1c15ef 446Make sure anything set here is unset in tls_getc().
17c76198
PP		 447
448Sets:
449 tls_active fd
450 tls_bits strength indicator
451 tls_certificate_verified bool indicator
452 tls_channelbinding_b64 for some SASL mechanisms
453 tls_cipher a string
9d1c15ef 454 tls_peercert pointer to library internal
17c76198
PP		 455 tls_peerdn a string
456 tls_sni a (UTF-8) string
9d1c15ef 457 tls_ourcert pointer to library internal
17c76198
PP		 458
459Argument:
460 state the relevant exim_gnutls_state_st *
461*/
462
463static void
9d1c15ef 464extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 465{
17c76198
PP		 466#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
467int old_pool;
468int rc;
469gnutls_datum_t channel;
470#endif
9d1c15ef 471tls_support * tlsp = state->tlsp;
17c76198 472
74f1a423
JH		 473tlsp->active.sock = state->fd_out;
474tlsp->active.tls_ctx = state;
17c76198 475
817d9f57 476DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 477
9d1c15ef 478tlsp->certificate_verified = state->peer_cert_verified;
899b8bbc
JH		 479#ifdef SUPPORT_DANE
480tlsp->dane_verified = state->peer_dane_verified;
481#endif
059ec3d9 482
17c76198
PP		 483/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
484only available for use for authenticators while this TLS session is running. */
485
486tls_channelbinding_b64 = NULL;
487#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
488channel.data = NULL;
489channel.size = 0;
1f20760b
JH		 490if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
491 { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
492else
493 {
17c76198
PP		 494 old_pool = store_pool;
495 store_pool = POOL_PERM;
1f20760b 496 tls_channelbinding_b64 = b64encode(CUS channel.data, (int)channel.size);
17c76198
PP		 497 store_pool = old_pool;
498 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
1f20760b 499 }
17c76198
PP		 500#endif
501
9d1c15ef
JH		 502/* peercert is set in peer_status() */
503tlsp->peerdn = state->peerdn;
504tlsp->sni = state->received_sni;
505
506/* record our certificate */
507 {
27f19eb4 508 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH		 509 gnutls_x509_crt_t crt;
510
511 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
512 }
059ec3d9
PH		 513}
514
515
516
17c76198 517
059ec3d9 518/*************************************************
575643cd 519* Setup up DH parameters *
059ec3d9
PH		 520*************************************************/
521
575643cd 522/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH		 523be re-generated every so often, depending on security policy. What we do is to
524keep these parameters in a file in the spool directory. If the file does not
525exist, we generate them. This means that it is easy to cause a regeneration.
526
527The new file is written as a temporary file and renamed, so that an incomplete
528file is never present. If two processes both compute some new parameters, you
529waste a bit of effort, but it doesn't seem worth messing around with locking to
530prevent this.
531
059ec3d9
PH		 532Returns: OK/DEFER/FAIL
533*/
534
535static int
cf0c6164 536init_server_dh(uschar ** errstr)
059ec3d9 537{
17c76198
PP		 538int fd, rc;
539unsigned int dh_bits;
27f19eb4 540gnutls_datum_t m;
a799883d
PP		 541uschar filename_buf[PATH_MAX];
542uschar *filename = NULL;
17c76198 543size_t sz;
a799883d
PP		 544uschar *exp_tls_dhparam;
545BOOL use_file_in_spool = FALSE;
17c76198 546host_item *host = NULL; /* dummy for macros */
059ec3d9 547
17c76198 548DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 549
452a164f
JH		 550if ((rc = gnutls_dh_params_init(&dh_server_params)))
551 return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
059ec3d9 552
a799883d
PP		 553m.data = NULL;
554m.size = 0;
555
cf0c6164 556if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP		 557 return DEFER;
558
559if (!exp_tls_dhparam)
560 {
561 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
562 m.data = US std_dh_prime_default();
563 m.size = Ustrlen(m.data);
564 }
565else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
566 use_file_in_spool = TRUE;
567else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
568 {
569 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
570 return OK;
571 }
572else if (exp_tls_dhparam[0] != '/')
573 {
f5d25c2b 574 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
48224640 575 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
a799883d
PP		 576 m.size = Ustrlen(m.data);
577 }
578else
a799883d 579 filename = exp_tls_dhparam;
a799883d
PP		 580
581if (m.data)
582 {
452a164f
JH		 583 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
584 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
a799883d
PP		 585 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
586 return OK;
587 }
588
af3498d6
PP		 589#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
590/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198 591different filename and ensure we have sufficient bits. */
452a164f
JH		 592
593if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
cf0c6164 594 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 595DEBUG(D_tls)
b34fc30c 596 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP		 597 dh_bits);
598#else
599dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
600DEBUG(D_tls)
601 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
602 dh_bits);
603#endif
059ec3d9 604
3375e053
PP		 605/* Some clients have hard-coded limits. */
606if (dh_bits > tls_dh_max_bits)
607 {
608 DEBUG(D_tls)
609 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
610 tls_dh_max_bits);
611 dh_bits = tls_dh_max_bits;
612 }
613
a799883d
PP		 614if (use_file_in_spool)
615 {
616 if (!string_format(filename_buf, sizeof(filename_buf),
617 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 618 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP		 619 filename = filename_buf;
620 }
059ec3d9 621
b5aea5e1 622/* Open the cache file for reading and if successful, read it and set up the
575643cd 623parameters. */
059ec3d9 624
f5d25c2b 625if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 626 {
b5aea5e1 627 struct stat statbuf;
17c76198
PP		 628 FILE *fp;
629 int saved_errno;
630
631 if (fstat(fd, &statbuf) < 0) /* EIO */
632 {
633 saved_errno = errno;
634 (void)close(fd);
452a164f 635 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
17c76198
PP		 636 }
637 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH		 638 {
639 (void)close(fd);
cf0c6164 640 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 641 }
40c90bca 642 if (!(fp = fdopen(fd, "rb")))
17c76198
PP		 643 {
644 saved_errno = errno;
645 (void)close(fd);
452a164f
JH		 646 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
647 saved_errno, NULL, errstr);
b5aea5e1 648 }
059ec3d9 649
b5aea5e1 650 m.size = statbuf.st_size;
f3ebb786 651 if (!(m.data = store_malloc(m.size)))
17c76198
PP		 652 {
653 fclose(fp);
452a164f 654 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
17c76198 655 }
40c90bca 656 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP		 657 {
658 saved_errno = errno;
659 fclose(fp);
f3ebb786 660 store_free(m.data);
452a164f 661 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
17c76198
PP		 662 }
663 fclose(fp);
b5aea5e1 664
17c76198 665 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
f3ebb786 666 store_free(m.data);
452a164f
JH		 667 if (rc)
668 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
17c76198 669 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH		 670 }
671
672/* If the file does not exist, fall through to compute new data and cache it.
673If there was any other opening error, it is serious. */
674
182ad5cf
PH		 675else if (errno == ENOENT)
676 {
17c76198 677 rc = -1;
182ad5cf 678 DEBUG(D_tls)
17c76198 679 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH		 680 }
681else
17c76198 682 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 683 NULL, NULL, errstr);
b5aea5e1
PH		 684
685/* If ret < 0, either the cache file does not exist, or the data it contains
686is not useful. One particular case of this is when upgrading from an older
687release of Exim in which the data was stored in a different format. We don't
688try to be clever and support both formats; we just regenerate new data in this
689case. */
690
17c76198 691if (rc < 0)
b5aea5e1 692 {
17c76198 693 uschar *temp_fn;
201f5254 694 unsigned int dh_bits_gen = dh_bits;
059ec3d9 695
17c76198
PP		 696 if ((PATH_MAX - Ustrlen(filename)) < 10)
697 return tls_error(US"Filename too long to generate replacement",
48224640 698 filename, NULL, errstr);
059ec3d9 699
48224640 700 temp_fn = string_copy(US"%s.XXXXXXX");
f5d25c2b 701 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
452a164f 702 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
b66fecb4 703 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
059ec3d9 704
201f5254
PP		 705 /* GnuTLS overshoots!
706 * If we ask for 2236, we might get 2237 or more.
707 * But there's no way to ask GnuTLS how many bits there really are.
708 * We can ask how many bits were used in a TLS session, but that's it!
709 * The prime itself is hidden behind too much abstraction.
710 * So we ask for less, and proceed on a wing and a prayer.
711 * First attempt, subtracted 3 for 2233 and got 2240.
712 */
cae6e576 713 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP		 714 {
715 dh_bits_gen = dh_bits - 10;
716 DEBUG(D_tls)
717 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
718 dh_bits_gen);
719 }
720
721 DEBUG(D_tls)
722 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
723 dh_bits_gen);
452a164f
JH		 724 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
725 return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
17c76198
PP		 726
727 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
728 and I confirmed that a NULL call to get the size first is how the GnuTLS
729 sample apps handle this. */
730
731 sz = 0;
732 m.data = NULL;
452a164f
JH		 733 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
734 GNUTLS_X509_FMT_PEM, m.data, &sz))
735 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
736 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
737 rc, host, errstr);
17c76198 738 m.size = sz;
f3ebb786 739 if (!(m.data = store_malloc(m.size)))
452a164f 740 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
40c90bca 741
1f00591e 742 /* this will return a size 1 less than the allocation size above */
452a164f
JH		 743 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
744 m.data, &sz)))
17c76198 745 {
f3ebb786 746 store_free(m.data);
452a164f 747 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
17c76198 748 }
1f00591e 749 m.size = sz; /* shrink by 1, probably */
059ec3d9 750
f5d25c2b 751 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198 752 {
f3ebb786 753 store_free(m.data);
452a164f
JH		 754 return tls_error_sys(US"TLS cache write D-H params failed",
755 errno, NULL, errstr);
17c76198 756 }
f3ebb786 757 store_free(m.data);
f5d25c2b 758 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
452a164f
JH		 759 return tls_error_sys(US"TLS cache write D-H params final newline failed",
760 errno, NULL, errstr);
17c76198 761
f5d25c2b 762 if ((rc = close(fd)))
452a164f 763 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
059ec3d9 764
17c76198 765 if (Urename(temp_fn, filename) < 0)
452a164f
JH		 766 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
767 temp_fn, filename), errno, NULL, errstr);
059ec3d9 768
17c76198 769 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH		 770 }
771
17c76198 772DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH		 773return OK;
774}
775
776
777
778
23bb6982
JH		 779/* Create and install a selfsigned certificate, for use in server mode */
780
781static int
cf0c6164 782tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH		 783{
784gnutls_x509_crt_t cert = NULL;
785time_t now;
786gnutls_x509_privkey_t pkey = NULL;
787const uschar * where;
788int rc;
789
790where = US"initialising pkey";
791if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
792
793where = US"initialising cert";
794if ((rc = gnutls_x509_crt_init(&cert))) goto err;
795
796where = US"generating pkey";
797if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 798#ifdef SUPPORT_PARAM_TO_PK_BITS
4312da48
JH		 799# ifndef GNUTLS_SEC_PARAM_MEDIUM
800# define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
801# endif
6aac3239 802 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
76075bb5 803#else
6aac3239 804 2048,
76075bb5
JH		 805#endif
806 0)))
23bb6982
JH		 807 goto err;
808
809where = US"configuring cert";
1613fd68 810now = 1;
23bb6982
JH		 811if ( (rc = gnutls_x509_crt_set_version(cert, 3))
812 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
813 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
814 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
815 || (rc = gnutls_x509_crt_set_key(cert, pkey))
816
817 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
818 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
819 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
820 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
821 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
822 GNUTLS_OID_X520_COMMON_NAME, 0,
823 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
824 )
825 goto err;
826
827where = US"signing cert";
828if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
829
830where = US"installing selfsign cert";
831 /* Since: 2.4.0 */
832if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
833 goto err;
834
835rc = OK;
836
837out:
838 if (cert) gnutls_x509_crt_deinit(cert);
839 if (pkey) gnutls_x509_privkey_deinit(pkey);
840 return rc;
841
842err:
452a164f 843 rc = tls_error_gnu(where, rc, NULL, errstr);
23bb6982
JH		 844 goto out;
845}
846
847
848
849
47195144
JH		 850/* Add certificate and key, from files.
851
852Return:
853 Zero or negative: good. Negate value for certificate index if < 0.
854 Greater than zero: FAIL or DEFER code.
855*/
856
ba86e143
JH		 857static int
858tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
859 uschar * certfile, uschar * keyfile, uschar ** errstr)
860{
861int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
862 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
47195144 863if (rc < 0)
452a164f 864 return tls_error_gnu(
47195144 865 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
452a164f 866 rc, host, errstr);
47195144 867return -rc;
ba86e143
JH		 868}
869
870
059ec3d9 871/*************************************************
17c76198 872* Variables re-expanded post-SNI *
059ec3d9
PH		 873*************************************************/
874
17c76198
PP		 875/* Called from both server and client code, via tls_init(), and also from
876the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
877
878We can tell the two apart by state->received_sni being non-NULL in callback.
879
880The callback should not call us unless state->trigger_sni_changes is true,
881which we are responsible for setting on the first pass through.
059ec3d9
PH		 882
883Arguments:
17c76198 884 state exim_gnutls_state_st *
cf0c6164 885 errstr error string pointer
059ec3d9
PH		 886
887Returns: OK/DEFER/FAIL
888*/
889
890static int
ba86e143 891tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 892{
1365611d 893struct stat statbuf;
059ec3d9 894int rc;
17c76198
PP		 895const host_item *host = state->host; /* macro should be reconsidered? */
896uschar *saved_tls_certificate = NULL;
897uschar *saved_tls_privatekey = NULL;
898uschar *saved_tls_verify_certificates = NULL;
899uschar *saved_tls_crl = NULL;
900int cert_count;
901
902/* We check for tls_sni *before* expansion. */
2b4a568d 903if (!host) /* server */
17c76198
PP		 904 if (!state->received_sni)
905 {
ba86e143
JH		 906 if ( state->tls_certificate
907 && ( Ustrstr(state->tls_certificate, US"tls_sni")
908 || Ustrstr(state->tls_certificate, US"tls_in_sni")
909 || Ustrstr(state->tls_certificate, US"tls_out_sni")
910 ) )
17c76198
PP		 911 {
912 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
913 state->trigger_sni_changes = TRUE;
914 }
915 }
916 else
917 {
1365611d 918 /* useful for debugging */
17c76198
PP		 919 saved_tls_certificate = state->exp_tls_certificate;
920 saved_tls_privatekey = state->exp_tls_privatekey;
921 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
922 saved_tls_crl = state->exp_tls_crl;
923 }
059ec3d9 924
452a164f
JH		 925if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
926 return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
927 rc, host, errstr);
47195144
JH		 928
929#ifdef SUPPORT_SRV_OCSP_STACK
930gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
931#endif
1365611d 932
17c76198
PP		 933/* remember: expand_check_tlsvar() is expand_check() but fiddling with
934state members, assuming consistent naming; and expand_check() returns
935false if expansion failed, unless expansion was forced to fail. */
059ec3d9 936
17c76198
PP		 937/* check if we at least have a certificate, before doing expensive
938D-H generation. */
059ec3d9 939
cf0c6164 940if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 941 return DEFER;
059ec3d9 942
17c76198 943/* certificate is mandatory in server, optional in client */
059ec3d9 944
23bb6982
JH		 945if ( !state->exp_tls_certificate
946 || !*state->exp_tls_certificate
947 )
2b4a568d 948 if (!host)
cf0c6164 949 return tls_install_selfsign(state, errstr);
17c76198
PP		 950 else
951 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 952
cf0c6164 953if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH		 954 return DEFER;
955
17c76198
PP		 956/* tls_privatekey is optional, defaulting to same file as certificate */
957
958if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
059ec3d9 959 {
17c76198
PP		 960 state->tls_privatekey = state->tls_certificate;
961 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 962 }
c91535f3 963
059ec3d9 964
17c76198 965if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH		 966 {
967 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP		 968 state->exp_tls_certificate, state->exp_tls_privatekey);
969
970 if (state->received_sni)
23bb6982
JH		 971 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
972 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
973 )
17c76198 974 {
b34fc30c 975 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP		 976 }
977 else
978 {
b34fc30c 979 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 980 }
059ec3d9 981
ba86e143
JH		 982 if (!host) /* server */
983 {
984 const uschar * clist = state->exp_tls_certificate;
985 const uschar * klist = state->exp_tls_privatekey;
47195144
JH		 986 const uschar * olist;
987 int csep = 0, ksep = 0, osep = 0, cnt = 0;
988 uschar * cfile, * kfile, * ofile;
989
990#ifndef DISABLE_OCSP
991 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
992 return DEFER;
993 olist = ofile;
994#endif
ba86e143
JH		 995
996 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
47195144 997
ba86e143
JH		 998 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
999 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
47195144 1000 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
ba86e143
JH		 1001 return rc;
1002 else
47195144
JH		 1003 {
1004 int gnutls_cert_index = -rc;
ba86e143 1005 DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile);
47195144
JH		 1006
1007 /* Set the OCSP stapling server info */
1008
1009#ifndef DISABLE_OCSP
1010 if (tls_ocsp_file)
1011 if (gnutls_buggy_ocsp)
1012 {
1013 DEBUG(D_tls)
1014 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1015 }
1016 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1017 {
1018 /* Use the full callback method for stapling just to get
1019 observability. More efficient would be to read the file once only,
1020 if it never changed (due to SNI). Would need restart on file update,
1021 or watch datestamp. */
1022
1023# ifdef SUPPORT_SRV_OCSP_STACK
452a164f
JH		 1024 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1025 state->x509_cred, gnutls_cert_index,
1026 server_ocsp_stapling_cb, ofile)))
1027 return tls_error_gnu(
1028 US"gnutls_certificate_set_ocsp_status_request_function2",
1029 rc, host, errstr);
47195144
JH		 1030# else
1031 if (cnt++ > 0)
1032 {
1033 DEBUG(D_tls)
1034 debug_printf("oops; multiple OCSP files not supported\n");
1035 break;
1036 }
1037 gnutls_certificate_set_ocsp_status_request_function(
1038 state->x509_cred, server_ocsp_stapling_cb, ofile);
1039# endif
1040
1041 DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile);
1042 }
1043 else
1044 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
1045#endif
1046 }
ba86e143
JH		 1047 }
1048 else
1049 {
47195144 1050 if (0 < (rc = tls_add_certfile(state, host,
ba86e143
JH		 1051 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1052 return rc;
1053 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1054 }
1055
b34fc30c 1056 } /* tls_certificate */
059ec3d9 1057
2b4a568d 1058
059ec3d9
PH		 1059/* Set the trusted CAs file if one is provided, and then add the CRL if one is
1060provided. Experiment shows that, if the certificate file is empty, an unhelpful
1061error message is provided. However, if we just refrain from setting anything up
1062in that case, certificate verification fails, which seems to be the correct
1063behaviour. */
1064
610ff438 1065if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 1066 {
cf0c6164 1067 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 1068 return DEFER;
610ff438
JH		 1069#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1070 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1071 state->exp_tls_verify_certificates = NULL;
1072#endif
17c76198 1073 if (state->tls_crl && *state->tls_crl)
cf0c6164 1074 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 1075 return DEFER;
059ec3d9 1076
1365611d
PP		 1077 if (!(state->exp_tls_verify_certificates &&
1078 *state->exp_tls_verify_certificates))
b34fc30c
PP		 1079 {
1080 DEBUG(D_tls)
1365611d
PP		 1081 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1082 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 1083 return OK;
b34fc30c 1084 }
1365611d 1085 }
83e2f8a2
PP		 1086else
1087 {
1088 DEBUG(D_tls)
1089 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1090 return OK;
1091 }
17c76198 1092
cb1d7830
JH		 1093#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1094if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1095 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1096else
1097#endif
1365611d 1098 {
cb1d7830
JH		 1099 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1100 {
1101 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
1102 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1103 strerror(errno));
1104 return DEFER;
1105 }
17c76198 1106
a7fec7a7 1107#ifndef SUPPORT_CA_DIR
cb1d7830
JH		 1108 /* The test suite passes in /dev/null; we could check for that path explicitly,
1109 but who knows if someone has some weird FIFO which always dumps some certs, or
1110 other weirdness. The thing we really want to check is that it's not a
1111 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 1112 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH		 1113 if (S_ISDIR(statbuf.st_mode))
1114 {
1115 DEBUG(D_tls)
1116 debug_printf("verify certificates path is a dir: \"%s\"\n",
1117 state->exp_tls_verify_certificates);
1118 log_write(0, LOG_MAIN|LOG_PANIC,
1119 "tls_verify_certificates \"%s\" is a directory",
1120 state->exp_tls_verify_certificates);
1121 return DEFER;
1122 }
a7fec7a7 1123#endif
059ec3d9 1124
cb1d7830
JH		 1125 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1126 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 1127
cb1d7830
JH		 1128 if (statbuf.st_size == 0)
1129 {
1130 DEBUG(D_tls)
1131 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1132 return OK;
1133 }
059ec3d9 1134
cb1d7830 1135 cert_count =
a7fec7a7
JH		 1136
1137#ifdef SUPPORT_CA_DIR
cb1d7830
JH		 1138 (statbuf.st_mode & S_IFMT) == S_IFDIR
1139 ?
1140 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1141 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1142 :
a7fec7a7 1143#endif
cb1d7830
JH		 1144 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1145 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
12d95aa6
JH		 1146
1147#ifdef SUPPORT_CA_DIR
1148 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1149 when using the directory-of-certs config model. */
1150
1151 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1152 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1153#endif
cb1d7830 1154 }
a7fec7a7 1155
1365611d 1156if (cert_count < 0)
452a164f
JH		 1157 return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
1158DEBUG(D_tls)
1159 debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1160
5c8cda3a
PP		 1161if (state->tls_crl && *state->tls_crl &&
1162 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1163 {
5c8cda3a 1164 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
452a164f
JH		 1165 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1166 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
1167 return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
1168 cert_count, host, errstr);
1169
5c8cda3a 1170 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1171 }
059ec3d9 1172
059ec3d9
PH		 1173return OK;
1174}
1175
1176
1177
1178
1365611d
PP		 1179/*************************************************
1180* Set X.509 state variables *
1181*************************************************/
1182
1183/* In GnuTLS, the registered cert/key are not replaced by a later
1184set of a cert/key, so for SNI support we need a whole new x509_cred
1185structure. Which means various other non-re-expanded pieces of state
1186need to be re-set in the new struct, so the setting logic is pulled
1187out to this.
1188
1189Arguments:
1190 state exim_gnutls_state_st *
cf0c6164 1191 errstr error string pointer
1365611d
PP		 1192
1193Returns: OK/DEFER/FAIL
1194*/
1195
1196static int
cf0c6164 1197tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP		 1198{
1199int rc;
1200const host_item *host = state->host; /* macro should be reconsidered? */
1201
1202/* Create D-H parameters, or read them from the cache file. This function does
1203its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1204client-side params. */
1205
1206if (!state->host)
1207 {
1208 if (!dh_server_params)
452a164f 1209 if ((rc = init_server_dh(errstr)) != OK) return rc;
1365611d
PP		 1210 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1211 }
1212
1213/* Link the credentials to the session. */
1214
452a164f
JH		 1215if ((rc = gnutls_credentials_set(state->session,
1216 GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
1217 return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
1365611d
PP		 1218
1219return OK;
1220}
1221
059ec3d9 1222/*************************************************
17c76198 1223* Initialize for GnuTLS *
059ec3d9
PH		 1224*************************************************/
1225
9196d5bf 1226
4fb7df6d
JH		 1227#ifndef DISABLE_OCSP
1228
9196d5bf
JH		 1229static BOOL
1230tls_is_buggy_ocsp(void)
1231{
1232const uschar * s;
1233uschar maj, mid, mic;
1234
1235s = CUS gnutls_check_version(NULL);
1236maj = atoi(CCS s);
1237if (maj == 3)
1238 {
1239 while (*s && *s != '.') s++;
1240 mid = atoi(CCS ++s);
1241 if (mid <= 2)
1242 return TRUE;
1243 else if (mid >= 5)
1244 return FALSE;
1245 else
1246 {
1247 while (*s && *s != '.') s++;
1248 mic = atoi(CCS ++s);
1249 return mic <= (mid == 3 ? 16 : 3);
1250 }
1251 }
1252return FALSE;
1253}
1254
4fb7df6d 1255#endif
9196d5bf
JH		 1256
1257
17c76198
PP		 1258/* Called from both server and client code. In the case of a server, errors
1259before actual TLS negotiation return DEFER.
059ec3d9
PH		 1260
1261Arguments:
17c76198
PP		 1262 host connected host, if client; NULL if server
1263 certificate certificate file
1264 privatekey private key file
1265 sni TLS SNI to send, sometimes when client; else NULL
1266 cas CA certs file
1267 crl CRL file
1268 require_ciphers tls_require_ciphers setting
817d9f57 1269 caller_state returned state-info structure
cf0c6164 1270 errstr error string pointer
059ec3d9 1271
17c76198 1272Returns: OK/DEFER/FAIL
059ec3d9
PH		 1273*/
1274
17c76198
PP		 1275static int
1276tls_init(
1277 const host_item *host,
1278 const uschar *certificate,
1279 const uschar *privatekey,
1280 const uschar *sni,
1281 const uschar *cas,
1282 const uschar *crl,
1283 const uschar *require_ciphers,
cf0c6164 1284 exim_gnutls_state_st **caller_state,
74f1a423 1285 tls_support * tlsp,
cf0c6164 1286 uschar ** errstr)
059ec3d9 1287{
00c0dd4e 1288exim_gnutls_state_st * state;
17c76198
PP		 1289int rc;
1290size_t sz;
00c0dd4e
JH		 1291const char * errpos;
1292const uschar * p;
17c76198
PP		 1293
1294if (!exim_gnutls_base_init_done)
059ec3d9 1295 {
17c76198
PP		 1296 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1297
a5f239e4
PP		 1298#ifdef HAVE_GNUTLS_PKCS11
1299 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1300 which loads modules from a config file, which sounds good and may be wanted
1301 by some sysadmin, but also means in common configurations that GNOME keyring
1302 environment variables are used and so breaks for users calling mailq.
1303 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1304 if (!gnutls_allow_auto_pkcs11)
452a164f
JH		 1305 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
1306 return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
a5f239e4
PP		 1307#endif
1308
452a164f
JH		 1309 if ((rc = gnutls_global_init()))
1310 return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
17c76198
PP		 1311
1312#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1313 DEBUG(D_tls)
059ec3d9 1314 {
17c76198 1315 gnutls_global_set_log_function(exim_gnutls_logger_cb);
aded2255 1316 /* arbitrarily chosen level; bump up to 9 for more */
17c76198 1317 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1318 }
17c76198
PP		 1319#endif
1320
4fb7df6d
JH		 1321#ifndef DISABLE_OCSP
1322 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1323 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1324#endif
9196d5bf 1325
17c76198 1326 exim_gnutls_base_init_done = TRUE;
059ec3d9 1327 }
059ec3d9 1328
17c76198
PP		 1329if (host)
1330 {
74f1a423
JH		 1331 /* For client-side sessions we allocate a context. This lets us run
1332 several in parallel. */
1333 int old_pool = store_pool;
1334 store_pool = POOL_PERM;
f3ebb786 1335 state = store_get(sizeof(exim_gnutls_state_st), FALSE);
74f1a423
JH		 1336 store_pool = old_pool;
1337
17c76198 1338 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1339 state->tlsp = tlsp;
17c76198
PP		 1340 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1341 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1342 }
1343else
1344 {
1345 state = &state_server;
1346 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1347 state->tlsp = tlsp;
17c76198
PP		 1348 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1349 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1350 }
452a164f
JH		 1351if (rc)
1352 return tls_error_gnu(US"gnutls_init", rc, host, errstr);
059ec3d9 1353
17c76198 1354state->host = host;
059ec3d9 1355
17c76198
PP		 1356state->tls_certificate = certificate;
1357state->tls_privatekey = privatekey;
5779e6aa 1358state->tls_require_ciphers = require_ciphers;
17c76198
PP		 1359state->tls_sni = sni;
1360state->tls_verify_certificates = cas;
1361state->tls_crl = crl;
059ec3d9 1362
17c76198
PP		 1363/* This handles the variables that might get re-expanded after TLS SNI;
1364that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1365
17c76198
PP		 1366DEBUG(D_tls)
1367 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1368if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1369
1365611d
PP		 1370/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1371requires a new structure afterwards. */
83da1223 1372
cf0c6164 1373if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1374
17c76198
PP		 1375/* set SNI in client, only */
1376if (host)
1377 {
cf0c6164 1378 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1379 return DEFER;
0df4ab80 1380 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP		 1381 {
1382 DEBUG(D_tls)
0df4ab80
JH		 1383 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1384 sz = Ustrlen(state->tlsp->sni);
452a164f
JH		 1385 if ((rc = gnutls_server_name_set(state->session,
1386 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
1387 return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
17c76198
PP		 1388 }
1389 }
1390else if (state->tls_sni)
1391 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
ba86e143 1392 "have an SNI set for a server [%s]\n", state->tls_sni);
83da1223 1393
17c76198 1394/* This is the priority string support,
42bfef1e 1395http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP		 1396and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1397This was backwards incompatible, but means Exim no longer needs to track
1398all algorithms and provide string forms for them. */
83da1223 1399
fc243e94 1400p = NULL;
17c76198 1401if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1402 {
cf0c6164 1403 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP		 1404 return DEFER;
1405 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1406 {
17c76198 1407 p = state->exp_tls_require_ciphers;
fc243e94 1408 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
83da1223
PH		 1409 }
1410 }
fc243e94 1411if (!p)
17c76198 1412 {
fc243e94 1413 p = exim_default_gnutls_priority;
83e2f8a2 1414 DEBUG(D_tls)
fc243e94 1415 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
17c76198 1416 }
83da1223 1417
452a164f
JH		 1418if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
1419 return tls_error_gnu(string_sprintf(
1420 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1421 p, errpos - CS p, errpos),
1422 rc, host, errstr);
17c76198 1423
452a164f
JH		 1424if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
1425 return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
17c76198 1426
b10c87b3
JH		 1427/* This also sets the server ticket expiration time to the same, and
1428the STEK rotation time to 3x. */
1429
17c76198
PP		 1430gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1431
1432/* Reduce security in favour of increased compatibility, if the admin
1433decides to make that trade-off. */
1434if (gnutls_compat_mode)
83da1223 1435 {
17c76198
PP		 1436#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1437 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1438 gnutls_session_enable_compatibility_mode(state->session);
1439#else
1440 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1441#endif
83da1223
PH		 1442 }
1443
17c76198 1444*caller_state = state;
17c76198 1445return OK;
83da1223
PH		 1446}
1447
1448
1449
059ec3d9 1450/*************************************************
17c76198 1451* Extract peer information *
059ec3d9
PH		 1452*************************************************/
1453
f1be21cf
JH		 1454static const uschar *
1455cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
1456 gnutls_mac_algorithm_t mac)
1457{
1458uschar cs_id[2];
1459gnutls_kx_algorithm_t kx_i;
1460gnutls_cipher_algorithm_t cipher_i;
1461gnutls_mac_algorithm_t mac_i;
1462
1463for (size_t i = 0;
1464 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
1465 i++)
1466 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
1467 return cipher_stdname(cs_id[0], cs_id[1]);
1468return NULL;
1469}
1470
1471
1472
17c76198 1473/* Called from both server and client code.
4fe99a6c
PP		 1474Only this is allowed to set state->peerdn and state->have_set_peerdn
1475and we use that to detect double-calls.
059ec3d9 1476
75fe387d
PP		 1477NOTE: the state blocks last while the TLS connection is up, which is fine
1478for logging in the server side, but for the client side, we log after teardown
1479in src/deliver.c. While the session is up, we can twist about states and
1480repoint tls_* globals, but those variables used for logging or other variable
1481expansion that happens _after_ delivery need to have a longer life-time.
1482
1483So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1484doing this more than once per generation of a state context. We set them in
1485the state context, and repoint tls_* to them. After the state goes away, the
1486tls_* copies of the pointers remain valid and client delivery logging is happy.
1487
1488tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1489don't apply.
1490
059ec3d9 1491Arguments:
17c76198 1492 state exim_gnutls_state_st *
cf0c6164 1493 errstr pointer to error string
059ec3d9 1494
17c76198 1495Returns: OK/DEFER/FAIL
059ec3d9
PH		 1496*/
1497
17c76198 1498static int
b10c87b3 1499peer_status(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1500{
b10c87b3
JH		 1501gnutls_session_t session = state->session;
1502const gnutls_datum_t * cert_list;
75fe387d 1503int old_pool, rc;
17c76198 1504unsigned int cert_list_size = 0;
4fe99a6c
PP		 1505gnutls_protocol_t protocol;
1506gnutls_cipher_algorithm_t cipher;
1507gnutls_kx_algorithm_t kx;
1508gnutls_mac_algorithm_t mac;
17c76198
PP		 1509gnutls_certificate_type_t ct;
1510gnutls_x509_crt_t crt;
b10c87b3 1511uschar * dn_buf;
17c76198 1512size_t sz;
059ec3d9 1513
4fe99a6c 1514if (state->have_set_peerdn)
17c76198 1515 return OK;
4fe99a6c 1516state->have_set_peerdn = TRUE;
059ec3d9 1517
4fe99a6c 1518state->peerdn = NULL;
059ec3d9 1519
4fe99a6c 1520/* tls_cipher */
b10c87b3
JH		 1521cipher = gnutls_cipher_get(session);
1522protocol = gnutls_protocol_get_version(session);
1523mac = gnutls_mac_get(session);
b9c6f63c
JH		 1524kx =
1525#ifdef GNUTLS_TLS1_3
1526 protocol >= GNUTLS_TLS1_3 ? 0 :
1527#endif
b10c87b3 1528 gnutls_kx_get(session);
4fe99a6c 1529
75fe387d 1530old_pool = store_pool;
f1be21cf 1531 {
b10c87b3 1532 tls_support * tlsp = state->tlsp;
f1be21cf 1533 store_pool = POOL_PERM;
d9acfc1c
JH		 1534
1535#ifdef SUPPORT_GNUTLS_SESS_DESC
1536 {
1537 gstring * g = NULL;
b10c87b3 1538 uschar * s = US gnutls_session_get_desc(session), c;
d9acfc1c
JH		 1539
1540 /* Nikos M suggests we use this by preference. It returns like:
1541 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
1542
1543 For partial back-compat, put a colon after the TLS version, replace the
1544 )-( grouping with __, replace in-group - with _ and append the :keysize. */
1545
1546 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
1547
1548 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
1549 g = string_catn(g, US":", 1);
1550 if (*s) s++; /* now on _ between groups */
1551 while ((c = *s))
1552 {
1553 for (*++s && ++s; (c = *s) && c != ')'; s++) g = string_catn(g, c == '-' ? US"_" : s, 1);
1554 /* now on ) closing group */
1555 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
1556 /* now on _ between groups */
1557 }
1558 g = string_catn(g, US":", 1);
1559 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
1560 state->ciphersuite = string_from_gstring(g);
1561 }
1562#else
f1be21cf
JH		 1563 state->ciphersuite = string_sprintf("%s:%s:%d",
1564 gnutls_protocol_get_name(protocol),
1565 gnutls_cipher_suite_get_name(kx, cipher, mac),
1566 (int) gnutls_cipher_get_key_size(cipher) * 8);
1567
1568 /* I don't see a way that spaces could occur, in the current GnuTLS
1569 code base, but it was a concern in the old code and perhaps older GnuTLS
1570 releases did return "TLS 1.0"; play it safe, just in case. */
1571
1572 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
d9acfc1c
JH		 1573#endif
1574
1575/* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
1576
b10c87b3
JH		 1577 tlsp->cipher = state->ciphersuite;
1578 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
f1be21cf 1579
b10c87b3 1580 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
f1be21cf 1581 }
75fe387d 1582store_pool = old_pool;
4fe99a6c
PP		 1583
1584/* tls_peerdn */
b10c87b3 1585cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
83da1223 1586
f1be21cf 1587if (!cert_list || cert_list_size == 0)
17c76198 1588 {
17c76198
PP		 1589 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1590 cert_list, cert_list_size);
e51c7be2 1591 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1592 return tls_error(US"certificate verification failed",
48224640 1593 US"no certificate received from peer", state->host, errstr);
17c76198
PP		 1594 return OK;
1595 }
059ec3d9 1596
b10c87b3 1597if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
059ec3d9 1598 {
95f52235 1599 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
17c76198
PP		 1600 DEBUG(D_tls)
1601 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1602 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1603 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1604 ctn, state->host, errstr);
17c76198 1605 return OK;
83da1223 1606 }
059ec3d9 1607
e51c7be2
JH		 1608#define exim_gnutls_peer_err(Label) \
1609 do { \
1610 if (rc != GNUTLS_E_SUCCESS) \
1611 { \
1612 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1613 (Label), gnutls_strerror(rc)); \
1614 if (state->verify_requirement >= VERIFY_REQUIRED) \
452a164f 1615 return tls_error_gnu((Label), rc, state->host, errstr); \
e51c7be2
JH		 1616 return OK; \
1617 } \
1618 } while (0)
17c76198 1619
9d1c15ef
JH		 1620rc = import_cert(&cert_list[0], &crt);
1621exim_gnutls_peer_err(US"cert 0");
1622
1623state->tlsp->peercert = state->peercert = crt;
17c76198 1624
17c76198
PP		 1625sz = 0;
1626rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1627if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1628 {
17c76198
PP		 1629 exim_gnutls_peer_err(US"getting size for cert DN failed");
1630 return FAIL; /* should not happen */
059ec3d9 1631 }
f3ebb786 1632dn_buf = store_get_perm(sz, TRUE); /* tainted */
17c76198
PP		 1633rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1634exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1635
17c76198
PP		 1636state->peerdn = dn_buf;
1637
1638return OK;
1639#undef exim_gnutls_peer_err
1640}
059ec3d9 1641
059ec3d9 1642
059ec3d9 1643
059ec3d9 1644
17c76198
PP		 1645/*************************************************
1646* Verify peer certificate *
1647*************************************************/
059ec3d9 1648
17c76198
PP		 1649/* Called from both server and client code.
1650*Should* be using a callback registered with
1651gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1652the peer information, but that's too new for some OSes.
059ec3d9 1653
17c76198 1654Arguments:
899b8bbc
JH		 1655 state exim_gnutls_state_st *
1656 errstr where to put an error message
059ec3d9 1657
17c76198
PP		 1658Returns:
1659 FALSE if the session should be rejected
1660 TRUE if the cert is okay or we just don't care
1661*/
059ec3d9 1662
17c76198 1663static BOOL
28646fa9 1664verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
17c76198
PP		 1665{
1666int rc;
899b8bbc
JH		 1667uint verify;
1668
8008accd 1669DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
cf0c6164 1670*errstr = NULL;
b10c87b3 1671rc = peer_status(state, errstr);
17c76198 1672
b10c87b3
JH		 1673if (state->verify_requirement == VERIFY_NONE)
1674 return TRUE;
1675
1676if (rc != OK || !state->peerdn)
e6060e2c 1677 {
17c76198 1678 verify = GNUTLS_CERT_INVALID;
cf0c6164 1679 *errstr = US"certificate not supplied";
17c76198
PP		 1680 }
1681else
899b8bbc
JH		 1682
1683 {
1684#ifdef SUPPORT_DANE
1685 if (state->verify_requirement == VERIFY_DANE && state->host)
1686 {
1687 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1688 including talking to a DNS resolver. But we want to do that bit ourselves
1689 as the testsuite intercepts and fakes its own DNS environment. */
1690
1691 dane_state_t s;
1692 dane_query_t r;
899b8bbc 1693 uint lsize;
94c13285
JH		 1694 const gnutls_datum_t * certlist =
1695 gnutls_certificate_get_peers(state->session, &lsize);
1696 int usage = tls_out.tlsa_usage;
1697
1698# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1699 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1700 dane-verification separately so that we know which selector verified;
570cb1bd 1701 then we know whether to do name-verification (needed for TA but not EE). */
94c13285
JH		 1702
1703 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
bd5b3f3c 1704 { /* a mixed-usage bundle */
94c13285
JH		 1705 int i, j, nrec;
1706 const char ** dd;
1707 int * ddl;
1708
1709 for(nrec = 0; state->dane_data_len[nrec]; ) nrec++;
1710 nrec++;
1711
f3ebb786
JH		 1712 dd = store_get(nrec * sizeof(uschar *), FALSE);
1713 ddl = store_get(nrec * sizeof(int), FALSE);
94c13285
JH		 1714 nrec--;
1715
1716 if ((rc = dane_state_init(&s, 0)))
1717 goto tlsa_prob;
1718
1719 for (usage = DANESSL_USAGE_DANE_EE;
1720 usage >= DANESSL_USAGE_DANE_TA; usage--)
1721 { /* take records with this usage */
1722 for (j = i = 0; i < nrec; i++)
1723 if (state->dane_data[i][0] == usage)
1724 {
1725 dd[j] = state->dane_data[i];
1726 ddl[j++] = state->dane_data_len[i];
1727 }
1728 if (j)
1729 {
1730 dd[j] = NULL;
1731 ddl[j] = 0;
1732
1733 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1734 goto tlsa_prob;
1735
1736 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1737 gnutls_certificate_type_get(state->session),
1738 r, 0,
1739 usage == DANESSL_USAGE_DANE_EE
1740 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1741 &verify)))
1742 {
1743 DEBUG(D_tls)
1744 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1745 }
1746 else if (verify == 0) /* verification passed */
1747 {
1748 usage = 1 << usage;
1749 break;
1750 }
1751 }
1752 }
899b8bbc 1753
94c13285
JH		 1754 if (rc) goto tlsa_prob;
1755 }
1756 else
1757# endif
899b8bbc 1758 {
94c13285
JH		 1759 if ( (rc = dane_state_init(&s, 0))
1760 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
1761 1, 0))
1762 || (rc = dane_verify_crt_raw(s, certlist, lsize,
1763 gnutls_certificate_type_get(state->session),
5ec37a55 1764 r, 0,
94c13285
JH		 1765# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1766 usage == (1 << DANESSL_USAGE_DANE_EE)
1767 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1768# else
1769 0,
1770# endif
1771 &verify))
1772 )
1773 goto tlsa_prob;
899b8bbc 1774 }
94c13285
JH		 1775
1776 if (verify != 0) /* verification failed */
899b8bbc
JH		 1777 {
1778 gnutls_datum_t str;
1779 (void) dane_verification_status_print(verify, &str, 0);
1780 *errstr = US str.data; /* don't bother to free */
1781 goto badcert;
1782 }
28646fa9 1783
94c13285
JH		 1784# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1785 /* If a TA-mode TLSA record was used for verification we must additionally
570cb1bd 1786 verify the cert name (but not the CA chain). For EE-mode, skip it. */
28646fa9 1787
94c13285
JH		 1788 if (usage & (1 << DANESSL_USAGE_DANE_EE))
1789# endif
28646fa9 1790 {
570cb1bd 1791 state->peer_dane_verified = state->peer_cert_verified = TRUE;
28646fa9
JH		 1792 goto goodcert;
1793 }
570cb1bd
JH		 1794# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1795 /* Assume that the name on the A-record is the one that should be matching
1796 the cert. An alternate view is that the domain part of the email address
1797 is also permissible. */
1798
1799 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
1800 CS state->host->name))
1801 {
1802 state->peer_dane_verified = state->peer_cert_verified = TRUE;
1803 goto goodcert;
1804 }
1805# endif
899b8bbc 1806 }
570cb1bd 1807#endif /*SUPPORT_DANE*/
899b8bbc 1808
17c76198 1809 rc = gnutls_certificate_verify_peers2(state->session, &verify);
899b8bbc 1810 }
e6060e2c 1811
899b8bbc 1812/* Handle the result of verification. INVALID is set if any others are. */
059ec3d9 1813
28646fa9 1814if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
17c76198
PP		 1815 {
1816 state->peer_cert_verified = FALSE;
cf0c6164 1817 if (!*errstr)
184384c3
JH		 1818 {
1819#ifdef GNUTLS_CERT_VFY_STATUS_PRINT
1820 DEBUG(D_tls)
1821 {
1822 gnutls_datum_t txt;
1823
1824 if (gnutls_certificate_verification_status_print(verify,
1825 gnutls_certificate_type_get(state->session), &txt, 0)
1826 == GNUTLS_E_SUCCESS)
1827 {
1828 debug_printf("%s\n", txt.data);
1829 gnutls_free(txt.data);
1830 }
1831 }
1832#endif
cf0c6164
JH		 1833 *errstr = verify & GNUTLS_CERT_REVOKED
1834 ? US"certificate revoked" : US"certificate invalid";
184384c3 1835 }
059ec3d9 1836
17c76198 1837 DEBUG(D_tls)
e51c7be2 1838 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 1839 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 1840
e51c7be2 1841 if (state->verify_requirement >= VERIFY_REQUIRED)
899b8bbc 1842 goto badcert;
17c76198 1843 DEBUG(D_tls)
4789da3a 1844 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 1845 }
e51c7be2 1846
17c76198
PP		 1847else
1848 {
5fd28bb8
JH		 1849 /* Client side, check the server's certificate name versus the name on the
1850 A-record for the connection we made. What to do for server side - what name
1851 to use for client? We document that there is no such checking for server
1852 side. */
1853
1854 if ( state->exp_tls_verify_cert_hostnames
1855 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
1856 CS state->exp_tls_verify_cert_hostnames)
1857 )
e51c7be2 1858 {
5fd28bb8
JH		 1859 DEBUG(D_tls)
1860 debug_printf("TLS certificate verification failed: cert name mismatch\n");
1861 if (state->verify_requirement >= VERIFY_REQUIRED)
1862 goto badcert;
1863 return TRUE;
e51c7be2 1864 }
5fd28bb8 1865
17c76198 1866 state->peer_cert_verified = TRUE;
e51c7be2 1867 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 1868 state->peerdn ? state->peerdn : US"<unset>");
17c76198 1869 }
059ec3d9 1870
28646fa9
JH		 1871goodcert:
1872 state->tlsp->peerdn = state->peerdn;
1873 return TRUE;
899b8bbc 1874
b83314e3 1875#ifdef SUPPORT_DANE
94c13285 1876tlsa_prob:
624f33df
JH		 1877 *errstr = string_sprintf("TLSA record problem: %s",
1878 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
b83314e3
JH		 1879#endif
1880
899b8bbc
JH		 1881badcert:
1882 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1883 return FALSE;
17c76198 1884}
059ec3d9 1885
17c76198
PP		 1886
1887
1888
1889/* ------------------------------------------------------------------------ */
1890/* Callbacks */
1891
1892/* Logging function which can be registered with
1893 * gnutls_global_set_log_function()
1894 * gnutls_global_set_log_level() 0..9
1895 */
af3498d6 1896#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 1897static void
17c76198 1898exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 1899{
8c79eebf
PP		 1900 size_t len = strlen(message);
1901 if (len < 1)
1902 {
1903 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1904 return;
1905 }
1906 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1907 message[len-1] == '\n' ? "" : "\n");
17c76198 1908}
af3498d6 1909#endif
059ec3d9 1910
059ec3d9 1911
17c76198
PP		 1912/* Called after client hello, should handle SNI work.
1913This will always set tls_sni (state->received_sni) if available,
1914and may trigger presenting different certificates,
1915if state->trigger_sni_changes is TRUE.
059ec3d9 1916
17c76198
PP		 1917Should be registered with
1918 gnutls_handshake_set_post_client_hello_function()
059ec3d9 1919
17c76198
PP		 1920"This callback must return 0 on success or a gnutls error code to terminate the
1921handshake.".
059ec3d9 1922
17c76198
PP		 1923For inability to get SNI information, we return 0.
1924We only return non-zero if re-setup failed.
817d9f57 1925Only used for server-side TLS.
17c76198 1926*/
44bbabb5 1927
17c76198
PP		 1928static int
1929exim_sni_handling_cb(gnutls_session_t session)
1930{
1931char sni_name[MAX_HOST_LEN];
1932size_t data_len = MAX_HOST_LEN;
817d9f57 1933exim_gnutls_state_st *state = &state_server;
17c76198
PP		 1934unsigned int sni_type;
1935int rc, old_pool;
cf0c6164 1936uschar * dummy_errstr;
17c76198
PP		 1937
1938rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP		 1939if (rc != GNUTLS_E_SUCCESS)
1940 {
1941 DEBUG(D_tls) {
1942 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1943 debug_printf("TLS: no SNI presented in handshake.\n");
1944 else
1945 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1946 gnutls_strerror(rc), rc);
cf0c6164 1947 }
b34fc30c
PP		 1948 return 0;
1949 }
1950
17c76198
PP		 1951if (sni_type != GNUTLS_NAME_DNS)
1952 {
1953 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1954 return 0;
1955 }
44bbabb5 1956
17c76198
PP		 1957/* We now have a UTF-8 string in sni_name */
1958old_pool = store_pool;
1959store_pool = POOL_PERM;
1960state->received_sni = string_copyn(US sni_name, data_len);
1961store_pool = old_pool;
1962
1963/* We set this one now so that variable expansions below will work */
817d9f57 1964state->tlsp->sni = state->received_sni;
17c76198
PP		 1965
1966DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1967 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1968
1969if (!state->trigger_sni_changes)
1970 return 0;
1971
cf0c6164 1972if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP		 1973 {
1974 /* If the setup of certs/etc failed before handshake, TLS would not have
1975 been offered. The best we can do now is abort. */
1976 return GNUTLS_E_APPLICATION_ERROR_MIN;
1977 }
1978
cf0c6164 1979rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP		 1980if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1981
1982return 0;
059ec3d9
PH		 1983}
1984
1985
1986
f2de3a33 1987#ifndef DISABLE_OCSP
44662487
JH		 1988
1989static int
1990server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1991 gnutls_datum_t * ocsp_response)
1992{
1993int ret;
47195144 1994DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
44662487 1995
44662487
JH		 1996if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1997 {
1998 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
5903c6ff 1999 CS ptr);
018058b2 2000 tls_in.ocsp = OCSP_NOT_RESP;
44662487
JH		 2001 return GNUTLS_E_NO_CERTIFICATE_STATUS;
2002 }
2003
018058b2 2004tls_in.ocsp = OCSP_VFY_NOT_TRIED;
44662487
JH		 2005return 0;
2006}
2007
2008#endif
2009
2010
0cbf2b82 2011#ifndef DISABLE_EVENT
a7538db1
JH		 2012/*
2013We use this callback to get observability and detail-level control
723fe533
JH		 2014for an exim TLS connection (either direction), raising a tls:cert event
2015for each cert in the chain presented by the peer. Any event
a7538db1
JH		 2016can deny verification.
2017
2018Return 0 for the handshake to continue or non-zero to terminate.
2019*/
2020
2021static int
723fe533 2022verify_cb(gnutls_session_t session)
a7538db1 2023{
27f19eb4 2024const gnutls_datum_t * cert_list;
a7538db1
JH		 2025unsigned int cert_list_size = 0;
2026gnutls_x509_crt_t crt;
2027int rc;
b30275b8 2028uschar * yield;
a7538db1
JH		 2029exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2030
bd5b3f3c 2031if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
a7538db1
JH		 2032 while (cert_list_size--)
2033 {
bd5b3f3c 2034 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
a7538db1
JH		 2035 {
2036 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2037 cert_list_size, gnutls_strerror(rc));
2038 break;
2039 }
2040
2041 state->tlsp->peercert = crt;
b30275b8
JH		 2042 if ((yield = event_raise(state->event_action,
2043 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH		 2044 {
2045 log_write(0, LOG_MAIN,
b30275b8
JH		 2046 "SSL verify denied by event-action: depth=%d: %s",
2047 cert_list_size, yield);
a7538db1
JH		 2048 return 1; /* reject */
2049 }
2050 state->tlsp->peercert = NULL;
2051 }
2052
2053return 0;
2054}
2055
2056#endif
44662487
JH		 2057
2058
f20cfa4a
JH		 2059static gstring *
2060ddump(gnutls_datum_t * d)
2061{
2062gstring * g = string_get((d->size+1) * 2);
2063uschar * s = d->data;
2064for (unsigned i = d->size; i > 0; i--, s++)
2065 {
2066 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2067 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2068 }
2069return g;
2070}
17c76198 2071
dc6d1769
JH		 2072static void
2073post_handshake_debug(exim_gnutls_state_st * state)
2074{
dc6d1769
JH		 2075#ifdef SUPPORT_GNUTLS_SESS_DESC
2076debug_printf("%s\n", gnutls_session_get_desc(state->session));
2077#endif
2078#ifdef SUPPORT_GNUTLS_KEYLOG
a8af957d 2079# ifdef GNUTLS_TLS1_3
dc6d1769 2080if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
a8af957d
JH		 2081#else
2082if (TRUE)
2083#endif
dc6d1769
JH		 2084 {
2085 gnutls_datum_t c, s;
2086 gstring * gc, * gs;
2087 /* we only want the client random and the master secret */
2088 gnutls_session_get_random(state->session, &c, &s);
2089 gnutls_session_get_master_secret(state->session, &s);
2090 gc = ddump(&c);
2091 gs = ddump(&s);
2092 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2093 }
2094else
2095 debug_printf("To get keying info for TLS1.3 is hard:\n"
2096 " set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n"
2097 " add SSLKEYLOGFILE to keep_environment in the exim config\n"
2098 " run exim as root\n"
2099 " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n");
2100#endif
2101}
2102
b10c87b3
JH		 2103
2104#ifdef EXPERIMENTAL_TLS_RESUME
2105static int
2106tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2107 unsigned incoming, const gnutls_datum_t * msg)
2108{
2109DEBUG(D_tls) debug_printf("newticket cb\n");
2110tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2111return 0;
2112}
2113
2114static void
2115tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2116{
2117/* Should the server offer session resumption? */
2118tls_in.resumption = RESUME_SUPPORTED;
2119if (verify_check_host(&tls_resumption_hosts) == OK)
2120 {
2121 int rc;
2122 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2123 an offered resumption is unacceptable. We lose one resumption per ticket
2124 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2125 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2126 least they go out in a single packet. */
2127
2128 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2129 &server_sessticket_key)))
2130 tls_in.resumption |= RESUME_SERVER_TICKET;
2131 else
2132 DEBUG(D_tls)
2133 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2134
2135 /* Try to tell if we see a ticket request */
2136 gnutls_handshake_set_hook_function(state->session,
2137 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_server_ticket_cb);
2138 }
2139}
2140
2141static void
2142tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2143{
2144if (gnutls_session_resumption_requested(state->session))
2145 {
2146 /* This tells us the client sent a full ticket. We use a
2147 callback on session-ticket request, elsewhere, to tell
2148 if a client asked for a ticket. */
2149
2150 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2151 DEBUG(D_tls) debug_printf("client requested resumption\n");
2152 }
2153if (gnutls_session_is_resumed(state->session))
2154 {
2155 tls_in.resumption |= RESUME_USED;
2156 DEBUG(D_tls) debug_printf("Session resumed\n");
2157 }
2158}
2159#endif
17c76198
PP		 2160/* ------------------------------------------------------------------------ */
2161/* Exported functions */
2162
2163
2164
2165
059ec3d9
PH		 2166/*************************************************
2167* Start a TLS session in a server *
2168*************************************************/
2169
2170/* This is called when Exim is running as a server, after having received
2171the STARTTLS command. It must respond to that command, and then negotiate
2172a TLS session.
2173
2174Arguments:
83da1223 2175 require_ciphers list of allowed ciphers or NULL
cf0c6164 2176 errstr pointer to error string
059ec3d9
PH		 2177
2178Returns: OK on success
2179 DEFER for errors before the start of the negotiation
4c04137d 2180 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 2181 continue running.
2182*/
2183
2184int
cf0c6164 2185tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 2186{
2187int rc;
cf0c6164 2188exim_gnutls_state_st * state = NULL;
059ec3d9
PH		 2189
2190/* Check for previous activation */
74f1a423 2191if (tls_in.active.sock >= 0)
059ec3d9 2192 {
48224640 2193 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
925ac8e4 2194 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 2195 return FAIL;
2196 }
2197
2198/* Initialize the library. If it fails, it will already have logged the error
2199and sent an SMTP response. */
2200
17c76198 2201DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 2202
cf0c6164 2203if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
17c76198 2204 NULL, tls_verify_certificates, tls_crl,
74f1a423 2205 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
059ec3d9 2206
b10c87b3
JH		 2207#ifdef EXPERIMENTAL_TLS_RESUME
2208tls_server_resume_prehandshake(state);
2209#endif
2210
059ec3d9
PH		 2211/* If this is a host for which certificate verification is mandatory or
2212optional, set up appropriately. */
2213
059ec3d9 2214if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 2215 {
e51c7be2
JH		 2216 DEBUG(D_tls)
2217 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP		 2218 state->verify_requirement = VERIFY_REQUIRED;
2219 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2220 }
059ec3d9 2221else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 2222 {
e51c7be2
JH		 2223 DEBUG(D_tls)
2224 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP		 2225 state->verify_requirement = VERIFY_OPTIONAL;
2226 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2227 }
2228else
2229 {
e51c7be2
JH		 2230 DEBUG(D_tls)
2231 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP		 2232 state->verify_requirement = VERIFY_NONE;
2233 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2234 }
059ec3d9 2235
0cbf2b82 2236#ifndef DISABLE_EVENT
723fe533
JH		 2237if (event_action)
2238 {
2239 state->event_action = event_action;
2240 gnutls_session_set_ptr(state->session, state);
2241 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2242 }
2243#endif
2244
17c76198
PP		 2245/* Register SNI handling; always, even if not in tls_certificate, so that the
2246expansion variable $tls_sni is always available. */
059ec3d9 2247
17c76198
PP		 2248gnutls_handshake_set_post_client_hello_function(state->session,
2249 exim_sni_handling_cb);
059ec3d9
PH		 2250
2251/* Set context and tell client to go ahead, except in the case of TLS startup
2252on connection, where outputting anything now upsets the clients and tends to
2253make them disconnect. We need to have an explicit fflush() here, to force out
2254the response. Other smtp_printf() calls do not need it, because in non-TLS
2255mode, the fflush() happens when smtp_getc() is called. */
2256
817d9f57 2257if (!state->tlsp->on_connect)
059ec3d9 2258 {
925ac8e4 2259 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 2260 fflush(smtp_out);
059ec3d9
PH		 2261 }
2262
2263/* Now negotiate the TLS session. We put our own timer on it, since it seems
8008accd
JH		 2264that the GnuTLS library doesn't.
2265From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2266to set (and clear down afterwards) up a pull-timeout callback function that does
2267a select, so we're no better off unless avoiding signals becomes an issue. */
059ec3d9 2268
17c76198 2269gnutls_transport_set_ptr2(state->session,
27f19eb4
JH		 2270 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2271 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP		 2272state->fd_in = fileno(smtp_in);
2273state->fd_out = fileno(smtp_out);
059ec3d9
PH		 2274
2275sigalrm_seen = FALSE;
c2a1bba0 2276if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
17c76198 2277do
17c76198 2278 rc = gnutls_handshake(state->session);
157a7880 2279while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2280ALARM_CLR(0);
059ec3d9 2281
17c76198 2282if (rc != GNUTLS_E_SUCCESS)
059ec3d9 2283 {
059ec3d9
PH		 2284 /* It seems that, except in the case of a timeout, we have to close the
2285 connection right here; otherwise if the other end is running OpenSSL it hangs
2286 until the server times out. */
2287
60d10ce7 2288 if (sigalrm_seen)
ad7fc6eb 2289 {
48224640 2290 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
ad7fc6eb
JH		 2291 gnutls_db_remove_session(state->session);
2292 }
60d10ce7 2293 else
059ec3d9 2294 {
452a164f 2295 tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
f5d25c2b 2296 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 2297 gnutls_deinit(state->session);
ed62aae3 2298 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 2299 millisleep(500);
ad7fc6eb 2300 shutdown(state->fd_out, SHUT_WR);
d7978c0f 2301 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
f1e894f3
PH		 2302 (void)fclose(smtp_out);
2303 (void)fclose(smtp_in);
60d10ce7 2304 smtp_out = smtp_in = NULL;
059ec3d9
PH		 2305 }
2306
2307 return FAIL;
2308 }
2309
b10c87b3
JH		 2310#ifdef EXPERIMENTAL_TLS_RESUME
2311tls_server_resume_posthandshake(state);
2312#endif
2313
dc6d1769 2314DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2315
17c76198
PP		 2316/* Verify after the fact */
2317
899b8bbc 2318if (!verify_certificate(state, errstr))
059ec3d9 2319 {
9d1c15ef 2320 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 2321 {
cf0c6164 2322 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 2323 return FAIL;
17c76198 2324 }
9d1c15ef
JH		 2325 DEBUG(D_tls)
2326 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 2327 *errstr);
059ec3d9
PH		 2328 }
2329
17c76198
PP		 2330/* Sets various Exim expansion variables; always safe within server */
2331
9d1c15ef 2332extract_exim_vars_from_tls_state(state);
059ec3d9
PH		 2333
2334/* TLS has been set up. Adjust the input functions to read via TLS,
2335and initialize appropriately. */
2336
17c76198 2337state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH		 2338
2339receive_getc = tls_getc;
0d81dabc 2340receive_getbuf = tls_getbuf;
584e96c6 2341receive_get_cache = tls_get_cache;
059ec3d9
PH		 2342receive_ungetc = tls_ungetc;
2343receive_feof = tls_feof;
2344receive_ferror = tls_ferror;
58eb016e 2345receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2346
059ec3d9
PH		 2347return OK;
2348}
2349
2350
2351
2352
aa2a70ba
JH		 2353static void
2354tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2355 smtp_transport_options_block * ob)
2356{
3fb3231c 2357if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 2358 {
4af0d74a 2359 state->exp_tls_verify_cert_hostnames =
8c5d388a 2360#ifdef SUPPORT_I18N
4af0d74a
JH		 2361 string_domain_utf8_to_alabel(host->name, NULL);
2362#else
2363 host->name;
2364#endif
aa2a70ba
JH		 2365 DEBUG(D_tls)
2366 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2367 state->exp_tls_verify_cert_hostnames);
2368 }
2369}
aa2a70ba
JH		 2370
2371
899b8bbc
JH		 2372
2373
2374#ifdef SUPPORT_DANE
2375/* Given our list of RRs from the TLSA lookup, build a lookup block in
2376GnuTLS-DANE's preferred format. Hang it on the state str for later
2377use in DANE verification.
2378
2379We point at the dnsa data not copy it, so it must remain valid until
2380after verification is done.*/
2381
3674140c 2382static BOOL
899b8bbc
JH		 2383dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2384{
899b8bbc
JH		 2385dns_scan dnss;
2386int i;
2387const char ** dane_data;
2388int * dane_data_len;
2389
d7978c0f
JH		 2390i = 1;
2391for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc
JH		 2392 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2393 ) if (rr->type == T_TLSA) i++;
2394
f3ebb786
JH		 2395dane_data = store_get(i * sizeof(uschar *), FALSE);
2396dane_data_len = store_get(i * sizeof(int), FALSE);
899b8bbc 2397
d7978c0f
JH		 2398i = 0;
2399for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc 2400 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2401 ) if (rr->type == T_TLSA && rr->size > 3)
899b8bbc
JH		 2402 {
2403 const uschar * p = rr->data;
f3ebb786 2404/*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
3674140c
JH		 2405 uint8_t usage = p[0], sel = p[1], type = p[2];
2406
2407 DEBUG(D_tls)
2408 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2409
94c13285
JH		 2410 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2411 || (sel != 0 && sel != 1)
2412 )
2413 continue;
3674140c
JH		 2414 switch(type)
2415 {
2416 case 0: /* Full: cannot check at present */
2417 break;
2418 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2419 break;
2420 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2421 break;
2422 default: continue;
2423 }
899b8bbc
JH		 2424
2425 tls_out.tlsa_usage |= 1<<usage;
48224640 2426 dane_data[i] = CS p;
899b8bbc
JH		 2427 dane_data_len[i++] = rr->size;
2428 }
3674140c
JH		 2429
2430if (!i) return FALSE;
2431
899b8bbc
JH		 2432dane_data[i] = NULL;
2433dane_data_len[i] = 0;
2434
2435state->dane_data = (char * const *)dane_data;
2436state->dane_data_len = dane_data_len;
3674140c 2437return TRUE;
899b8bbc
JH		 2438}
2439#endif
2440
2441
2442
b10c87b3
JH		 2443#ifdef EXPERIMENTAL_TLS_RESUME
2444/* On the client, get any stashed session for the given IP from hints db
2445and apply it to the ssl-connection for attempted resumption. Although
2446there is a gnutls_session_ticket_enable_client() interface it is
2447documented as unnecessary (as of 3.6.7) as "session tickets are emabled
2448by deafult". There seems to be no way to disable them, so even hosts not
2449enabled by the transport option will be sent a ticket request. We will
2450however avoid storing and retrieving session information. */
2451
2452static void
2453tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
2454 host_item * host, smtp_transport_options_block * ob)
2455{
2456tlsp->resumption = RESUME_SUPPORTED;
2457if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2458 {
2459 dbdata_tls_session * dt;
2460 int len, rc;
2461 open_db dbblock, * dbm_file;
2462
2463 DEBUG(D_tls)
2464 debug_printf("check for resumable session for %s\n", host->address);
2465 tlsp->host_resumable = TRUE;
2466 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2467 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2468 {
dea4b568
JH		 2469 /* Key for the db is the IP. We'd like to filter the retrieved session
2470 for ticket advisory expiry, but 3.6.1 seems to give no access to that */
2471
b10c87b3
JH		 2472 if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
2473 if (!(rc = gnutls_session_set_data(session,
2474 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
2475 {
2476 DEBUG(D_tls) debug_printf("good session\n");
2477 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2478 }
2479 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
2480 US gnutls_strerror(rc));
2481 dbfn_close(dbm_file);
2482 }
2483 }
2484}
2485
2486
2487static void
2488tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
2489{
2490/* TLS 1.2 - we get both the callback and the direct posthandshake call,
2491but this flag is not set until the second. TLS 1.3 it's the other way about.
2492Keep both calls as the session data cannot be extracted before handshake
2493completes. */
2494
2495if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
2496 {
2497 gnutls_datum_t tkt;
2498 int rc;
2499
2500 DEBUG(D_tls) debug_printf("server offered session ticket\n");
2501 tlsp->ticket_received = TRUE;
2502 tlsp->resumption |= RESUME_SERVER_TICKET;
2503
2504 if (tlsp->host_resumable)
2505 if (!(rc = gnutls_session_get_data2(session, &tkt)))
2506 {
2507 open_db dbblock, * dbm_file;
2508 int dlen = sizeof(dbdata_tls_session) + tkt.size;
f3ebb786 2509 dbdata_tls_session * dt = store_get(dlen, TRUE);
b10c87b3
JH		 2510
2511 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
2512 memcpy(dt->session, tkt.data, tkt.size);
2513 gnutls_free(tkt.data);
2514
2515 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2516 {
2517 /* key for the db is the IP */
2518 dbfn_delete(dbm_file, host->address);
2519 dbfn_write(dbm_file, host->address, dt, dlen);
2520 dbfn_close(dbm_file);
2521
2522 DEBUG(D_tls)
2523 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
2524 }
2525 }
2526 else DEBUG(D_tls)
2527 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
2528 }
2529}
2530
2531
2532/* With a TLS1.3 session, the ticket(s) are not seen until
2533the first data read is attempted. And there's often two of them.
2534Pick them up with this callback. We are also called for 1.2
2535but we do nothing.
2536*/
2537static int
2538tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2539 unsigned incoming, const gnutls_datum_t * msg)
2540{
2541exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
2542tls_support * tlsp = state->tlsp;
2543
2544DEBUG(D_tls) debug_printf("newticket cb\n");
2545
2546if (!tlsp->ticket_received)
2547 tls_save_session(tlsp, sess, state->host);
2548return 0;
2549}
2550
2551
2552static void
2553tls_client_resume_prehandshake(exim_gnutls_state_st * state,
2554 tls_support * tlsp, host_item * host,
2555 smtp_transport_options_block * ob)
2556{
2557gnutls_session_set_ptr(state->session, state);
2558gnutls_handshake_set_hook_function(state->session,
2559 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
2560
2561tls_retrieve_session(tlsp, state->session, host, ob);
2562}
2563
2564static void
2565tls_client_resume_posthandshake(exim_gnutls_state_st * state,
2566 tls_support * tlsp, host_item * host)
2567{
2568if (gnutls_session_is_resumed(state->session))
2569 {
2570 DEBUG(D_tls) debug_printf("Session resumed\n");
2571 tlsp->resumption |= RESUME_USED;
2572 }
2573
2574tls_save_session(tlsp, state->session, host);
2575}
2576#endif /* EXPERIMENTAL_TLS_RESUME */
2577
2578
059ec3d9
PH		 2579/*************************************************
2580* Start a TLS session in a client *
2581*************************************************/
2582
2583/* Called from the smtp transport after STARTTLS has been accepted.
2584
2585Arguments:
c05bdbd6
JH		 2586 cctx connection context
2587 conn_args connection details
2588 cookie datum for randomness (not used)
2589 tlsp record details of channel configuration here; must be non-NULL
2590 errstr error string pointer
2591
2592Returns: TRUE for success with TLS session context set in smtp context,
2593 FALSE on error
059ec3d9
PH		 2594*/
2595
c05bdbd6
JH		 2596BOOL
2597tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2598 void * cookie ARG_UNUSED,
2599 tls_support * tlsp, uschar ** errstr)
059ec3d9 2600{
c05bdbd6
JH		 2601host_item * host = conn_args->host; /* for msgs and option-tests */
2602transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2603smtp_transport_options_block * ob = tb
afdb5e9c
JH		 2604 ? (smtp_transport_options_block *)tb->options_block
2605 : &smtp_transport_option_defaults;
059ec3d9 2606int rc;
899b8bbc 2607exim_gnutls_state_st * state = NULL;
c05bdbd6 2608uschar * cipher_list = NULL;
74f1a423 2609
f2de3a33 2610#ifndef DISABLE_OCSP
5130845b 2611BOOL require_ocsp =
3fb3231c 2612 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
44662487 2613BOOL request_ocsp = require_ocsp ? TRUE
3fb3231c 2614 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2b4a568d 2615#endif
059ec3d9 2616
c05bdbd6 2617DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
059ec3d9 2618
5ec37a55 2619#ifdef SUPPORT_DANE
c05bdbd6
JH		 2620/* If dane is flagged, have either request or require dane for this host, and
2621a TLSA record found. Therefore, dane verify required. Which implies cert must
2622be requested and supplied, dane verify must pass, and cert verify irrelevant
2623(incl. hostnames), and (caller handled) require_tls */
2624
2625if (conn_args->dane && ob->dane_require_tls_ciphers)
5ec37a55
PP		 2626 {
2627 /* not using expand_check_tlsvar because not yet in state */
2628 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2629 &cipher_list, errstr))
c05bdbd6 2630 return FALSE;
cf260049
JH		 2631 cipher_list = cipher_list && *cipher_list
2632 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
5ec37a55
PP		 2633 }
2634#endif
2635
2636if (!cipher_list)
2637 cipher_list = ob->tls_require_ciphers;
2638
74f1a423 2639if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
65867078 2640 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
74f1a423 2641 cipher_list, &state, tlsp, errstr) != OK)
c05bdbd6 2642 return FALSE;
059ec3d9 2643
54c90be1 2644 {
65867078
JH		 2645 int dh_min_bits = ob->tls_dh_min_bits;
2646 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2647 {
2648 DEBUG(D_tls)
2649 debug_printf("WARNING: tls_dh_min_bits far too low,"
2650 " clamping %d up to %d\n",
2651 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2652 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2653 }
54c90be1 2654
65867078
JH		 2655 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2656 " acceptable bits to %d\n",
2657 dh_min_bits);
2658 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2659 }
83da1223 2660
94431adb 2661/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH		 2662set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2663the specified host patterns if one of them is defined */
2664
899b8bbc 2665#ifdef SUPPORT_DANE
c05bdbd6 2666if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
899b8bbc
JH		 2667 {
2668 DEBUG(D_tls)
2669 debug_printf("TLS: server certificate DANE required.\n");
2670 state->verify_requirement = VERIFY_DANE;
2671 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
899b8bbc
JH		 2672 }
2673else
2674#endif
2675 if ( ( state->exp_tls_verify_certificates
2676 && !ob->tls_verify_hosts
2677 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2678 )
3fb3231c 2679 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
899b8bbc 2680 )
17c76198 2681 {
aa2a70ba 2682 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH		 2683 DEBUG(D_tls)
2684 debug_printf("TLS: server certificate verification required.\n");
2685 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB		 2686 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2687 }
3fb3231c 2688else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
52f93eed 2689 {
aa2a70ba 2690 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH		 2691 DEBUG(D_tls)
2692 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2693 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP		 2694 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2695 }
2696else
2697 {
e51c7be2
JH		 2698 DEBUG(D_tls)
2699 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB		 2700 state->verify_requirement = VERIFY_NONE;
2701 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2702 }
059ec3d9 2703
f2de3a33
JH		 2704#ifndef DISABLE_OCSP
2705 /* supported since GnuTLS 3.1.3 */
44662487 2706if (request_ocsp)
9d1c15ef
JH		 2707 {
2708 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH		 2709 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2710 NULL, 0, NULL)) != OK)
74f1a423 2711 {
452a164f 2712 tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
c05bdbd6 2713 return FALSE;
74f1a423
JH		 2714 }
2715 tlsp->ocsp = OCSP_NOT_RESP;
9d1c15ef 2716 }
2b4a568d
JH		 2717#endif
2718
b10c87b3
JH		 2719#ifdef EXPERIMENTAL_TLS_RESUME
2720tls_client_resume_prehandshake(state, tlsp, host, ob);
2721#endif
2722
0cbf2b82 2723#ifndef DISABLE_EVENT
afdb5e9c 2724if (tb && tb->event_action)
a7538db1 2725 {
774ef2d7 2726 state->event_action = tb->event_action;
a7538db1 2727 gnutls_session_set_ptr(state->session, state);
723fe533 2728 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH		 2729 }
2730#endif
2731
c05bdbd6
JH		 2732gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
2733state->fd_in = cctx->sock;
2734state->fd_out = cctx->sock;
059ec3d9 2735
9d1c15ef 2736DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH		 2737/* There doesn't seem to be a built-in timeout on connection. */
2738
2739sigalrm_seen = FALSE;
c2a1bba0 2740ALARM(ob->command_timeout);
17c76198 2741do
17c76198 2742 rc = gnutls_handshake(state->session);
f1fed05b 2743while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2744ALARM_CLR(0);
059ec3d9 2745
4fe99a6c 2746if (rc != GNUTLS_E_SUCCESS)
74f1a423 2747 {
60d10ce7
JH		 2748 if (sigalrm_seen)
2749 {
2750 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
48224640 2751 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
60d10ce7
JH		 2752 }
2753 else
452a164f 2754 tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
c05bdbd6 2755 return FALSE;
74f1a423 2756 }
4fe99a6c 2757
dc6d1769 2758DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2759
17c76198 2760/* Verify late */
059ec3d9 2761
899b8bbc 2762if (!verify_certificate(state, errstr))
74f1a423
JH		 2763 {
2764 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
c05bdbd6 2765 return FALSE;
74f1a423 2766 }
059ec3d9 2767
f2de3a33 2768#ifndef DISABLE_OCSP
7a501c87 2769if (request_ocsp)
2b4a568d
JH		 2770 {
2771 DEBUG(D_tls)
2772 {
2773 gnutls_datum_t stapling;
2774 gnutls_ocsp_resp_t resp;
2775 gnutls_datum_t printed;
2776 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
2777 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
2778 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2779 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
2780 )
2781 {
65867078 2782 debug_printf("%.4096s", printed.data);
2b4a568d
JH		 2783 gnutls_free(printed.data);
2784 }
2785 else
452a164f 2786 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2b4a568d
JH		 2787 }
2788
2b4a568d 2789 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2 2790 {
74f1a423
JH		 2791 tlsp->ocsp = OCSP_FAILED;
2792 tls_error(US"certificate status check failed", NULL, state->host, errstr);
7a501c87
JH		 2793 if (require_ocsp)
2794 return FALSE;
2795 }
2796 else
2797 {
2798 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
2799 tlsp->ocsp = OCSP_VFIED;
018058b2 2800 }
2b4a568d
JH		 2801 }
2802#endif
2803
b10c87b3
JH		 2804#ifdef EXPERIMENTAL_TLS_RESUME
2805tls_client_resume_posthandshake(state, tlsp, host);
2806#endif
059ec3d9 2807
4fe99a6c 2808/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 2809
9d1c15ef 2810extract_exim_vars_from_tls_state(state);
059ec3d9 2811
c05bdbd6
JH		 2812cctx->tls_ctx = state;
2813return TRUE;
059ec3d9
PH		 2814}
2815
2816
2817
17c76198 2818
059ec3d9 2819/*************************************************
17c76198 2820* Close down a TLS session *
059ec3d9
PH		 2821*************************************************/
2822
17c76198
PP		 2823/* This is also called from within a delivery subprocess forked from the
2824daemon, to shut down the TLS library, without actually doing a shutdown (which
2825would tamper with the TLS session in the parent process).
059ec3d9 2826
dec766a1 2827Arguments:
74f1a423 2828 ct_ctx client context pointer, or NULL for the one global server context
dec766a1 2829 shutdown 1 if TLS close-alert is to be sent,
afdb5e9c 2830 2 if also response to be waited for
dec766a1 2831
17c76198 2832Returns: nothing
059ec3d9
PH		 2833*/
2834
17c76198 2835void
74f1a423 2836tls_close(void * ct_ctx, int shutdown)
059ec3d9 2837{
74f1a423 2838exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
059ec3d9 2839
74f1a423 2840if (!state->tlsp || state->tlsp->active.sock < 0) return; /* TLS was not active */
17c76198
PP		 2841
2842if (shutdown)
2843 {
dec766a1
WB		 2844 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
2845 shutdown > 1 ? " (with response-wait)" : "");
2846
c2a1bba0 2847 ALARM(2);
dec766a1 2848 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
c2a1bba0 2849 ALARM_CLR(0);
17c76198
PP		 2850 }
2851
2852gnutls_deinit(state->session);
ed62aae3
HSHR		 2853gnutls_certificate_free_credentials(state->x509_cred);
2854
17c76198 2855
74f1a423
JH		 2856state->tlsp->active.sock = -1;
2857state->tlsp->active.tls_ctx = NULL;
b808677c 2858if (state->xfer_buffer) store_free(state->xfer_buffer);
17c76198 2859memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
059ec3d9
PH		 2860}
2861
2862
2863
17c76198 2864
0d81dabc
JH		 2865static BOOL
2866tls_refill(unsigned lim)
2867{
2868exim_gnutls_state_st * state = &state_server;
2869ssize_t inbytes;
2870
2871DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2872 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
2873
f1fed05b 2874sigalrm_seen = FALSE;
c2a1bba0 2875if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
4896a319
AM		 2876
2877do
2878 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
2879 MIN(ssl_xfer_buffer_size, lim));
2880while (inbytes == GNUTLS_E_AGAIN);
2881
c2a1bba0 2882if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH		 2883
2884if (had_command_timeout) /* set by signal handler */
2885 smtp_command_timeout_exit(); /* does not return */
2886if (had_command_sigterm)
2887 smtp_command_sigterm_exit();
2888if (had_data_timeout)
2889 smtp_data_timeout_exit();
2890if (had_data_sigint)
2891 smtp_data_sigint_exit();
2892
2893/* Timeouts do not get this far. A zero-byte return appears to mean that the
2894TLS session has been closed down, not that the socket itself has been closed
2895down. Revert to non-TLS handling. */
0d81dabc
JH		 2896
2897if (sigalrm_seen)
2898 {
2899 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
8b77d27a 2900 state->xfer_error = TRUE;
0d81dabc
JH		 2901 return FALSE;
2902 }
2903
2904else if (inbytes == 0)
2905 {
2906 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2907
2908 receive_getc = smtp_getc;
2909 receive_getbuf = smtp_getbuf;
2910 receive_get_cache = smtp_get_cache;
2911 receive_ungetc = smtp_ungetc;
2912 receive_feof = smtp_feof;
2913 receive_ferror = smtp_ferror;
2914 receive_smtp_buffered = smtp_buffered;
2915
2916 gnutls_deinit(state->session);
2917 gnutls_certificate_free_credentials(state->x509_cred);
2918
2919 state->session = NULL;
74f1a423
JH		 2920 state->tlsp->active.sock = -1;
2921 state->tlsp->active.tls_ctx = NULL;
0d81dabc
JH		 2922 state->tlsp->bits = 0;
2923 state->tlsp->certificate_verified = FALSE;
2924 tls_channelbinding_b64 = NULL;
2925 state->tlsp->cipher = NULL;
2926 state->tlsp->peercert = NULL;
2927 state->tlsp->peerdn = NULL;
2928
2929 return FALSE;
2930 }
2931
2932/* Handle genuine errors */
2933
2934else if (inbytes < 0)
2935 {
95f52235 2936 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
0d81dabc 2937 record_io_error(state, (int) inbytes, US"recv", NULL);
8b77d27a 2938 state->xfer_error = TRUE;
0d81dabc
JH		 2939 return FALSE;
2940 }
2941#ifndef DISABLE_DKIM
2942dkim_exim_verify_feed(state->xfer_buffer, inbytes);
2943#endif
2944state->xfer_buffer_hwm = (int) inbytes;
2945state->xfer_buffer_lwm = 0;
2946return TRUE;
2947}
2948
059ec3d9
PH		 2949/*************************************************
2950* TLS version of getc *
2951*************************************************/
2952
2953/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2954it refills the buffer via the GnuTLS reading function.
817d9f57 2955Only used by the server-side TLS.
059ec3d9 2956
17c76198
PP		 2957This feeds DKIM and should be used for all message-body reads.
2958
aded2255 2959Arguments: lim Maximum amount to read/buffer
059ec3d9
PH		 2960Returns: the next character or EOF
2961*/
2962
2963int
bd8fbe36 2964tls_getc(unsigned lim)
059ec3d9 2965{
0d81dabc 2966exim_gnutls_state_st * state = &state_server;
059ec3d9 2967
0d81dabc
JH		 2968if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2969 if (!tls_refill(lim))
2970 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 2971
0d81dabc 2972/* Something in the buffer; return next uschar */
059ec3d9 2973
0d81dabc
JH		 2974return state->xfer_buffer[state->xfer_buffer_lwm++];
2975}
059ec3d9 2976
0d81dabc
JH		 2977uschar *
2978tls_getbuf(unsigned * len)
2979{
2980exim_gnutls_state_st * state = &state_server;
2981unsigned size;
2982uschar * buf;
059ec3d9 2983
0d81dabc
JH		 2984if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2985 if (!tls_refill(*len))
059ec3d9 2986 {
0d81dabc
JH		 2987 if (!state->xfer_error) return smtp_getbuf(len);
2988 *len = 0;
2989 return NULL;
059ec3d9 2990 }
059ec3d9 2991
0d81dabc
JH		 2992if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
2993 size = *len;
2994buf = &state->xfer_buffer[state->xfer_buffer_lwm];
2995state->xfer_buffer_lwm += size;
2996*len = size;
2997return buf;
059ec3d9
PH		 2998}
2999
0d81dabc 3000
584e96c6
JH		 3001void
3002tls_get_cache()
3003{
9960d1e5 3004#ifndef DISABLE_DKIM
584e96c6
JH		 3005exim_gnutls_state_st * state = &state_server;
3006int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3007if (n > 0)
3008 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 3009#endif
9960d1e5 3010}
584e96c6 3011
059ec3d9 3012
925ac8e4
JH		 3013BOOL
3014tls_could_read(void)
3015{
3016return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3017 || gnutls_record_check_pending(state_server.session) > 0;
3018}
3019
3020
059ec3d9 3021
17c76198 3022
059ec3d9
PH		 3023/*************************************************
3024* Read bytes from TLS channel *
3025*************************************************/
3026
17c76198
PP		 3027/* This does not feed DKIM, so if the caller uses this for reading message body,
3028then the caller must feed DKIM.
817d9f57 3029
059ec3d9 3030Arguments:
74f1a423 3031 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3032 buff buffer of data
3033 len size of buffer
3034
3035Returns: the number of bytes read
afdb5e9c 3036 -1 after a failed read, including EOF
059ec3d9
PH		 3037*/
3038
3039int
74f1a423 3040tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 3041{
74f1a423 3042exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
17c76198 3043ssize_t inbytes;
059ec3d9 3044
17c76198
PP		 3045if (len > INT_MAX)
3046 len = INT_MAX;
059ec3d9 3047
17c76198
PP		 3048if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3049 DEBUG(D_tls)
3050 debug_printf("*** PROBABLY A BUG *** " \
3051 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3052 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3053
3054DEBUG(D_tls)
3055 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
3056 state->session, buff, len);
3057
4896a319
AM		 3058do
3059 inbytes = gnutls_record_recv(state->session, buff, len);
3060while (inbytes == GNUTLS_E_AGAIN);
3061
059ec3d9
PH		 3062if (inbytes > 0) return inbytes;
3063if (inbytes == 0)
3064 {
3065 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3066 }
5fd28bb8 3067else
4896a319 3068 {
95f52235 3069 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
4896a319
AM		 3070 record_io_error(state, (int)inbytes, US"recv", NULL);
3071 }
059ec3d9
PH		 3072
3073return -1;
3074}
3075
3076
3077
17c76198 3078
059ec3d9
PH		 3079/*************************************************
3080* Write bytes down TLS channel *
3081*************************************************/
3082
3083/*
3084Arguments:
74f1a423 3085 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3086 buff buffer of data
3087 len number of bytes
925ac8e4 3088 more more data expected soon
059ec3d9
PH		 3089
3090Returns: the number of bytes after a successful write,
3091 -1 after a failed write
3092*/
3093
3094int
74f1a423 3095tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
059ec3d9 3096{
17c76198
PP		 3097ssize_t outbytes;
3098size_t left = len;
74f1a423 3099exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
925ac8e4
JH		 3100#ifdef SUPPORT_CORK
3101static BOOL corked = FALSE;
3102
3103if (more && !corked) gnutls_record_cork(state->session);
3104#endif
3105
3106DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
3107 buff, left, more ? ", more" : "");
059ec3d9 3108
059ec3d9
PH		 3109while (left > 0)
3110 {
17c76198
PP		 3111 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
3112 buff, left);
4896a319
AM		 3113
3114 do
3115 outbytes = gnutls_record_send(state->session, buff, left);
3116 while (outbytes == GNUTLS_E_AGAIN);
059ec3d9 3117
17c76198 3118 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH		 3119 if (outbytes < 0)
3120 {
1b76ad22 3121 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
17c76198 3122 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH		 3123 return -1;
3124 }
3125 if (outbytes == 0)
3126 {
17c76198 3127 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH		 3128 return -1;
3129 }
3130
3131 left -= outbytes;
3132 buff += outbytes;
3133 }
3134
17c76198
PP		 3135if (len > INT_MAX)
3136 {
3137 DEBUG(D_tls)
3138 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
3139 len);
3140 len = INT_MAX;
3141 }
3142
925ac8e4
JH		 3143#ifdef SUPPORT_CORK
3144if (more != corked)
3145 {
3146 if (!more) (void) gnutls_record_uncork(state->session, 0);
3147 corked = more;
3148 }
3149#endif
3150
17c76198 3151return (int) len;
059ec3d9
PH		 3152}
3153
3154
3155
17c76198 3156
059ec3d9 3157/*************************************************
17c76198 3158* Random number generation *
059ec3d9
PH		 3159*************************************************/
3160
17c76198
PP		 3161/* Pseudo-random number generation. The result is not expected to be
3162cryptographically strong but not so weak that someone will shoot themselves
3163in the foot using it as a nonce in input in some email header scheme or
3164whatever weirdness they'll twist this into. The result should handle fork()
3165and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 3166
17c76198
PP		 3167Arguments:
3168 max range maximum
3169Returns a random number in range [0, max-1]
059ec3d9
PH		 3170*/
3171
af3498d6 3172#ifdef HAVE_GNUTLS_RND
17c76198
PP		 3173int
3174vaguely_random_number(int max)
059ec3d9 3175{
17c76198
PP		 3176unsigned int r;
3177int i, needed_len;
17c76198
PP		 3178uschar smallbuf[sizeof(r)];
3179
3180if (max <= 1)
3181 return 0;
3182
3183needed_len = sizeof(r);
3184/* Don't take 8 times more entropy than needed if int is 8 octets and we were
d7978c0f
JH		 3185asked for a number less than 10. */
3186
17c76198
PP		 3187for (r = max, i = 0; r; ++i)
3188 r >>= 1;
3189i = (i + 7) / 8;
3190if (i < needed_len)
3191 needed_len = i;
3192
3193i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
3194if (i < 0)
059ec3d9 3195 {
17c76198
PP		 3196 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
3197 return vaguely_random_number_fallback(max);
3198 }
3199r = 0;
d7978c0f
JH		 3200for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3201 r = r * 256 + *p;
059ec3d9 3202
17c76198
PP		 3203/* We don't particularly care about weighted results; if someone wants
3204 * smooth distribution and cares enough then they should submit a patch then. */
3205return r % max;
059ec3d9 3206}
af3498d6
PP		 3207#else /* HAVE_GNUTLS_RND */
3208int
3209vaguely_random_number(int max)
3210{
3211 return vaguely_random_number_fallback(max);
3212}
3213#endif /* HAVE_GNUTLS_RND */
059ec3d9 3214
36f12725
NM		 3215
3216
3217
3375e053
PP		 3218/*************************************************
3219* Let tls_require_ciphers be checked at startup *
3220*************************************************/
3221
3222/* The tls_require_ciphers option, if set, must be something which the
3223library can parse.
3224
3225Returns: NULL on success, or error message
3226*/
3227
3228uschar *
3229tls_validate_require_cipher(void)
3230{
3231int rc;
3232uschar *expciphers = NULL;
3233gnutls_priority_t priority_cache;
3234const char *errpos;
cf0c6164 3235uschar * dummy_errstr;
3375e053
PP		 3236
3237#define validate_check_rc(Label) do { \
3238 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
3239 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3240#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
3241
3242if (exim_gnutls_base_init_done)
3243 log_write(0, LOG_MAIN|LOG_PANIC,
3244 "already initialised GnuTLS, Exim developer bug");
3245
a5f239e4 3246#ifdef HAVE_GNUTLS_PKCS11
2519e60d 3247if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 3248 {
3249 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
3250 validate_check_rc(US"gnutls_pkcs11_init");
3251 }
3252#endif
3375e053
PP		 3253rc = gnutls_global_init();
3254validate_check_rc(US"gnutls_global_init()");
3255exim_gnutls_base_init_done = TRUE;
3256
3257if (!(tls_require_ciphers && *tls_require_ciphers))
3258 return_deinit(NULL);
3259
cf0c6164
JH		 3260if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3261 &dummy_errstr))
3375e053
PP		 3262 return_deinit(US"failed to expand tls_require_ciphers");
3263
3264if (!(expciphers && *expciphers))
3265 return_deinit(NULL);
3266
3267DEBUG(D_tls)
3268 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3269
3270rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
3271validate_check_rc(string_sprintf(
3272 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
3273 expciphers, errpos - CS expciphers, errpos));
3274
3275#undef return_deinit
3276#undef validate_check_rc
3277gnutls_global_deinit();
3278
3279return NULL;
3280}
3281
3282
3283
3284
36f12725
NM		 3285/*************************************************
3286* Report the library versions. *
3287*************************************************/
3288
3289/* See a description in tls-openssl.c for an explanation of why this exists.
3290
3291Arguments: a FILE* to print the results to
3292Returns: nothing
3293*/
3294
3295void
3296tls_version_report(FILE *f)
3297{
754a0503
PP		 3298fprintf(f, "Library version: GnuTLS: Compile: %s\n"
3299 " Runtime: %s\n",
3300 LIBGNUTLS_VERSION,
3301 gnutls_check_version(NULL));
36f12725
NM		 3302}
3303
b10c87b3 3304#endif /*!MACRO_PREDEF*/
2b4a568d
JH		 3305/* vi: aw ai sw=2
3306*/
059ec3d9 3307/* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.