projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SPF: fix the explanation URL
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP		 10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP		 14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 16Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 17appropriate.
059ec3d9 18
17c76198
PP		 19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP		 24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP		 27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP		 32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP		 37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
184384c3 42
a5f239e4
PP		 43/* needed to disable PKCS11 autoload unless requested */
44#if GNUTLS_VERSION_NUMBER >= 0x020c00
45# include <gnutls/pkcs11.h>
76075bb5 46# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 47#endif
7e07527a
JH		 48#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
49# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
50# define DISABLE_OCSP
51#endif
0cbf2b82 52#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 53# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 54# define DISABLE_EVENT
a7538db1 55#endif
a7fec7a7
JH		 56#if GNUTLS_VERSION_NUMBER >= 0x030306
57# define SUPPORT_CA_DIR
58#else
59# undef SUPPORT_CA_DIR
60#endif
11a04b5a 61#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH		 62# define SUPPORT_SYSDEFAULT_CABUNDLE
63#endif
184384c3
JH		 64#if GNUTLS_VERSION_NUMBER >= 0x030104
65# define GNUTLS_CERT_VFY_STATUS_PRINT
66#endif
925ac8e4
JH		 67#if GNUTLS_VERSION_NUMBER >= 0x030109
68# define SUPPORT_CORK
69#endif
f20cfa4a
JH		 70#if GNUTLS_VERSION_NUMBER >= 0x03010a
71# define SUPPORT_GNUTLS_SESS_DESC
72#endif
4d2a62a3
JH		 73#if GNUTLS_VERSION_NUMBER >= 0x030300
74# define GNUTLS_AUTO_GLOBAL_INIT
9f707b89 75# define GNUTLS_AUTO_PKCS11_MANUAL
4d2a62a3 76#endif
97277c1f
JH		 77#if (GNUTLS_VERSION_NUMBER >= 0x030404) \
78 || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
79# ifndef DISABLE_OCSP
80# define EXIM_HAVE_OCSP
81# endif
82#endif
f20cfa4a
JH		 83#if GNUTLS_VERSION_NUMBER >= 0x030500
84# define SUPPORT_GNUTLS_KEYLOG
85#endif
47195144
JH		 86#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
87# define SUPPORT_SRV_OCSP_STACK
88#endif
49132a3b
JH		 89#if GNUTLS_VERSION_NUMBER >= 0x030600
90# define GNUTLS_AUTO_DHPARAMS
91#endif
be427508 92#if GNUTLS_VERSION_NUMBER >= 0x030603
e326959e 93# define EXIM_HAVE_TLS1_3
be427508 94# define SUPPORT_GNUTLS_EXT_RAW_PARSE
e326959e 95# define GNUTLS_OCSP_STATUS_REQUEST_GET2
be427508 96#endif
c0635b6d
JH		 97
98#ifdef SUPPORT_DANE
99# if GNUTLS_VERSION_NUMBER >= 0x030000
100# define DANESSL_USAGE_DANE_TA 2
101# define DANESSL_USAGE_DANE_EE 3
102# else
103# error GnuTLS version too early for DANE
104# endif
105# if GNUTLS_VERSION_NUMBER < 0x999999
106# define GNUTLS_BROKEN_DANE_VALIDATION
107# endif
899b8bbc 108#endif
7e07527a 109
43e2db44
JH		 110#ifdef EXPERIMENTAL_TLS_RESUME
111# if GNUTLS_VERSION_NUMBER < 0x030603
112# error GNUTLS version too early for session-resumption
113# endif
114#endif
115
f2de3a33 116#ifndef DISABLE_OCSP
2b4a568d
JH		 117# include <gnutls/ocsp.h>
118#endif
899b8bbc
JH		 119#ifdef SUPPORT_DANE
120# include <gnutls/dane.h>
121#endif
059ec3d9 122
f1be21cf
JH		 123#include "tls-cipher-stdname.c"
124
125
b10c87b3
JH		 126#ifdef MACRO_PREDEF
127void
128options_tls(void)
129{
130# ifdef EXPERIMENTAL_TLS_RESUME
131builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
132# endif
e326959e
JH		 133# ifdef EXIM_HAVE_TLS1_3
134builtin_macro_create(US"_HAVE_TLS1_3");
135# endif
97277c1f
JH		 136# ifdef EXIM_HAVE_OCSP
137builtin_macro_create(US"_HAVE_TLS_OCSP");
138# endif
139# ifdef SUPPORT_SRV_OCSP_STACK
140builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
141# endif
b10c87b3
JH		 142}
143#else
144
145
17c76198 146/* GnuTLS 2 vs 3
059ec3d9 147
17c76198
PP		 148GnuTLS 3 only:
149 gnutls_global_set_audit_log_function()
059ec3d9 150
17c76198
PP		 151Changes:
152 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
153*/
059ec3d9 154
17c76198 155/* Local static variables for GnuTLS */
059ec3d9 156
17c76198 157/* Values for verify_requirement */
059ec3d9 158
e51c7be2 159enum peer_verify_requirement
899b8bbc 160 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
059ec3d9 161
17c76198
PP		 162/* This holds most state for server or client; with this, we can set up an
163outbound TLS-enabled connection in an ACL callout, while not stomping all
164over the TLS variables available for expansion.
059ec3d9 165
17c76198
PP		 166Some of these correspond to variables in globals.c; those variables will
167be set to point to content in one of these instances, as appropriate for
168the stage of the process lifetime.
059ec3d9 169
389ca47a 170Not handled here: global tls_channelbinding_b64.
17c76198 171*/
059ec3d9 172
17c76198 173typedef struct exim_gnutls_state {
9d1c15ef 174 gnutls_session_t session;
17c76198 175 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 176 gnutls_priority_t priority_cache;
17c76198 177 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH		 178 int fd_in;
179 int fd_out;
180 BOOL peer_cert_verified;
899b8bbc 181 BOOL peer_dane_verified;
9d1c15ef
JH		 182 BOOL trigger_sni_changes;
183 BOOL have_set_peerdn;
5fd28bb8 184 const struct host_item *host; /* NULL if server */
afdb5e9c 185 gnutls_x509_crt_t peercert;
9d1c15ef
JH		 186 uschar *peerdn;
187 uschar *ciphersuite;
188 uschar *received_sni;
17c76198
PP		 189
190 const uschar *tls_certificate;
191 const uschar *tls_privatekey;
192 const uschar *tls_sni; /* client send only, not received */
193 const uschar *tls_verify_certificates;
194 const uschar *tls_crl;
195 const uschar *tls_require_ciphers;
e51c7be2 196
17c76198
PP		 197 uschar *exp_tls_certificate;
198 uschar *exp_tls_privatekey;
17c76198
PP		 199 uschar *exp_tls_verify_certificates;
200 uschar *exp_tls_crl;
201 uschar *exp_tls_require_ciphers;
55414b25 202 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 203#ifndef DISABLE_EVENT
a7538db1
JH		 204 uschar *event_action;
205#endif
899b8bbc
JH		 206#ifdef SUPPORT_DANE
207 char * const * dane_data;
208 const int * dane_data_len;
209#endif
17c76198 210
389ca47a 211 tls_support *tlsp; /* set in tls_init() */
817d9f57 212
17c76198
PP		 213 uschar *xfer_buffer;
214 int xfer_buffer_lwm;
215 int xfer_buffer_hwm;
8b77d27a
JH		 216 BOOL xfer_eof; /*XXX never gets set! */
217 BOOL xfer_error;
17c76198
PP		 218} exim_gnutls_state_st;
219
220static const exim_gnutls_state_st exim_gnutls_state_init = {
b10c87b3 221 /* all elements not explicitly intialised here get 0/NULL/FALSE */
f2ed27cf
JH		 222 .fd_in = -1,
223 .fd_out = -1,
17c76198 224};
83da1223 225
17c76198
PP		 226/* Not only do we have our own APIs which don't pass around state, assuming
227it's held in globals, GnuTLS doesn't appear to let us register callback data
228for callbacks, or as part of the session, so we have to keep a "this is the
229context we're currently dealing with" pointer and rely upon being
230single-threaded to keep from processing data on an inbound TLS connection while
231talking to another TLS connection for an outbound check. This does mean that
232there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH		 233second connection.
234XXX But see gnutls_session_get_ptr()
235*/
059ec3d9 236
74f1a423 237static exim_gnutls_state_st state_server;
059ec3d9 238
49132a3b 239#ifndef GNUTLS_AUTO_DHPARAMS
17c76198
PP		 240/* dh_params are initialised once within the lifetime of a process using TLS;
241if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
242don't want to repeat this. */
83da1223 243
17c76198 244static gnutls_dh_params_t dh_server_params = NULL;
49132a3b 245#endif
059ec3d9 246
dea4b568 247static int ssl_session_timeout = 7200; /* Two hours */
059ec3d9 248
fc243e94 249static const uschar * const exim_default_gnutls_priority = US"NORMAL";
83da1223 250
17c76198 251/* Guard library core initialisation */
83da1223 252
17c76198 253static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 254
4fb7df6d 255#ifndef DISABLE_OCSP
9196d5bf 256static BOOL gnutls_buggy_ocsp = FALSE;
e5489333 257static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
4fb7df6d 258#endif
9196d5bf 259
b10c87b3
JH		 260#ifdef EXPERIMENTAL_TLS_RESUME
261static gnutls_datum_t server_sessticket_key;
262#endif
059ec3d9 263
17c76198
PP		 264/* ------------------------------------------------------------------------ */
265/* macros */
83da1223 266
17c76198 267#define MAX_HOST_LEN 255
83da1223 268
17c76198
PP		 269/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
270the library logging; a value less than 0 disables the calls to set up logging
dc6d1769
JH		 271callbacks. GNuTLS also looks for an environment variable - except not for
272setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
273Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
274but the env var must be added to /etc/sudoers too. */
2c17bb02 275#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
b1a4f234 276# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 277#endif
83da1223 278
2c17bb02 279#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 280# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 281#endif
83da1223 282
af3498d6
PP		 283/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
284can ask for a bit-strength. Without that, we stick to the constant we had
285before, for now. */
2c17bb02 286#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 287# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 288#endif
af3498d6 289
cf0c6164
JH		 290#define expand_check_tlsvar(Varname, errstr) \
291 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 292
17c76198 293#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH		 294# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
295# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
296# define HAVE_GNUTLS_RND
2519e60d
TL		 297/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
298 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
299 * isn't available sometimes, so this needs to become a conditional
300 * compilation; the sanest way to deal with this being a problem on
301 * older OSes is to block it in the Local/Makefile with this compiler
302 * definition */
e51c7be2
JH		 303# ifndef AVOID_GNUTLS_PKCS11
304# define HAVE_GNUTLS_PKCS11
305# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 306#endif
83da1223 307
af3498d6
PP		 308
309
310
311/* ------------------------------------------------------------------------ */
312/* Callback declarations */
313
314#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
315static void exim_gnutls_logger_cb(int level, const char *message);
316#endif
317
318static int exim_sni_handling_cb(gnutls_session_t session);
319
e5489333
JH		 320#ifdef EXPERIMENTAL_TLS_RESUME
321static int
322tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
323 unsigned incoming, const gnutls_datum_t * msg);
324#endif
af3498d6
PP		 325
326
b10c87b3
JH		 327/* Daemon one-time initialisation */
328void
329tls_daemon_init(void)
330{
331#ifdef EXPERIMENTAL_TLS_RESUME
332/* We are dependent on the GnuTLS implementation of the Session Ticket
333encryption; both the strength and the key rotation period. We hope that
334the strength at least matches that of the ciphersuite (but GnuTLS does not
335document this). */
336
337static BOOL once = FALSE;
338if (once) return;
339once = TRUE;
340gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
341if (f.running_in_test_harness) ssl_session_timeout = 6;
342#endif
343}
344
17c76198
PP		 345/* ------------------------------------------------------------------------ */
346/* Static functions */
059ec3d9
PH		 347
348/*************************************************
349* Handle TLS error *
350*************************************************/
351
352/* Called from lots of places when errors occur before actually starting to do
353the TLS handshake, that is, while the session is still in clear. Always returns
354DEFER for a server and FAIL for a client so that most calls can use "return
355tls_error(...)" to do this processing and then give an appropriate return. A
356single function is used for both server and client, because it is called from
357some shared functions.
358
359Argument:
360 prefix text to include in the logged error
7199e1ee
TF		 361 msg additional error string (may be NULL)
362 usually obtained from gnutls_strerror()
17c76198
PP		 363 host NULL if setting up a server;
364 the connected host if setting up a client
cf0c6164 365 errstr pointer to returned error string
059ec3d9
PH		 366
367Returns: OK/DEFER/FAIL
368*/
369
370static int
48224640 371tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
cf0c6164 372 uschar ** errstr)
059ec3d9 373{
cf0c6164 374if (errstr)
48224640 375 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
cf0c6164 376return host ? FAIL : DEFER;
059ec3d9
PH		 377}
378
379
452a164f
JH		 380static int
381tls_error_gnu(const uschar *prefix, int err, const host_item *host,
382 uschar ** errstr)
383{
384return tls_error(prefix, US gnutls_strerror(err), host, errstr);
385}
386
387static int
388tls_error_sys(const uschar *prefix, int err, const host_item *host,
389 uschar ** errstr)
390{
391return tls_error(prefix, US strerror(err), host, errstr);
392}
059ec3d9 393
17c76198 394
059ec3d9 395/*************************************************
17c76198 396* Deal with logging errors during I/O *
059ec3d9
PH		 397*************************************************/
398
17c76198 399/* We have to get the identity of the peer from saved data.
059ec3d9 400
17c76198
PP		 401Argument:
402 state the current GnuTLS exim state container
403 rc the GnuTLS error code, or 0 if it's a local error
404 when text identifying read or write
95f52235 405 text local error text when rc is 0
059ec3d9 406
17c76198 407Returns: nothing
059ec3d9
PH		 408*/
409
17c76198
PP		 410static void
411record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 412{
48224640 413const uschar * msg;
cf0c6164 414uschar * errstr;
059ec3d9 415
17c76198 416if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
95f52235 417 msg = string_sprintf("A TLS fatal alert has been received: %s",
17c76198
PP		 418 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
419else
48224640 420 msg = US gnutls_strerror(rc);
059ec3d9 421
cf0c6164
JH		 422(void) tls_error(when, msg, state->host, &errstr);
423
424if (state->host)
425 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
426 state->host->name, state->host->address, errstr);
427else
428 {
429 uschar * conn_info = smtp_get_connection_info();
430 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
431 /* I'd like to get separated H= here, but too hard for now */
432 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
433 }
17c76198 434}
059ec3d9 435
059ec3d9 436
059ec3d9 437
059ec3d9 438
17c76198
PP		 439/*************************************************
440* Set various Exim expansion vars *
441*************************************************/
059ec3d9 442
e51c7be2
JH		 443#define exim_gnutls_cert_err(Label) \
444 do \
445 { \
446 if (rc != GNUTLS_E_SUCCESS) \
447 { \
448 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
449 (Label), gnutls_strerror(rc)); \
450 return rc; \
451 } \
452 } while (0)
9d1c15ef
JH		 453
454static int
27f19eb4 455import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH		 456{
457int rc;
458
459rc = gnutls_x509_crt_init(crtp);
460exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
461
462rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
463exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
464
465return rc;
466}
467
468#undef exim_gnutls_cert_err
469
470
17c76198
PP		 471/* We set various Exim global variables from the state, once a session has
472been established. With TLS callouts, may need to change this to stack
473variables, or just re-call it with the server state after client callout
474has finished.
059ec3d9 475
9d1c15ef 476Make sure anything set here is unset in tls_getc().
17c76198
PP		 477
478Sets:
479 tls_active fd
480 tls_bits strength indicator
481 tls_certificate_verified bool indicator
482 tls_channelbinding_b64 for some SASL mechanisms
483 tls_cipher a string
9d1c15ef 484 tls_peercert pointer to library internal
17c76198
PP		 485 tls_peerdn a string
486 tls_sni a (UTF-8) string
9d1c15ef 487 tls_ourcert pointer to library internal
17c76198
PP		 488
489Argument:
490 state the relevant exim_gnutls_state_st *
491*/
492
493static void
9d1c15ef 494extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 495{
17c76198
PP		 496#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
497int old_pool;
498int rc;
499gnutls_datum_t channel;
500#endif
9d1c15ef 501tls_support * tlsp = state->tlsp;
17c76198 502
74f1a423
JH		 503tlsp->active.sock = state->fd_out;
504tlsp->active.tls_ctx = state;
17c76198 505
817d9f57 506DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 507
9d1c15ef 508tlsp->certificate_verified = state->peer_cert_verified;
899b8bbc
JH		 509#ifdef SUPPORT_DANE
510tlsp->dane_verified = state->peer_dane_verified;
511#endif
059ec3d9 512
17c76198
PP		 513/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
514only available for use for authenticators while this TLS session is running. */
515
516tls_channelbinding_b64 = NULL;
517#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
518channel.data = NULL;
519channel.size = 0;
1f20760b
JH		 520if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
521 { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
522else
523 {
17c76198
PP		 524 old_pool = store_pool;
525 store_pool = POOL_PERM;
1f20760b 526 tls_channelbinding_b64 = b64encode(CUS channel.data, (int)channel.size);
17c76198
PP		 527 store_pool = old_pool;
528 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
1f20760b 529 }
17c76198
PP		 530#endif
531
9d1c15ef
JH		 532/* peercert is set in peer_status() */
533tlsp->peerdn = state->peerdn;
534tlsp->sni = state->received_sni;
535
536/* record our certificate */
537 {
27f19eb4 538 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH		 539 gnutls_x509_crt_t crt;
540
541 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
542 }
059ec3d9
PH		 543}
544
545
546
17c76198 547
49132a3b 548#ifndef GNUTLS_AUTO_DHPARAMS
059ec3d9 549/*************************************************
575643cd 550* Setup up DH parameters *
059ec3d9
PH		 551*************************************************/
552
575643cd 553/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH		 554be re-generated every so often, depending on security policy. What we do is to
555keep these parameters in a file in the spool directory. If the file does not
556exist, we generate them. This means that it is easy to cause a regeneration.
557
558The new file is written as a temporary file and renamed, so that an incomplete
559file is never present. If two processes both compute some new parameters, you
560waste a bit of effort, but it doesn't seem worth messing around with locking to
561prevent this.
562
059ec3d9
PH		 563Returns: OK/DEFER/FAIL
564*/
565
566static int
cf0c6164 567init_server_dh(uschar ** errstr)
059ec3d9 568{
17c76198
PP		 569int fd, rc;
570unsigned int dh_bits;
49132a3b 571gnutls_datum_t m = {.data = NULL, .size = 0};
a799883d
PP		 572uschar filename_buf[PATH_MAX];
573uschar *filename = NULL;
17c76198 574size_t sz;
a799883d
PP		 575uschar *exp_tls_dhparam;
576BOOL use_file_in_spool = FALSE;
17c76198 577host_item *host = NULL; /* dummy for macros */
059ec3d9 578
17c76198 579DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 580
452a164f
JH		 581if ((rc = gnutls_dh_params_init(&dh_server_params)))
582 return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
059ec3d9 583
cf0c6164 584if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP		 585 return DEFER;
586
587if (!exp_tls_dhparam)
588 {
589 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
590 m.data = US std_dh_prime_default();
591 m.size = Ustrlen(m.data);
592 }
593else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
594 use_file_in_spool = TRUE;
595else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
596 {
597 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
598 return OK;
599 }
600else if (exp_tls_dhparam[0] != '/')
601 {
f5d25c2b 602 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
48224640 603 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
a799883d
PP		 604 m.size = Ustrlen(m.data);
605 }
606else
a799883d 607 filename = exp_tls_dhparam;
a799883d
PP		 608
609if (m.data)
610 {
452a164f
JH		 611 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
612 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
a799883d
PP		 613 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
614 return OK;
615 }
616
af3498d6
PP		 617#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
618/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198 619different filename and ensure we have sufficient bits. */
452a164f
JH		 620
621if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
cf0c6164 622 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 623DEBUG(D_tls)
b34fc30c 624 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP		 625 dh_bits);
626#else
627dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
628DEBUG(D_tls)
629 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
630 dh_bits);
631#endif
059ec3d9 632
3375e053
PP		 633/* Some clients have hard-coded limits. */
634if (dh_bits > tls_dh_max_bits)
635 {
636 DEBUG(D_tls)
637 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
638 tls_dh_max_bits);
639 dh_bits = tls_dh_max_bits;
640 }
641
a799883d
PP		 642if (use_file_in_spool)
643 {
644 if (!string_format(filename_buf, sizeof(filename_buf),
645 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 646 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP		 647 filename = filename_buf;
648 }
059ec3d9 649
b5aea5e1 650/* Open the cache file for reading and if successful, read it and set up the
575643cd 651parameters. */
059ec3d9 652
f5d25c2b 653if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 654 {
b5aea5e1 655 struct stat statbuf;
17c76198
PP		 656 FILE *fp;
657 int saved_errno;
658
659 if (fstat(fd, &statbuf) < 0) /* EIO */
660 {
661 saved_errno = errno;
662 (void)close(fd);
452a164f 663 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
17c76198
PP		 664 }
665 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH		 666 {
667 (void)close(fd);
cf0c6164 668 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 669 }
40c90bca 670 if (!(fp = fdopen(fd, "rb")))
17c76198
PP		 671 {
672 saved_errno = errno;
673 (void)close(fd);
452a164f
JH		 674 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
675 saved_errno, NULL, errstr);
b5aea5e1 676 }
059ec3d9 677
b5aea5e1 678 m.size = statbuf.st_size;
f3ebb786 679 if (!(m.data = store_malloc(m.size)))
17c76198
PP		 680 {
681 fclose(fp);
452a164f 682 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
17c76198 683 }
40c90bca 684 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP		 685 {
686 saved_errno = errno;
687 fclose(fp);
f3ebb786 688 store_free(m.data);
452a164f 689 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
17c76198
PP		 690 }
691 fclose(fp);
b5aea5e1 692
17c76198 693 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
f3ebb786 694 store_free(m.data);
452a164f
JH		 695 if (rc)
696 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
17c76198 697 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH		 698 }
699
700/* If the file does not exist, fall through to compute new data and cache it.
701If there was any other opening error, it is serious. */
702
182ad5cf
PH		 703else if (errno == ENOENT)
704 {
17c76198 705 rc = -1;
182ad5cf 706 DEBUG(D_tls)
17c76198 707 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH		 708 }
709else
17c76198 710 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 711 NULL, NULL, errstr);
b5aea5e1
PH		 712
713/* If ret < 0, either the cache file does not exist, or the data it contains
714is not useful. One particular case of this is when upgrading from an older
715release of Exim in which the data was stored in a different format. We don't
716try to be clever and support both formats; we just regenerate new data in this
717case. */
718
17c76198 719if (rc < 0)
b5aea5e1 720 {
17c76198 721 uschar *temp_fn;
201f5254 722 unsigned int dh_bits_gen = dh_bits;
059ec3d9 723
17c76198
PP		 724 if ((PATH_MAX - Ustrlen(filename)) < 10)
725 return tls_error(US"Filename too long to generate replacement",
48224640 726 filename, NULL, errstr);
059ec3d9 727
48224640 728 temp_fn = string_copy(US"%s.XXXXXXX");
f5d25c2b 729 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
452a164f 730 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
b66fecb4 731 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
059ec3d9 732
49132a3b
JH		 733 /* GnuTLS overshoots! If we ask for 2236, we might get 2237 or more. But
734 there's no way to ask GnuTLS how many bits there really are. We can ask
735 how many bits were used in a TLS session, but that's it! The prime itself
736 is hidden behind too much abstraction. So we ask for less, and proceed on
737 a wing and a prayer. First attempt, subtracted 3 for 2233 and got 2240. */
738
cae6e576 739 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP		 740 {
741 dh_bits_gen = dh_bits - 10;
742 DEBUG(D_tls)
743 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
744 dh_bits_gen);
745 }
746
747 DEBUG(D_tls)
748 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
749 dh_bits_gen);
452a164f
JH		 750 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
751 return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
17c76198
PP		 752
753 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
754 and I confirmed that a NULL call to get the size first is how the GnuTLS
755 sample apps handle this. */
756
757 sz = 0;
758 m.data = NULL;
452a164f
JH		 759 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
760 GNUTLS_X509_FMT_PEM, m.data, &sz))
761 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
762 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
763 rc, host, errstr);
17c76198 764 m.size = sz;
f3ebb786 765 if (!(m.data = store_malloc(m.size)))
452a164f 766 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
40c90bca 767
1f00591e 768 /* this will return a size 1 less than the allocation size above */
452a164f
JH		 769 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
770 m.data, &sz)))
17c76198 771 {
f3ebb786 772 store_free(m.data);
452a164f 773 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
17c76198 774 }
1f00591e 775 m.size = sz; /* shrink by 1, probably */
059ec3d9 776
f5d25c2b 777 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198 778 {
f3ebb786 779 store_free(m.data);
452a164f
JH		 780 return tls_error_sys(US"TLS cache write D-H params failed",
781 errno, NULL, errstr);
17c76198 782 }
f3ebb786 783 store_free(m.data);
f5d25c2b 784 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
452a164f
JH		 785 return tls_error_sys(US"TLS cache write D-H params final newline failed",
786 errno, NULL, errstr);
17c76198 787
f5d25c2b 788 if ((rc = close(fd)))
452a164f 789 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
059ec3d9 790
17c76198 791 if (Urename(temp_fn, filename) < 0)
452a164f
JH		 792 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
793 temp_fn, filename), errno, NULL, errstr);
059ec3d9 794
17c76198 795 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH		 796 }
797
17c76198 798DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH		 799return OK;
800}
49132a3b 801#endif
059ec3d9
PH		 802
803
804
805
23bb6982
JH		 806/* Create and install a selfsigned certificate, for use in server mode */
807
808static int
cf0c6164 809tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH		 810{
811gnutls_x509_crt_t cert = NULL;
812time_t now;
813gnutls_x509_privkey_t pkey = NULL;
814const uschar * where;
815int rc;
816
817where = US"initialising pkey";
818if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
819
820where = US"initialising cert";
821if ((rc = gnutls_x509_crt_init(&cert))) goto err;
822
823where = US"generating pkey";
824if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 825#ifdef SUPPORT_PARAM_TO_PK_BITS
4312da48
JH		 826# ifndef GNUTLS_SEC_PARAM_MEDIUM
827# define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
828# endif
6aac3239 829 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
76075bb5 830#else
6aac3239 831 2048,
76075bb5
JH		 832#endif
833 0)))
23bb6982
JH		 834 goto err;
835
836where = US"configuring cert";
1613fd68 837now = 1;
23bb6982
JH		 838if ( (rc = gnutls_x509_crt_set_version(cert, 3))
839 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
840 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
841 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
842 || (rc = gnutls_x509_crt_set_key(cert, pkey))
843
844 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
845 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
846 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
847 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
848 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
849 GNUTLS_OID_X520_COMMON_NAME, 0,
850 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
851 )
852 goto err;
853
854where = US"signing cert";
855if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
856
857where = US"installing selfsign cert";
858 /* Since: 2.4.0 */
859if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
860 goto err;
861
862rc = OK;
863
864out:
865 if (cert) gnutls_x509_crt_deinit(cert);
866 if (pkey) gnutls_x509_privkey_deinit(pkey);
867 return rc;
868
869err:
452a164f 870 rc = tls_error_gnu(where, rc, NULL, errstr);
23bb6982
JH		 871 goto out;
872}
873
874
875
876
47195144
JH		 877/* Add certificate and key, from files.
878
879Return:
880 Zero or negative: good. Negate value for certificate index if < 0.
881 Greater than zero: FAIL or DEFER code.
882*/
883
ba86e143
JH		 884static int
885tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
886 uschar * certfile, uschar * keyfile, uschar ** errstr)
887{
888int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
889 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
47195144 890if (rc < 0)
452a164f 891 return tls_error_gnu(
47195144 892 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
452a164f 893 rc, host, errstr);
47195144 894return -rc;
ba86e143
JH		 895}
896
897
d896cef5
JH		 898#if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
899/* Load an OCSP proof from file for sending by the server. Called
900on getting a status-request handshake message, for earlier versions
901of GnuTLS. */
902
903static int
904server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
905 gnutls_datum_t * ocsp_response)
906{
907int ret;
908DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
909
910if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
911 {
912 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
913 CS ptr);
914 tls_in.ocsp = OCSP_NOT_RESP;
915 return GNUTLS_E_NO_CERTIFICATE_STATUS;
916 }
917
918tls_in.ocsp = OCSP_VFY_NOT_TRIED;
919return 0;
920}
921#endif
922
923
be427508 924#ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e5489333
JH		 925/* Make a note that we saw a status-request */
926static int
927tls_server_clienthello_ext(void * ctx, unsigned tls_id,
928 const unsigned char *data, unsigned size)
929{
930/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
931if (tls_id == 5) /* status_request */
932 {
e326959e 933 DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
e5489333
JH		 934 tls_in.ocsp = OCSP_NOT_RESP;
935 }
936return 0;
937}
938
939/* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
940static int
941tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
942 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
943{
944/* Call fn for each extension seen. 3.6.3 onwards */
945return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
946 GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
947}
e326959e
JH		 948
949
950/* Make a note that we saw a status-response */
951static int
952tls_server_servercerts_ext(void * ctx, unsigned tls_id,
953 const unsigned char *data, unsigned size)
954{
955/* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
956/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
957if (FALSE && tls_id == 5) /* status_request */
958 {
959 DEBUG(D_tls) debug_printf("Seen status_request extension\n");
960 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
961 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
962 }
963return 0;
964}
965
966/* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
967static int
968tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
969 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
970{
971/* Call fn for each extension seen. 3.6.3 onwards */
972#ifdef notdef
973/*XXX crashes */
974return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
975#endif
976}
be427508 977#endif
e5489333 978
e326959e
JH		 979/*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
980 "Handshake Protocol: Certificate" record.
981So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
982
983This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term).
984*/
985
727a5d25 986#if defined(EXPERIMENTAL_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
e5489333
JH		 987/* Callback for certificate-status, on server. We sent stapled OCSP. */
988static int
989tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
990 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
991{
e326959e 992DEBUG(D_tls) debug_printf("Sending certificate-status\n"); /*XXX we get this for tls1.2 but not for 1.3 */
e5489333
JH		 993#ifdef SUPPORT_SRV_OCSP_STACK
994tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
995 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
996#else
997tls_in.ocsp = OCSP_VFY_NOT_TRIED;
998#endif
999return 0;
1000}
1001
1002/* Callback for handshake messages, on server */
1003static int
1004tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
1005 unsigned incoming, const gnutls_datum_t * msg)
1006{
e326959e 1007/* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
e5489333
JH		 1008switch (htype)
1009 {
727a5d25 1010# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e5489333
JH		 1011 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1012 return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
e326959e
JH		 1013 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1014 return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
727a5d25 1015# endif
e5489333
JH		 1016 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1017 return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
727a5d25 1018# ifdef EXPERIMENTAL_TLS_RESUME
e5489333
JH		 1019 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1020 return tls_server_ticket_cb(sess, htype, when, incoming, msg);
727a5d25 1021# endif
e5489333
JH		 1022 default:
1023 return 0;
1024 }
1025}
727a5d25 1026#endif
e5489333
JH		 1027
1028
727a5d25 1029#if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
e5489333
JH		 1030static void
1031tls_server_testharness_ocsp_fiddle(void)
1032{
1033extern char ** environ;
1034if (environ) for (uschar ** p = USS environ; *p; p++)
1035 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1036 {
1037 DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
1038 exim_testharness_disable_ocsp_validity_check = TRUE;
1039 }
1040}
727a5d25 1041#endif
e5489333 1042
059ec3d9 1043/*************************************************
17c76198 1044* Variables re-expanded post-SNI *
059ec3d9
PH		 1045*************************************************/
1046
17c76198
PP		 1047/* Called from both server and client code, via tls_init(), and also from
1048the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
1049
1050We can tell the two apart by state->received_sni being non-NULL in callback.
1051
1052The callback should not call us unless state->trigger_sni_changes is true,
1053which we are responsible for setting on the first pass through.
059ec3d9
PH		 1054
1055Arguments:
17c76198 1056 state exim_gnutls_state_st *
cf0c6164 1057 errstr error string pointer
059ec3d9
PH		 1058
1059Returns: OK/DEFER/FAIL
1060*/
1061
1062static int
ba86e143 1063tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1064{
1365611d 1065struct stat statbuf;
059ec3d9 1066int rc;
17c76198
PP		 1067const host_item *host = state->host; /* macro should be reconsidered? */
1068uschar *saved_tls_certificate = NULL;
1069uschar *saved_tls_privatekey = NULL;
1070uschar *saved_tls_verify_certificates = NULL;
1071uschar *saved_tls_crl = NULL;
1072int cert_count;
1073
1074/* We check for tls_sni *before* expansion. */
2b4a568d 1075if (!host) /* server */
17c76198
PP		 1076 if (!state->received_sni)
1077 {
ba86e143
JH		 1078 if ( state->tls_certificate
1079 && ( Ustrstr(state->tls_certificate, US"tls_sni")
1080 || Ustrstr(state->tls_certificate, US"tls_in_sni")
1081 || Ustrstr(state->tls_certificate, US"tls_out_sni")
1082 ) )
17c76198
PP		 1083 {
1084 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
1085 state->trigger_sni_changes = TRUE;
1086 }
1087 }
1088 else
1089 {
1365611d 1090 /* useful for debugging */
17c76198
PP		 1091 saved_tls_certificate = state->exp_tls_certificate;
1092 saved_tls_privatekey = state->exp_tls_privatekey;
1093 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
1094 saved_tls_crl = state->exp_tls_crl;
1095 }
059ec3d9 1096
452a164f
JH		 1097if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
1098 return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
1099 rc, host, errstr);
47195144
JH		 1100
1101#ifdef SUPPORT_SRV_OCSP_STACK
1102gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
e326959e
JH		 1103
1104# if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1105if (!host && tls_ocsp_file)
1106 {
1107 if (f.running_in_test_harness)
1108 tls_server_testharness_ocsp_fiddle();
1109
1110 if (exim_testharness_disable_ocsp_validity_check)
1111 gnutls_certificate_set_flags(state->x509_cred,
1112 GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
1113 }
1114# endif
47195144 1115#endif
1365611d 1116
17c76198
PP		 1117/* remember: expand_check_tlsvar() is expand_check() but fiddling with
1118state members, assuming consistent naming; and expand_check() returns
1119false if expansion failed, unless expansion was forced to fail. */
059ec3d9 1120
17c76198
PP		 1121/* check if we at least have a certificate, before doing expensive
1122D-H generation. */
059ec3d9 1123
cf0c6164 1124if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 1125 return DEFER;
059ec3d9 1126
17c76198 1127/* certificate is mandatory in server, optional in client */
059ec3d9 1128
23bb6982
JH		 1129if ( !state->exp_tls_certificate
1130 || !*state->exp_tls_certificate
1131 )
2b4a568d 1132 if (!host)
cf0c6164 1133 return tls_install_selfsign(state, errstr);
17c76198
PP		 1134 else
1135 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 1136
cf0c6164 1137if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH		 1138 return DEFER;
1139
17c76198
PP		 1140/* tls_privatekey is optional, defaulting to same file as certificate */
1141
e326959e 1142if (!state->tls_privatekey || !*state->tls_privatekey)
059ec3d9 1143 {
17c76198
PP		 1144 state->tls_privatekey = state->tls_certificate;
1145 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 1146 }
c91535f3 1147
059ec3d9 1148
17c76198 1149if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH		 1150 {
1151 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP		 1152 state->exp_tls_certificate, state->exp_tls_privatekey);
1153
1154 if (state->received_sni)
23bb6982
JH		 1155 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
1156 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
1157 )
17c76198 1158 {
b34fc30c 1159 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP		 1160 }
1161 else
1162 {
b34fc30c 1163 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 1164 }
059ec3d9 1165
ba86e143
JH		 1166 if (!host) /* server */
1167 {
1168 const uschar * clist = state->exp_tls_certificate;
1169 const uschar * klist = state->exp_tls_privatekey;
47195144
JH		 1170 const uschar * olist;
1171 int csep = 0, ksep = 0, osep = 0, cnt = 0;
1172 uschar * cfile, * kfile, * ofile;
47195144 1173#ifndef DISABLE_OCSP
e326959e
JH		 1174# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1175 gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
1176# endif
1177
47195144
JH		 1178 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
1179 return DEFER;
1180 olist = ofile;
1181#endif
ba86e143
JH		 1182
1183 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
47195144 1184
ba86e143
JH		 1185 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
1186 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
47195144 1187 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
ba86e143
JH		 1188 return rc;
1189 else
47195144
JH		 1190 {
1191 int gnutls_cert_index = -rc;
e326959e
JH		 1192 DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
1193 gnutls_cert_index, cfile);
47195144
JH		 1194
1195#ifndef DISABLE_OCSP
1196 if (tls_ocsp_file)
e5489333 1197 {
e326959e 1198 /* Set the OCSP stapling server info */
47195144
JH		 1199 if (gnutls_buggy_ocsp)
1200 {
1201 DEBUG(D_tls)
1202 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1203 }
1204 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1205 {
e326959e
JH		 1206 DEBUG(D_tls) debug_printf("OCSP response file %d = %s\n",
1207 gnutls_cert_index, ofile);
be427508 1208# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e326959e 1209 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
47195144 1210 {
e326959e
JH		 1211 ocsp_fmt = GNUTLS_X509_FMT_PEM;
1212 ofile += 4;
1213 }
1214 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1215 {
1216 ocsp_fmt = GNUTLS_X509_FMT_DER;
1217 ofile += 4;
1218 }
e5489333 1219
e326959e
JH		 1220 if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
1221 state->x509_cred, CCS ofile, gnutls_cert_index,
1222 ocsp_fmt)) < 0)
1223 return tls_error_gnu(
1224 US"gnutls_certificate_set_ocsp_status_request_file2",
1225 rc, host, errstr);
1226 DEBUG(D_tls)
1227 debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
e5489333 1228
e326959e
JH		 1229 /* Arrange callbacks for OCSP request observability */
1230
1231 gnutls_handshake_set_hook_function(state->session,
1232 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1233
1234# else
1235# if defined(SUPPORT_SRV_OCSP_STACK)
be427508
JH		 1236 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1237 state->x509_cred, gnutls_cert_index,
1238 server_ocsp_stapling_cb, ofile)))
1239 return tls_error_gnu(
1240 US"gnutls_certificate_set_ocsp_status_request_function2",
1241 rc, host, errstr);
1242 else
e326959e 1243# endif
e5489333
JH		 1244 {
1245 if (cnt++ > 0)
1246 {
1247 DEBUG(D_tls)
1248 debug_printf("oops; multiple OCSP files not supported\n");
1249 break;
1250 }
d896cef5
JH		 1251 gnutls_certificate_set_ocsp_status_request_function(
1252 state->x509_cred, server_ocsp_stapling_cb, ofile);
e5489333 1253 }
e326959e 1254# endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
47195144
JH		 1255 }
1256 else
1257 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
e5489333 1258 }
fd71e7b8 1259#endif /* DISABLE_OCSP */
47195144 1260 }
ba86e143 1261 }
e5489333 1262 else /* client */
ba86e143 1263 {
47195144 1264 if (0 < (rc = tls_add_certfile(state, host,
ba86e143
JH		 1265 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1266 return rc;
1267 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1268 }
1269
b34fc30c 1270 } /* tls_certificate */
059ec3d9 1271
2b4a568d 1272
059ec3d9
PH		 1273/* Set the trusted CAs file if one is provided, and then add the CRL if one is
1274provided. Experiment shows that, if the certificate file is empty, an unhelpful
1275error message is provided. However, if we just refrain from setting anything up
1276in that case, certificate verification fails, which seems to be the correct
1277behaviour. */
1278
610ff438 1279if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 1280 {
cf0c6164 1281 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 1282 return DEFER;
610ff438
JH		 1283#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1284 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1285 state->exp_tls_verify_certificates = NULL;
1286#endif
17c76198 1287 if (state->tls_crl && *state->tls_crl)
cf0c6164 1288 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 1289 return DEFER;
059ec3d9 1290
1365611d
PP		 1291 if (!(state->exp_tls_verify_certificates &&
1292 *state->exp_tls_verify_certificates))
b34fc30c
PP		 1293 {
1294 DEBUG(D_tls)
1365611d
PP		 1295 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1296 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 1297 return OK;
b34fc30c 1298 }
1365611d 1299 }
83e2f8a2
PP		 1300else
1301 {
1302 DEBUG(D_tls)
1303 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1304 return OK;
1305 }
17c76198 1306
cb1d7830
JH		 1307#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1308if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1309 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1310else
1311#endif
1365611d 1312 {
cb1d7830
JH		 1313 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1314 {
d896cef5 1315 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
cb1d7830
JH		 1316 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1317 strerror(errno));
1318 return DEFER;
1319 }
17c76198 1320
a7fec7a7 1321#ifndef SUPPORT_CA_DIR
cb1d7830
JH		 1322 /* The test suite passes in /dev/null; we could check for that path explicitly,
1323 but who knows if someone has some weird FIFO which always dumps some certs, or
1324 other weirdness. The thing we really want to check is that it's not a
1325 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 1326 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH		 1327 if (S_ISDIR(statbuf.st_mode))
1328 {
1329 DEBUG(D_tls)
1330 debug_printf("verify certificates path is a dir: \"%s\"\n",
1331 state->exp_tls_verify_certificates);
1332 log_write(0, LOG_MAIN|LOG_PANIC,
1333 "tls_verify_certificates \"%s\" is a directory",
1334 state->exp_tls_verify_certificates);
1335 return DEFER;
1336 }
a7fec7a7 1337#endif
059ec3d9 1338
cb1d7830
JH		 1339 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1340 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 1341
cb1d7830
JH		 1342 if (statbuf.st_size == 0)
1343 {
1344 DEBUG(D_tls)
1345 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1346 return OK;
1347 }
059ec3d9 1348
cb1d7830 1349 cert_count =
a7fec7a7
JH		 1350
1351#ifdef SUPPORT_CA_DIR
cb1d7830
JH		 1352 (statbuf.st_mode & S_IFMT) == S_IFDIR
1353 ?
1354 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1355 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1356 :
a7fec7a7 1357#endif
cb1d7830
JH		 1358 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1359 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
12d95aa6
JH		 1360
1361#ifdef SUPPORT_CA_DIR
1362 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1363 when using the directory-of-certs config model. */
1364
1365 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1366 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1367#endif
cb1d7830 1368 }
a7fec7a7 1369
1365611d 1370if (cert_count < 0)
452a164f
JH		 1371 return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
1372DEBUG(D_tls)
1373 debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1374
5c8cda3a
PP		 1375if (state->tls_crl && *state->tls_crl &&
1376 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1377 {
5c8cda3a 1378 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
452a164f
JH		 1379 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1380 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
1381 return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
1382 cert_count, host, errstr);
1383
5c8cda3a 1384 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1385 }
059ec3d9 1386
059ec3d9
PH		 1387return OK;
1388}
1389
1390
1391
1392
1365611d
PP		 1393/*************************************************
1394* Set X.509 state variables *
1395*************************************************/
1396
1397/* In GnuTLS, the registered cert/key are not replaced by a later
1398set of a cert/key, so for SNI support we need a whole new x509_cred
1399structure. Which means various other non-re-expanded pieces of state
1400need to be re-set in the new struct, so the setting logic is pulled
1401out to this.
1402
1403Arguments:
1404 state exim_gnutls_state_st *
cf0c6164 1405 errstr error string pointer
1365611d
PP		 1406
1407Returns: OK/DEFER/FAIL
1408*/
1409
1410static int
cf0c6164 1411tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP		 1412{
1413int rc;
1414const host_item *host = state->host; /* macro should be reconsidered? */
1415
49132a3b 1416#ifndef GNUTLS_AUTO_DHPARAMS
1365611d
PP		 1417/* Create D-H parameters, or read them from the cache file. This function does
1418its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1419client-side params. */
1420
1421if (!state->host)
1422 {
1423 if (!dh_server_params)
452a164f 1424 if ((rc = init_server_dh(errstr)) != OK) return rc;
49132a3b
JH		 1425
1426 /* Unnecessary & discouraged with 3.6.0 or later */
1365611d
PP		 1427 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1428 }
49132a3b 1429#endif
1365611d
PP		 1430
1431/* Link the credentials to the session. */
1432
452a164f
JH		 1433if ((rc = gnutls_credentials_set(state->session,
1434 GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
1435 return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
1365611d
PP		 1436
1437return OK;
1438}
1439
059ec3d9 1440/*************************************************
17c76198 1441* Initialize for GnuTLS *
059ec3d9
PH		 1442*************************************************/
1443
9196d5bf 1444
4fb7df6d
JH		 1445#ifndef DISABLE_OCSP
1446
9196d5bf
JH		 1447static BOOL
1448tls_is_buggy_ocsp(void)
1449{
1450const uschar * s;
1451uschar maj, mid, mic;
1452
1453s = CUS gnutls_check_version(NULL);
1454maj = atoi(CCS s);
1455if (maj == 3)
1456 {
1457 while (*s && *s != '.') s++;
1458 mid = atoi(CCS ++s);
1459 if (mid <= 2)
1460 return TRUE;
1461 else if (mid >= 5)
1462 return FALSE;
1463 else
1464 {
1465 while (*s && *s != '.') s++;
1466 mic = atoi(CCS ++s);
1467 return mic <= (mid == 3 ? 16 : 3);
1468 }
1469 }
1470return FALSE;
1471}
1472
4fb7df6d 1473#endif
9196d5bf
JH		 1474
1475
17c76198
PP		 1476/* Called from both server and client code. In the case of a server, errors
1477before actual TLS negotiation return DEFER.
059ec3d9
PH		 1478
1479Arguments:
17c76198
PP		 1480 host connected host, if client; NULL if server
1481 certificate certificate file
1482 privatekey private key file
1483 sni TLS SNI to send, sometimes when client; else NULL
1484 cas CA certs file
1485 crl CRL file
1486 require_ciphers tls_require_ciphers setting
817d9f57 1487 caller_state returned state-info structure
cf0c6164 1488 errstr error string pointer
059ec3d9 1489
17c76198 1490Returns: OK/DEFER/FAIL
059ec3d9
PH		 1491*/
1492
17c76198
PP		 1493static int
1494tls_init(
1495 const host_item *host,
1496 const uschar *certificate,
1497 const uschar *privatekey,
1498 const uschar *sni,
1499 const uschar *cas,
1500 const uschar *crl,
1501 const uschar *require_ciphers,
cf0c6164 1502 exim_gnutls_state_st **caller_state,
74f1a423 1503 tls_support * tlsp,
cf0c6164 1504 uschar ** errstr)
059ec3d9 1505{
00c0dd4e 1506exim_gnutls_state_st * state;
17c76198
PP		 1507int rc;
1508size_t sz;
00c0dd4e
JH		 1509const char * errpos;
1510const uschar * p;
17c76198
PP		 1511
1512if (!exim_gnutls_base_init_done)
059ec3d9 1513 {
17c76198
PP		 1514 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1515
9f707b89 1516#if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
a5f239e4
PP		 1517 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1518 which loads modules from a config file, which sounds good and may be wanted
1519 by some sysadmin, but also means in common configurations that GNOME keyring
1520 environment variables are used and so breaks for users calling mailq.
1521 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1522 if (!gnutls_allow_auto_pkcs11)
452a164f
JH		 1523 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
1524 return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
a5f239e4
PP		 1525#endif
1526
4d2a62a3 1527#ifndef GNUTLS_AUTO_GLOBAL_INIT
452a164f
JH		 1528 if ((rc = gnutls_global_init()))
1529 return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
4d2a62a3 1530#endif
17c76198
PP		 1531
1532#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1533 DEBUG(D_tls)
059ec3d9 1534 {
17c76198 1535 gnutls_global_set_log_function(exim_gnutls_logger_cb);
aded2255 1536 /* arbitrarily chosen level; bump up to 9 for more */
17c76198 1537 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1538 }
17c76198
PP		 1539#endif
1540
4fb7df6d
JH		 1541#ifndef DISABLE_OCSP
1542 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1543 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1544#endif
9196d5bf 1545
17c76198 1546 exim_gnutls_base_init_done = TRUE;
059ec3d9 1547 }
059ec3d9 1548
17c76198
PP		 1549if (host)
1550 {
74f1a423
JH		 1551 /* For client-side sessions we allocate a context. This lets us run
1552 several in parallel. */
1553 int old_pool = store_pool;
1554 store_pool = POOL_PERM;
f3ebb786 1555 state = store_get(sizeof(exim_gnutls_state_st), FALSE);
74f1a423
JH		 1556 store_pool = old_pool;
1557
17c76198 1558 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1559 state->tlsp = tlsp;
17c76198
PP		 1560 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1561 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1562 }
1563else
1564 {
1565 state = &state_server;
1566 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1567 state->tlsp = tlsp;
17c76198
PP		 1568 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1569 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1570 }
452a164f
JH		 1571if (rc)
1572 return tls_error_gnu(US"gnutls_init", rc, host, errstr);
059ec3d9 1573
17c76198 1574state->host = host;
059ec3d9 1575
17c76198
PP		 1576state->tls_certificate = certificate;
1577state->tls_privatekey = privatekey;
5779e6aa 1578state->tls_require_ciphers = require_ciphers;
17c76198
PP		 1579state->tls_sni = sni;
1580state->tls_verify_certificates = cas;
1581state->tls_crl = crl;
059ec3d9 1582
17c76198
PP		 1583/* This handles the variables that might get re-expanded after TLS SNI;
1584that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1585
17c76198
PP		 1586DEBUG(D_tls)
1587 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1588if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1589
1365611d
PP		 1590/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1591requires a new structure afterwards. */
83da1223 1592
cf0c6164 1593if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1594
17c76198
PP		 1595/* set SNI in client, only */
1596if (host)
1597 {
cf0c6164 1598 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1599 return DEFER;
0df4ab80 1600 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP		 1601 {
1602 DEBUG(D_tls)
0df4ab80
JH		 1603 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1604 sz = Ustrlen(state->tlsp->sni);
452a164f
JH		 1605 if ((rc = gnutls_server_name_set(state->session,
1606 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
1607 return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
17c76198
PP		 1608 }
1609 }
1610else if (state->tls_sni)
1611 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
ba86e143 1612 "have an SNI set for a server [%s]\n", state->tls_sni);
83da1223 1613
17c76198 1614/* This is the priority string support,
42bfef1e 1615http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP		 1616and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1617This was backwards incompatible, but means Exim no longer needs to track
1618all algorithms and provide string forms for them. */
83da1223 1619
fc243e94 1620p = NULL;
17c76198 1621if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1622 {
cf0c6164 1623 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP		 1624 return DEFER;
1625 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1626 {
17c76198 1627 p = state->exp_tls_require_ciphers;
fc243e94 1628 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
83da1223
PH		 1629 }
1630 }
fc243e94 1631if (!p)
17c76198 1632 {
fc243e94 1633 p = exim_default_gnutls_priority;
83e2f8a2 1634 DEBUG(D_tls)
fc243e94 1635 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
17c76198 1636 }
83da1223 1637
452a164f
JH		 1638if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
1639 return tls_error_gnu(string_sprintf(
1640 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1641 p, errpos - CS p, errpos),
1642 rc, host, errstr);
17c76198 1643
452a164f
JH		 1644if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
1645 return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
17c76198 1646
b10c87b3
JH		 1647/* This also sets the server ticket expiration time to the same, and
1648the STEK rotation time to 3x. */
1649
17c76198
PP		 1650gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1651
1652/* Reduce security in favour of increased compatibility, if the admin
1653decides to make that trade-off. */
1654if (gnutls_compat_mode)
83da1223 1655 {
17c76198
PP		 1656#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1657 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1658 gnutls_session_enable_compatibility_mode(state->session);
1659#else
1660 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1661#endif
83da1223
PH		 1662 }
1663
17c76198 1664*caller_state = state;
17c76198 1665return OK;
83da1223
PH		 1666}
1667
1668
1669
059ec3d9 1670/*************************************************
17c76198 1671* Extract peer information *
059ec3d9
PH		 1672*************************************************/
1673
f1be21cf
JH		 1674static const uschar *
1675cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
1676 gnutls_mac_algorithm_t mac)
1677{
1678uschar cs_id[2];
1679gnutls_kx_algorithm_t kx_i;
1680gnutls_cipher_algorithm_t cipher_i;
1681gnutls_mac_algorithm_t mac_i;
1682
1683for (size_t i = 0;
1684 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
1685 i++)
1686 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
1687 return cipher_stdname(cs_id[0], cs_id[1]);
1688return NULL;
1689}
1690
1691
1692
17c76198 1693/* Called from both server and client code.
4fe99a6c
PP		 1694Only this is allowed to set state->peerdn and state->have_set_peerdn
1695and we use that to detect double-calls.
059ec3d9 1696
75fe387d
PP		 1697NOTE: the state blocks last while the TLS connection is up, which is fine
1698for logging in the server side, but for the client side, we log after teardown
1699in src/deliver.c. While the session is up, we can twist about states and
1700repoint tls_* globals, but those variables used for logging or other variable
1701expansion that happens _after_ delivery need to have a longer life-time.
1702
1703So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1704doing this more than once per generation of a state context. We set them in
1705the state context, and repoint tls_* to them. After the state goes away, the
1706tls_* copies of the pointers remain valid and client delivery logging is happy.
1707
1708tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1709don't apply.
1710
059ec3d9 1711Arguments:
17c76198 1712 state exim_gnutls_state_st *
cf0c6164 1713 errstr pointer to error string
059ec3d9 1714
17c76198 1715Returns: OK/DEFER/FAIL
059ec3d9
PH		 1716*/
1717
17c76198 1718static int
b10c87b3 1719peer_status(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1720{
b10c87b3
JH		 1721gnutls_session_t session = state->session;
1722const gnutls_datum_t * cert_list;
75fe387d 1723int old_pool, rc;
17c76198 1724unsigned int cert_list_size = 0;
4fe99a6c
PP		 1725gnutls_protocol_t protocol;
1726gnutls_cipher_algorithm_t cipher;
1727gnutls_kx_algorithm_t kx;
1728gnutls_mac_algorithm_t mac;
17c76198
PP		 1729gnutls_certificate_type_t ct;
1730gnutls_x509_crt_t crt;
b10c87b3 1731uschar * dn_buf;
17c76198 1732size_t sz;
059ec3d9 1733
4fe99a6c 1734if (state->have_set_peerdn)
17c76198 1735 return OK;
4fe99a6c 1736state->have_set_peerdn = TRUE;
059ec3d9 1737
4fe99a6c 1738state->peerdn = NULL;
059ec3d9 1739
4fe99a6c 1740/* tls_cipher */
b10c87b3
JH		 1741cipher = gnutls_cipher_get(session);
1742protocol = gnutls_protocol_get_version(session);
1743mac = gnutls_mac_get(session);
b9c6f63c
JH		 1744kx =
1745#ifdef GNUTLS_TLS1_3
1746 protocol >= GNUTLS_TLS1_3 ? 0 :
1747#endif
b10c87b3 1748 gnutls_kx_get(session);
4fe99a6c 1749
75fe387d 1750old_pool = store_pool;
f1be21cf 1751 {
b10c87b3 1752 tls_support * tlsp = state->tlsp;
f1be21cf 1753 store_pool = POOL_PERM;
d9acfc1c
JH		 1754
1755#ifdef SUPPORT_GNUTLS_SESS_DESC
1756 {
1757 gstring * g = NULL;
b10c87b3 1758 uschar * s = US gnutls_session_get_desc(session), c;
d9acfc1c
JH		 1759
1760 /* Nikos M suggests we use this by preference. It returns like:
1761 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
1762
1763 For partial back-compat, put a colon after the TLS version, replace the
1764 )-( grouping with __, replace in-group - with _ and append the :keysize. */
1765
1766 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
1767
1768 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
1769 g = string_catn(g, US":", 1);
1770 if (*s) s++; /* now on _ between groups */
1771 while ((c = *s))
1772 {
1773 for (*++s && ++s; (c = *s) && c != ')'; s++) g = string_catn(g, c == '-' ? US"_" : s, 1);
1774 /* now on ) closing group */
1775 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
1776 /* now on _ between groups */
1777 }
1778 g = string_catn(g, US":", 1);
1779 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
1780 state->ciphersuite = string_from_gstring(g);
1781 }
1782#else
f1be21cf
JH		 1783 state->ciphersuite = string_sprintf("%s:%s:%d",
1784 gnutls_protocol_get_name(protocol),
1785 gnutls_cipher_suite_get_name(kx, cipher, mac),
1786 (int) gnutls_cipher_get_key_size(cipher) * 8);
1787
1788 /* I don't see a way that spaces could occur, in the current GnuTLS
1789 code base, but it was a concern in the old code and perhaps older GnuTLS
1790 releases did return "TLS 1.0"; play it safe, just in case. */
1791
1792 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
d9acfc1c
JH		 1793#endif
1794
1795/* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
1796
b10c87b3
JH		 1797 tlsp->cipher = state->ciphersuite;
1798 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
f1be21cf 1799
b10c87b3 1800 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
f1be21cf 1801 }
75fe387d 1802store_pool = old_pool;
4fe99a6c
PP		 1803
1804/* tls_peerdn */
b10c87b3 1805cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
83da1223 1806
f1be21cf 1807if (!cert_list || cert_list_size == 0)
17c76198 1808 {
17c76198
PP		 1809 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1810 cert_list, cert_list_size);
e51c7be2 1811 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1812 return tls_error(US"certificate verification failed",
48224640 1813 US"no certificate received from peer", state->host, errstr);
17c76198
PP		 1814 return OK;
1815 }
059ec3d9 1816
b10c87b3 1817if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
059ec3d9 1818 {
95f52235 1819 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
17c76198
PP		 1820 DEBUG(D_tls)
1821 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1822 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1823 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1824 ctn, state->host, errstr);
17c76198 1825 return OK;
83da1223 1826 }
059ec3d9 1827
e51c7be2
JH		 1828#define exim_gnutls_peer_err(Label) \
1829 do { \
1830 if (rc != GNUTLS_E_SUCCESS) \
1831 { \
1832 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1833 (Label), gnutls_strerror(rc)); \
1834 if (state->verify_requirement >= VERIFY_REQUIRED) \
452a164f 1835 return tls_error_gnu((Label), rc, state->host, errstr); \
e51c7be2
JH		 1836 return OK; \
1837 } \
1838 } while (0)
17c76198 1839
9d1c15ef
JH		 1840rc = import_cert(&cert_list[0], &crt);
1841exim_gnutls_peer_err(US"cert 0");
1842
1843state->tlsp->peercert = state->peercert = crt;
17c76198 1844
17c76198
PP		 1845sz = 0;
1846rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1847if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1848 {
17c76198
PP		 1849 exim_gnutls_peer_err(US"getting size for cert DN failed");
1850 return FAIL; /* should not happen */
059ec3d9 1851 }
f3ebb786 1852dn_buf = store_get_perm(sz, TRUE); /* tainted */
17c76198
PP		 1853rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1854exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1855
17c76198
PP		 1856state->peerdn = dn_buf;
1857
1858return OK;
1859#undef exim_gnutls_peer_err
1860}
059ec3d9 1861
059ec3d9 1862
059ec3d9 1863
059ec3d9 1864
17c76198
PP		 1865/*************************************************
1866* Verify peer certificate *
1867*************************************************/
059ec3d9 1868
17c76198
PP		 1869/* Called from both server and client code.
1870*Should* be using a callback registered with
1871gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1872the peer information, but that's too new for some OSes.
059ec3d9 1873
17c76198 1874Arguments:
899b8bbc
JH		 1875 state exim_gnutls_state_st *
1876 errstr where to put an error message
059ec3d9 1877
17c76198
PP		 1878Returns:
1879 FALSE if the session should be rejected
1880 TRUE if the cert is okay or we just don't care
1881*/
059ec3d9 1882
17c76198 1883static BOOL
28646fa9 1884verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
17c76198
PP		 1885{
1886int rc;
899b8bbc
JH		 1887uint verify;
1888
8008accd 1889DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
cf0c6164 1890*errstr = NULL;
b10c87b3 1891rc = peer_status(state, errstr);
17c76198 1892
b10c87b3
JH		 1893if (state->verify_requirement == VERIFY_NONE)
1894 return TRUE;
1895
1896if (rc != OK || !state->peerdn)
e6060e2c 1897 {
17c76198 1898 verify = GNUTLS_CERT_INVALID;
cf0c6164 1899 *errstr = US"certificate not supplied";
17c76198
PP		 1900 }
1901else
899b8bbc
JH		 1902
1903 {
1904#ifdef SUPPORT_DANE
1905 if (state->verify_requirement == VERIFY_DANE && state->host)
1906 {
1907 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1908 including talking to a DNS resolver. But we want to do that bit ourselves
1909 as the testsuite intercepts and fakes its own DNS environment. */
1910
1911 dane_state_t s;
1912 dane_query_t r;
899b8bbc 1913 uint lsize;
94c13285
JH		 1914 const gnutls_datum_t * certlist =
1915 gnutls_certificate_get_peers(state->session, &lsize);
1916 int usage = tls_out.tlsa_usage;
1917
1918# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1919 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1920 dane-verification separately so that we know which selector verified;
570cb1bd 1921 then we know whether to do name-verification (needed for TA but not EE). */
94c13285
JH		 1922
1923 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
bd5b3f3c 1924 { /* a mixed-usage bundle */
94c13285
JH		 1925 int i, j, nrec;
1926 const char ** dd;
1927 int * ddl;
1928
1929 for(nrec = 0; state->dane_data_len[nrec]; ) nrec++;
1930 nrec++;
1931
f3ebb786
JH		 1932 dd = store_get(nrec * sizeof(uschar *), FALSE);
1933 ddl = store_get(nrec * sizeof(int), FALSE);
94c13285
JH		 1934 nrec--;
1935
1936 if ((rc = dane_state_init(&s, 0)))
1937 goto tlsa_prob;
1938
1939 for (usage = DANESSL_USAGE_DANE_EE;
1940 usage >= DANESSL_USAGE_DANE_TA; usage--)
1941 { /* take records with this usage */
1942 for (j = i = 0; i < nrec; i++)
1943 if (state->dane_data[i][0] == usage)
1944 {
1945 dd[j] = state->dane_data[i];
1946 ddl[j++] = state->dane_data_len[i];
1947 }
1948 if (j)
1949 {
1950 dd[j] = NULL;
1951 ddl[j] = 0;
1952
1953 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1954 goto tlsa_prob;
1955
1956 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1957 gnutls_certificate_type_get(state->session),
1958 r, 0,
1959 usage == DANESSL_USAGE_DANE_EE
1960 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1961 &verify)))
1962 {
1963 DEBUG(D_tls)
1964 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1965 }
1966 else if (verify == 0) /* verification passed */
1967 {
1968 usage = 1 << usage;
1969 break;
1970 }
1971 }
1972 }
899b8bbc 1973
94c13285
JH		 1974 if (rc) goto tlsa_prob;
1975 }
1976 else
1977# endif
899b8bbc 1978 {
94c13285
JH		 1979 if ( (rc = dane_state_init(&s, 0))
1980 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
1981 1, 0))
1982 || (rc = dane_verify_crt_raw(s, certlist, lsize,
1983 gnutls_certificate_type_get(state->session),
5ec37a55 1984 r, 0,
94c13285
JH		 1985# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1986 usage == (1 << DANESSL_USAGE_DANE_EE)
1987 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1988# else
1989 0,
1990# endif
1991 &verify))
1992 )
1993 goto tlsa_prob;
899b8bbc 1994 }
94c13285
JH		 1995
1996 if (verify != 0) /* verification failed */
899b8bbc
JH		 1997 {
1998 gnutls_datum_t str;
1999 (void) dane_verification_status_print(verify, &str, 0);
2000 *errstr = US str.data; /* don't bother to free */
2001 goto badcert;
2002 }
28646fa9 2003
94c13285
JH		 2004# ifdef GNUTLS_BROKEN_DANE_VALIDATION
2005 /* If a TA-mode TLSA record was used for verification we must additionally
570cb1bd 2006 verify the cert name (but not the CA chain). For EE-mode, skip it. */
28646fa9 2007
94c13285
JH		 2008 if (usage & (1 << DANESSL_USAGE_DANE_EE))
2009# endif
28646fa9 2010 {
570cb1bd 2011 state->peer_dane_verified = state->peer_cert_verified = TRUE;
28646fa9
JH		 2012 goto goodcert;
2013 }
570cb1bd
JH		 2014# ifdef GNUTLS_BROKEN_DANE_VALIDATION
2015 /* Assume that the name on the A-record is the one that should be matching
2016 the cert. An alternate view is that the domain part of the email address
2017 is also permissible. */
2018
2019 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2020 CS state->host->name))
2021 {
2022 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2023 goto goodcert;
2024 }
2025# endif
899b8bbc 2026 }
570cb1bd 2027#endif /*SUPPORT_DANE*/
899b8bbc 2028
17c76198 2029 rc = gnutls_certificate_verify_peers2(state->session, &verify);
899b8bbc 2030 }
e6060e2c 2031
899b8bbc 2032/* Handle the result of verification. INVALID is set if any others are. */
059ec3d9 2033
28646fa9 2034if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
17c76198
PP		 2035 {
2036 state->peer_cert_verified = FALSE;
cf0c6164 2037 if (!*errstr)
184384c3
JH		 2038 {
2039#ifdef GNUTLS_CERT_VFY_STATUS_PRINT
2040 DEBUG(D_tls)
2041 {
2042 gnutls_datum_t txt;
2043
2044 if (gnutls_certificate_verification_status_print(verify,
2045 gnutls_certificate_type_get(state->session), &txt, 0)
2046 == GNUTLS_E_SUCCESS)
2047 {
2048 debug_printf("%s\n", txt.data);
2049 gnutls_free(txt.data);
2050 }
2051 }
2052#endif
cf0c6164
JH		 2053 *errstr = verify & GNUTLS_CERT_REVOKED
2054 ? US"certificate revoked" : US"certificate invalid";
184384c3 2055 }
059ec3d9 2056
17c76198 2057 DEBUG(D_tls)
e51c7be2 2058 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 2059 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 2060
e51c7be2 2061 if (state->verify_requirement >= VERIFY_REQUIRED)
899b8bbc 2062 goto badcert;
17c76198 2063 DEBUG(D_tls)
4789da3a 2064 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 2065 }
e51c7be2 2066
17c76198
PP		 2067else
2068 {
5fd28bb8
JH		 2069 /* Client side, check the server's certificate name versus the name on the
2070 A-record for the connection we made. What to do for server side - what name
2071 to use for client? We document that there is no such checking for server
2072 side. */
2073
2074 if ( state->exp_tls_verify_cert_hostnames
2075 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2076 CS state->exp_tls_verify_cert_hostnames)
2077 )
e51c7be2 2078 {
5fd28bb8
JH		 2079 DEBUG(D_tls)
2080 debug_printf("TLS certificate verification failed: cert name mismatch\n");
2081 if (state->verify_requirement >= VERIFY_REQUIRED)
2082 goto badcert;
2083 return TRUE;
e51c7be2 2084 }
5fd28bb8 2085
17c76198 2086 state->peer_cert_verified = TRUE;
e51c7be2 2087 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 2088 state->peerdn ? state->peerdn : US"<unset>");
17c76198 2089 }
059ec3d9 2090
28646fa9
JH		 2091goodcert:
2092 state->tlsp->peerdn = state->peerdn;
2093 return TRUE;
899b8bbc 2094
b83314e3 2095#ifdef SUPPORT_DANE
94c13285 2096tlsa_prob:
624f33df
JH		 2097 *errstr = string_sprintf("TLSA record problem: %s",
2098 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
b83314e3
JH		 2099#endif
2100
899b8bbc
JH		 2101badcert:
2102 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
2103 return FALSE;
17c76198 2104}
059ec3d9 2105
17c76198
PP		 2106
2107
2108
2109/* ------------------------------------------------------------------------ */
2110/* Callbacks */
2111
2112/* Logging function which can be registered with
2113 * gnutls_global_set_log_function()
2114 * gnutls_global_set_log_level() 0..9
2115 */
af3498d6 2116#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 2117static void
17c76198 2118exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 2119{
8c79eebf
PP		 2120 size_t len = strlen(message);
2121 if (len < 1)
2122 {
2123 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
2124 return;
2125 }
2126 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
2127 message[len-1] == '\n' ? "" : "\n");
17c76198 2128}
af3498d6 2129#endif
059ec3d9 2130
059ec3d9 2131
17c76198
PP		 2132/* Called after client hello, should handle SNI work.
2133This will always set tls_sni (state->received_sni) if available,
2134and may trigger presenting different certificates,
2135if state->trigger_sni_changes is TRUE.
059ec3d9 2136
17c76198
PP		 2137Should be registered with
2138 gnutls_handshake_set_post_client_hello_function()
059ec3d9 2139
17c76198
PP		 2140"This callback must return 0 on success or a gnutls error code to terminate the
2141handshake.".
059ec3d9 2142
17c76198
PP		 2143For inability to get SNI information, we return 0.
2144We only return non-zero if re-setup failed.
817d9f57 2145Only used for server-side TLS.
17c76198 2146*/
44bbabb5 2147
17c76198
PP		 2148static int
2149exim_sni_handling_cb(gnutls_session_t session)
2150{
2151char sni_name[MAX_HOST_LEN];
2152size_t data_len = MAX_HOST_LEN;
817d9f57 2153exim_gnutls_state_st *state = &state_server;
17c76198
PP		 2154unsigned int sni_type;
2155int rc, old_pool;
cf0c6164 2156uschar * dummy_errstr;
17c76198
PP		 2157
2158rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP		 2159if (rc != GNUTLS_E_SUCCESS)
2160 {
8775d84f 2161 DEBUG(D_tls)
b34fc30c
PP		 2162 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
2163 debug_printf("TLS: no SNI presented in handshake.\n");
2164 else
2165 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
2166 gnutls_strerror(rc), rc);
b34fc30c
PP		 2167 return 0;
2168 }
2169
17c76198
PP		 2170if (sni_type != GNUTLS_NAME_DNS)
2171 {
2172 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
2173 return 0;
2174 }
44bbabb5 2175
17c76198
PP		 2176/* We now have a UTF-8 string in sni_name */
2177old_pool = store_pool;
2178store_pool = POOL_PERM;
89a80675 2179state->received_sni = string_copy_taint(US sni_name, TRUE);
17c76198
PP		 2180store_pool = old_pool;
2181
2182/* We set this one now so that variable expansions below will work */
817d9f57 2183state->tlsp->sni = state->received_sni;
17c76198
PP		 2184
2185DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
2186 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
2187
2188if (!state->trigger_sni_changes)
2189 return 0;
2190
cf0c6164 2191if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP		 2192 {
2193 /* If the setup of certs/etc failed before handshake, TLS would not have
2194 been offered. The best we can do now is abort. */
2195 return GNUTLS_E_APPLICATION_ERROR_MIN;
2196 }
2197
cf0c6164 2198rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP		 2199if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
2200
2201return 0;
059ec3d9
PH		 2202}
2203
2204
2205
0cbf2b82 2206#ifndef DISABLE_EVENT
a7538db1
JH		 2207/*
2208We use this callback to get observability and detail-level control
723fe533
JH		 2209for an exim TLS connection (either direction), raising a tls:cert event
2210for each cert in the chain presented by the peer. Any event
a7538db1
JH		 2211can deny verification.
2212
2213Return 0 for the handshake to continue or non-zero to terminate.
2214*/
2215
2216static int
723fe533 2217verify_cb(gnutls_session_t session)
a7538db1 2218{
27f19eb4 2219const gnutls_datum_t * cert_list;
a7538db1
JH		 2220unsigned int cert_list_size = 0;
2221gnutls_x509_crt_t crt;
2222int rc;
b30275b8 2223uschar * yield;
a7538db1
JH		 2224exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2225
bd5b3f3c 2226if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
a7538db1
JH		 2227 while (cert_list_size--)
2228 {
bd5b3f3c 2229 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
a7538db1
JH		 2230 {
2231 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2232 cert_list_size, gnutls_strerror(rc));
2233 break;
2234 }
2235
2236 state->tlsp->peercert = crt;
b30275b8
JH		 2237 if ((yield = event_raise(state->event_action,
2238 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH		 2239 {
2240 log_write(0, LOG_MAIN,
b30275b8
JH		 2241 "SSL verify denied by event-action: depth=%d: %s",
2242 cert_list_size, yield);
a7538db1
JH		 2243 return 1; /* reject */
2244 }
2245 state->tlsp->peercert = NULL;
2246 }
2247
2248return 0;
2249}
2250
2251#endif
44662487
JH		 2252
2253
f20cfa4a
JH		 2254static gstring *
2255ddump(gnutls_datum_t * d)
2256{
2257gstring * g = string_get((d->size+1) * 2);
2258uschar * s = d->data;
2259for (unsigned i = d->size; i > 0; i--, s++)
2260 {
2261 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2262 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2263 }
2264return g;
2265}
17c76198 2266
dc6d1769
JH		 2267static void
2268post_handshake_debug(exim_gnutls_state_st * state)
2269{
dc6d1769
JH		 2270#ifdef SUPPORT_GNUTLS_SESS_DESC
2271debug_printf("%s\n", gnutls_session_get_desc(state->session));
2272#endif
e326959e 2273
86ede124 2274#ifdef SUPPORT_GNUTLS_KEYLOG
e326959e 2275# ifdef EXIM_HAVE_TLS1_3
dc6d1769 2276if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
86ede124 2277# else
a8af957d 2278if (TRUE)
86ede124 2279# endif
dc6d1769
JH		 2280 {
2281 gnutls_datum_t c, s;
2282 gstring * gc, * gs;
86ede124 2283 /* For TLS1.2 we only want the client random and the master secret */
dc6d1769
JH		 2284 gnutls_session_get_random(state->session, &c, &s);
2285 gnutls_session_get_master_secret(state->session, &s);
2286 gc = ddump(&c);
2287 gs = ddump(&s);
2288 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2289 }
2290else
2291 debug_printf("To get keying info for TLS1.3 is hard:\n"
2292 " set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n"
2293 " add SSLKEYLOGFILE to keep_environment in the exim config\n"
2294 " run exim as root\n"
e326959e 2295 " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
86ede124
JH		 2296 " (works for TLS1.2 also, and saves cut-paste into file)"
2297 " Trying to use add_environment for this will not work\n");
dc6d1769
JH		 2298#endif
2299}
2300
b10c87b3
JH		 2301
2302#ifdef EXPERIMENTAL_TLS_RESUME
2303static int
2304tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2305 unsigned incoming, const gnutls_datum_t * msg)
2306{
2307DEBUG(D_tls) debug_printf("newticket cb\n");
2308tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2309return 0;
2310}
2311
2312static void
2313tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2314{
2315/* Should the server offer session resumption? */
2316tls_in.resumption = RESUME_SUPPORTED;
2317if (verify_check_host(&tls_resumption_hosts) == OK)
2318 {
2319 int rc;
2320 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2321 an offered resumption is unacceptable. We lose one resumption per ticket
2322 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2323 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2324 least they go out in a single packet. */
2325
2326 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2327 &server_sessticket_key)))
2328 tls_in.resumption |= RESUME_SERVER_TICKET;
2329 else
2330 DEBUG(D_tls)
2331 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2332
2333 /* Try to tell if we see a ticket request */
2334 gnutls_handshake_set_hook_function(state->session,
e5489333 2335 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
b10c87b3
JH		 2336 }
2337}
2338
2339static void
2340tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2341{
2342if (gnutls_session_resumption_requested(state->session))
2343 {
2344 /* This tells us the client sent a full ticket. We use a
2345 callback on session-ticket request, elsewhere, to tell
2346 if a client asked for a ticket. */
2347
2348 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2349 DEBUG(D_tls) debug_printf("client requested resumption\n");
2350 }
2351if (gnutls_session_is_resumed(state->session))
2352 {
2353 tls_in.resumption |= RESUME_USED;
2354 DEBUG(D_tls) debug_printf("Session resumed\n");
2355 }
2356}
2357#endif
17c76198
PP		 2358/* ------------------------------------------------------------------------ */
2359/* Exported functions */
2360
2361
2362
2363
059ec3d9
PH		 2364/*************************************************
2365* Start a TLS session in a server *
2366*************************************************/
2367
2368/* This is called when Exim is running as a server, after having received
2369the STARTTLS command. It must respond to that command, and then negotiate
2370a TLS session.
2371
2372Arguments:
83da1223 2373 require_ciphers list of allowed ciphers or NULL
cf0c6164 2374 errstr pointer to error string
059ec3d9
PH		 2375
2376Returns: OK on success
2377 DEFER for errors before the start of the negotiation
4c04137d 2378 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 2379 continue running.
2380*/
2381
2382int
cf0c6164 2383tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 2384{
2385int rc;
cf0c6164 2386exim_gnutls_state_st * state = NULL;
059ec3d9
PH		 2387
2388/* Check for previous activation */
74f1a423 2389if (tls_in.active.sock >= 0)
059ec3d9 2390 {
48224640 2391 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
925ac8e4 2392 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 2393 return FAIL;
2394 }
2395
2396/* Initialize the library. If it fails, it will already have logged the error
2397and sent an SMTP response. */
2398
17c76198 2399DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 2400
cf0c6164 2401if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
17c76198 2402 NULL, tls_verify_certificates, tls_crl,
74f1a423 2403 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
059ec3d9 2404
b10c87b3
JH		 2405#ifdef EXPERIMENTAL_TLS_RESUME
2406tls_server_resume_prehandshake(state);
2407#endif
2408
059ec3d9
PH		 2409/* If this is a host for which certificate verification is mandatory or
2410optional, set up appropriately. */
2411
059ec3d9 2412if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 2413 {
e51c7be2
JH		 2414 DEBUG(D_tls)
2415 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP		 2416 state->verify_requirement = VERIFY_REQUIRED;
2417 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2418 }
059ec3d9 2419else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 2420 {
e51c7be2
JH		 2421 DEBUG(D_tls)
2422 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP		 2423 state->verify_requirement = VERIFY_OPTIONAL;
2424 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2425 }
2426else
2427 {
e51c7be2
JH		 2428 DEBUG(D_tls)
2429 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP		 2430 state->verify_requirement = VERIFY_NONE;
2431 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2432 }
059ec3d9 2433
0cbf2b82 2434#ifndef DISABLE_EVENT
723fe533
JH		 2435if (event_action)
2436 {
2437 state->event_action = event_action;
2438 gnutls_session_set_ptr(state->session, state);
2439 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2440 }
2441#endif
2442
17c76198
PP		 2443/* Register SNI handling; always, even if not in tls_certificate, so that the
2444expansion variable $tls_sni is always available. */
059ec3d9 2445
17c76198
PP		 2446gnutls_handshake_set_post_client_hello_function(state->session,
2447 exim_sni_handling_cb);
059ec3d9
PH		 2448
2449/* Set context and tell client to go ahead, except in the case of TLS startup
2450on connection, where outputting anything now upsets the clients and tends to
2451make them disconnect. We need to have an explicit fflush() here, to force out
2452the response. Other smtp_printf() calls do not need it, because in non-TLS
2453mode, the fflush() happens when smtp_getc() is called. */
2454
817d9f57 2455if (!state->tlsp->on_connect)
059ec3d9 2456 {
925ac8e4 2457 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 2458 fflush(smtp_out);
059ec3d9
PH		 2459 }
2460
2461/* Now negotiate the TLS session. We put our own timer on it, since it seems
8008accd
JH		 2462that the GnuTLS library doesn't.
2463From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2464to set (and clear down afterwards) up a pull-timeout callback function that does
2465a select, so we're no better off unless avoiding signals becomes an issue. */
059ec3d9 2466
17c76198 2467gnutls_transport_set_ptr2(state->session,
27f19eb4
JH		 2468 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2469 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP		 2470state->fd_in = fileno(smtp_in);
2471state->fd_out = fileno(smtp_out);
059ec3d9
PH		 2472
2473sigalrm_seen = FALSE;
c2a1bba0 2474if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
17c76198 2475do
17c76198 2476 rc = gnutls_handshake(state->session);
157a7880 2477while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2478ALARM_CLR(0);
059ec3d9 2479
17c76198 2480if (rc != GNUTLS_E_SUCCESS)
059ec3d9 2481 {
059ec3d9
PH		 2482 /* It seems that, except in the case of a timeout, we have to close the
2483 connection right here; otherwise if the other end is running OpenSSL it hangs
2484 until the server times out. */
2485
60d10ce7 2486 if (sigalrm_seen)
ad7fc6eb 2487 {
48224640 2488 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
ad7fc6eb
JH		 2489 gnutls_db_remove_session(state->session);
2490 }
60d10ce7 2491 else
059ec3d9 2492 {
452a164f 2493 tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
f5d25c2b 2494 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 2495 gnutls_deinit(state->session);
ed62aae3 2496 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 2497 millisleep(500);
ad7fc6eb 2498 shutdown(state->fd_out, SHUT_WR);
d7978c0f 2499 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
f1e894f3
PH		 2500 (void)fclose(smtp_out);
2501 (void)fclose(smtp_in);
60d10ce7 2502 smtp_out = smtp_in = NULL;
059ec3d9
PH		 2503 }
2504
2505 return FAIL;
2506 }
2507
b10c87b3
JH		 2508#ifdef EXPERIMENTAL_TLS_RESUME
2509tls_server_resume_posthandshake(state);
2510#endif
2511
dc6d1769 2512DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2513
17c76198
PP		 2514/* Verify after the fact */
2515
899b8bbc 2516if (!verify_certificate(state, errstr))
059ec3d9 2517 {
9d1c15ef 2518 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 2519 {
cf0c6164 2520 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 2521 return FAIL;
17c76198 2522 }
9d1c15ef
JH		 2523 DEBUG(D_tls)
2524 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 2525 *errstr);
059ec3d9
PH		 2526 }
2527
17c76198
PP		 2528/* Sets various Exim expansion variables; always safe within server */
2529
9d1c15ef 2530extract_exim_vars_from_tls_state(state);
059ec3d9
PH		 2531
2532/* TLS has been set up. Adjust the input functions to read via TLS,
2533and initialize appropriately. */
2534
17c76198 2535state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH		 2536
2537receive_getc = tls_getc;
0d81dabc 2538receive_getbuf = tls_getbuf;
584e96c6 2539receive_get_cache = tls_get_cache;
059ec3d9
PH		 2540receive_ungetc = tls_ungetc;
2541receive_feof = tls_feof;
2542receive_ferror = tls_ferror;
58eb016e 2543receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2544
059ec3d9
PH		 2545return OK;
2546}
2547
2548
2549
2550
aa2a70ba
JH		 2551static void
2552tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2553 smtp_transport_options_block * ob)
2554{
3fb3231c 2555if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 2556 {
4af0d74a 2557 state->exp_tls_verify_cert_hostnames =
8c5d388a 2558#ifdef SUPPORT_I18N
4af0d74a
JH		 2559 string_domain_utf8_to_alabel(host->name, NULL);
2560#else
2561 host->name;
2562#endif
aa2a70ba
JH		 2563 DEBUG(D_tls)
2564 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2565 state->exp_tls_verify_cert_hostnames);
2566 }
2567}
aa2a70ba
JH		 2568
2569
899b8bbc
JH		 2570
2571
2572#ifdef SUPPORT_DANE
2573/* Given our list of RRs from the TLSA lookup, build a lookup block in
2574GnuTLS-DANE's preferred format. Hang it on the state str for later
2575use in DANE verification.
2576
2577We point at the dnsa data not copy it, so it must remain valid until
2578after verification is done.*/
2579
3674140c 2580static BOOL
899b8bbc
JH		 2581dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2582{
899b8bbc
JH		 2583dns_scan dnss;
2584int i;
2585const char ** dane_data;
2586int * dane_data_len;
2587
d7978c0f
JH		 2588i = 1;
2589for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc
JH		 2590 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2591 ) if (rr->type == T_TLSA) i++;
2592
f3ebb786
JH		 2593dane_data = store_get(i * sizeof(uschar *), FALSE);
2594dane_data_len = store_get(i * sizeof(int), FALSE);
899b8bbc 2595
d7978c0f
JH		 2596i = 0;
2597for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc 2598 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2599 ) if (rr->type == T_TLSA && rr->size > 3)
899b8bbc
JH		 2600 {
2601 const uschar * p = rr->data;
f3ebb786 2602/*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
3674140c
JH		 2603 uint8_t usage = p[0], sel = p[1], type = p[2];
2604
2605 DEBUG(D_tls)
2606 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2607
94c13285
JH		 2608 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2609 || (sel != 0 && sel != 1)
2610 )
2611 continue;
3674140c
JH		 2612 switch(type)
2613 {
2614 case 0: /* Full: cannot check at present */
2615 break;
2616 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2617 break;
2618 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2619 break;
2620 default: continue;
2621 }
899b8bbc
JH		 2622
2623 tls_out.tlsa_usage |= 1<<usage;
48224640 2624 dane_data[i] = CS p;
899b8bbc
JH		 2625 dane_data_len[i++] = rr->size;
2626 }
3674140c
JH		 2627
2628if (!i) return FALSE;
2629
899b8bbc
JH		 2630dane_data[i] = NULL;
2631dane_data_len[i] = 0;
2632
2633state->dane_data = (char * const *)dane_data;
2634state->dane_data_len = dane_data_len;
3674140c 2635return TRUE;
899b8bbc
JH		 2636}
2637#endif
2638
2639
2640
b10c87b3
JH		 2641#ifdef EXPERIMENTAL_TLS_RESUME
2642/* On the client, get any stashed session for the given IP from hints db
2643and apply it to the ssl-connection for attempted resumption. Although
2644there is a gnutls_session_ticket_enable_client() interface it is
2645documented as unnecessary (as of 3.6.7) as "session tickets are emabled
2646by deafult". There seems to be no way to disable them, so even hosts not
2647enabled by the transport option will be sent a ticket request. We will
2648however avoid storing and retrieving session information. */
2649
2650static void
2651tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
2652 host_item * host, smtp_transport_options_block * ob)
2653{
2654tlsp->resumption = RESUME_SUPPORTED;
2655if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2656 {
2657 dbdata_tls_session * dt;
2658 int len, rc;
2659 open_db dbblock, * dbm_file;
2660
2661 DEBUG(D_tls)
2662 debug_printf("check for resumable session for %s\n", host->address);
2663 tlsp->host_resumable = TRUE;
2664 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2665 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2666 {
dea4b568
JH		 2667 /* Key for the db is the IP. We'd like to filter the retrieved session
2668 for ticket advisory expiry, but 3.6.1 seems to give no access to that */
2669
b10c87b3
JH		 2670 if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
2671 if (!(rc = gnutls_session_set_data(session,
2672 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
2673 {
2674 DEBUG(D_tls) debug_printf("good session\n");
2675 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2676 }
2677 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
2678 US gnutls_strerror(rc));
2679 dbfn_close(dbm_file);
2680 }
2681 }
2682}
2683
2684
2685static void
2686tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
2687{
2688/* TLS 1.2 - we get both the callback and the direct posthandshake call,
2689but this flag is not set until the second. TLS 1.3 it's the other way about.
2690Keep both calls as the session data cannot be extracted before handshake
2691completes. */
2692
2693if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
2694 {
2695 gnutls_datum_t tkt;
2696 int rc;
2697
2698 DEBUG(D_tls) debug_printf("server offered session ticket\n");
2699 tlsp->ticket_received = TRUE;
2700 tlsp->resumption |= RESUME_SERVER_TICKET;
2701
2702 if (tlsp->host_resumable)
2703 if (!(rc = gnutls_session_get_data2(session, &tkt)))
2704 {
2705 open_db dbblock, * dbm_file;
2706 int dlen = sizeof(dbdata_tls_session) + tkt.size;
f3ebb786 2707 dbdata_tls_session * dt = store_get(dlen, TRUE);
b10c87b3
JH		 2708
2709 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
2710 memcpy(dt->session, tkt.data, tkt.size);
2711 gnutls_free(tkt.data);
2712
2713 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2714 {
2715 /* key for the db is the IP */
2716 dbfn_delete(dbm_file, host->address);
2717 dbfn_write(dbm_file, host->address, dt, dlen);
2718 dbfn_close(dbm_file);
2719
2720 DEBUG(D_tls)
2721 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
2722 }
2723 }
2724 else DEBUG(D_tls)
2725 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
2726 }
2727}
2728
2729
2730/* With a TLS1.3 session, the ticket(s) are not seen until
2731the first data read is attempted. And there's often two of them.
2732Pick them up with this callback. We are also called for 1.2
2733but we do nothing.
2734*/
2735static int
2736tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2737 unsigned incoming, const gnutls_datum_t * msg)
2738{
2739exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
2740tls_support * tlsp = state->tlsp;
2741
2742DEBUG(D_tls) debug_printf("newticket cb\n");
2743
2744if (!tlsp->ticket_received)
2745 tls_save_session(tlsp, sess, state->host);
2746return 0;
2747}
2748
2749
2750static void
2751tls_client_resume_prehandshake(exim_gnutls_state_st * state,
2752 tls_support * tlsp, host_item * host,
2753 smtp_transport_options_block * ob)
2754{
2755gnutls_session_set_ptr(state->session, state);
2756gnutls_handshake_set_hook_function(state->session,
2757 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
2758
2759tls_retrieve_session(tlsp, state->session, host, ob);
2760}
2761
2762static void
2763tls_client_resume_posthandshake(exim_gnutls_state_st * state,
2764 tls_support * tlsp, host_item * host)
2765{
2766if (gnutls_session_is_resumed(state->session))
2767 {
2768 DEBUG(D_tls) debug_printf("Session resumed\n");
2769 tlsp->resumption |= RESUME_USED;
2770 }
2771
2772tls_save_session(tlsp, state->session, host);
2773}
2774#endif /* EXPERIMENTAL_TLS_RESUME */
2775
2776
059ec3d9
PH		 2777/*************************************************
2778* Start a TLS session in a client *
2779*************************************************/
2780
2781/* Called from the smtp transport after STARTTLS has been accepted.
2782
2783Arguments:
c05bdbd6
JH		 2784 cctx connection context
2785 conn_args connection details
2786 cookie datum for randomness (not used)
2787 tlsp record details of channel configuration here; must be non-NULL
2788 errstr error string pointer
2789
2790Returns: TRUE for success with TLS session context set in smtp context,
2791 FALSE on error
059ec3d9
PH		 2792*/
2793
c05bdbd6
JH		 2794BOOL
2795tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2796 void * cookie ARG_UNUSED,
2797 tls_support * tlsp, uschar ** errstr)
059ec3d9 2798{
c05bdbd6
JH		 2799host_item * host = conn_args->host; /* for msgs and option-tests */
2800transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2801smtp_transport_options_block * ob = tb
afdb5e9c
JH		 2802 ? (smtp_transport_options_block *)tb->options_block
2803 : &smtp_transport_option_defaults;
059ec3d9 2804int rc;
899b8bbc 2805exim_gnutls_state_st * state = NULL;
c05bdbd6 2806uschar * cipher_list = NULL;
74f1a423 2807
f2de3a33 2808#ifndef DISABLE_OCSP
5130845b 2809BOOL require_ocsp =
3fb3231c 2810 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
44662487 2811BOOL request_ocsp = require_ocsp ? TRUE
3fb3231c 2812 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2b4a568d 2813#endif
059ec3d9 2814
c05bdbd6 2815DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
059ec3d9 2816
5ec37a55 2817#ifdef SUPPORT_DANE
c05bdbd6
JH		 2818/* If dane is flagged, have either request or require dane for this host, and
2819a TLSA record found. Therefore, dane verify required. Which implies cert must
2820be requested and supplied, dane verify must pass, and cert verify irrelevant
2821(incl. hostnames), and (caller handled) require_tls */
2822
2823if (conn_args->dane && ob->dane_require_tls_ciphers)
5ec37a55
PP		 2824 {
2825 /* not using expand_check_tlsvar because not yet in state */
2826 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2827 &cipher_list, errstr))
c05bdbd6 2828 return FALSE;
cf260049
JH		 2829 cipher_list = cipher_list && *cipher_list
2830 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
5ec37a55
PP		 2831 }
2832#endif
2833
2834if (!cipher_list)
2835 cipher_list = ob->tls_require_ciphers;
2836
74f1a423 2837if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
65867078 2838 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
74f1a423 2839 cipher_list, &state, tlsp, errstr) != OK)
c05bdbd6 2840 return FALSE;
059ec3d9 2841
54c90be1 2842 {
65867078
JH		 2843 int dh_min_bits = ob->tls_dh_min_bits;
2844 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2845 {
2846 DEBUG(D_tls)
2847 debug_printf("WARNING: tls_dh_min_bits far too low,"
2848 " clamping %d up to %d\n",
2849 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2850 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2851 }
54c90be1 2852
65867078
JH		 2853 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2854 " acceptable bits to %d\n",
2855 dh_min_bits);
2856 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2857 }
83da1223 2858
94431adb 2859/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH		 2860set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2861the specified host patterns if one of them is defined */
2862
899b8bbc 2863#ifdef SUPPORT_DANE
c05bdbd6 2864if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
899b8bbc
JH		 2865 {
2866 DEBUG(D_tls)
2867 debug_printf("TLS: server certificate DANE required.\n");
2868 state->verify_requirement = VERIFY_DANE;
2869 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
899b8bbc
JH		 2870 }
2871else
2872#endif
2873 if ( ( state->exp_tls_verify_certificates
2874 && !ob->tls_verify_hosts
2875 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2876 )
3fb3231c 2877 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
899b8bbc 2878 )
17c76198 2879 {
aa2a70ba 2880 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH		 2881 DEBUG(D_tls)
2882 debug_printf("TLS: server certificate verification required.\n");
2883 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB		 2884 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2885 }
3fb3231c 2886else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
52f93eed 2887 {
aa2a70ba 2888 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH		 2889 DEBUG(D_tls)
2890 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2891 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP		 2892 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2893 }
2894else
2895 {
e51c7be2
JH		 2896 DEBUG(D_tls)
2897 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB		 2898 state->verify_requirement = VERIFY_NONE;
2899 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2900 }
059ec3d9 2901
f2de3a33
JH		 2902#ifndef DISABLE_OCSP
2903 /* supported since GnuTLS 3.1.3 */
44662487 2904if (request_ocsp)
9d1c15ef
JH		 2905 {
2906 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH		 2907 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2908 NULL, 0, NULL)) != OK)
74f1a423 2909 {
452a164f 2910 tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
c05bdbd6 2911 return FALSE;
74f1a423
JH		 2912 }
2913 tlsp->ocsp = OCSP_NOT_RESP;
9d1c15ef 2914 }
2b4a568d
JH		 2915#endif
2916
b10c87b3
JH		 2917#ifdef EXPERIMENTAL_TLS_RESUME
2918tls_client_resume_prehandshake(state, tlsp, host, ob);
2919#endif
2920
0cbf2b82 2921#ifndef DISABLE_EVENT
afdb5e9c 2922if (tb && tb->event_action)
a7538db1 2923 {
774ef2d7 2924 state->event_action = tb->event_action;
a7538db1 2925 gnutls_session_set_ptr(state->session, state);
723fe533 2926 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH		 2927 }
2928#endif
2929
c05bdbd6
JH		 2930gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
2931state->fd_in = cctx->sock;
2932state->fd_out = cctx->sock;
059ec3d9 2933
9d1c15ef 2934DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH		 2935/* There doesn't seem to be a built-in timeout on connection. */
2936
2937sigalrm_seen = FALSE;
c2a1bba0 2938ALARM(ob->command_timeout);
17c76198 2939do
17c76198 2940 rc = gnutls_handshake(state->session);
f1fed05b 2941while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2942ALARM_CLR(0);
059ec3d9 2943
4fe99a6c 2944if (rc != GNUTLS_E_SUCCESS)
74f1a423 2945 {
60d10ce7
JH		 2946 if (sigalrm_seen)
2947 {
2948 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
48224640 2949 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
60d10ce7
JH		 2950 }
2951 else
452a164f 2952 tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
c05bdbd6 2953 return FALSE;
74f1a423 2954 }
4fe99a6c 2955
dc6d1769 2956DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2957
17c76198 2958/* Verify late */
059ec3d9 2959
899b8bbc 2960if (!verify_certificate(state, errstr))
74f1a423
JH		 2961 {
2962 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
c05bdbd6 2963 return FALSE;
74f1a423 2964 }
059ec3d9 2965
f2de3a33 2966#ifndef DISABLE_OCSP
7a501c87 2967if (request_ocsp)
2b4a568d
JH		 2968 {
2969 DEBUG(D_tls)
2970 {
2971 gnutls_datum_t stapling;
2972 gnutls_ocsp_resp_t resp;
2973 gnutls_datum_t printed;
e326959e
JH		 2974 unsigned idx = 0;
2975
2976 for (;
2977# ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
2978 (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
2979#else
2980 (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
2981#endif
2982 idx++)
2983 if ( (rc= gnutls_ocsp_resp_init(&resp)) == 0
2984 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2985 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
2986 )
2987 {
2988 debug_printf("%.4096s", printed.data);
2989 gnutls_free(printed.data);
2990 }
2991 else
2992 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2993 if (idx == 0 && rc)
452a164f 2994 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2b4a568d
JH		 2995 }
2996
2b4a568d 2997 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2 2998 {
74f1a423
JH		 2999 tlsp->ocsp = OCSP_FAILED;
3000 tls_error(US"certificate status check failed", NULL, state->host, errstr);
7a501c87
JH		 3001 if (require_ocsp)
3002 return FALSE;
3003 }
3004 else
3005 {
3006 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
3007 tlsp->ocsp = OCSP_VFIED;
018058b2 3008 }
2b4a568d
JH		 3009 }
3010#endif
3011
b10c87b3
JH		 3012#ifdef EXPERIMENTAL_TLS_RESUME
3013tls_client_resume_posthandshake(state, tlsp, host);
3014#endif
059ec3d9 3015
4fe99a6c 3016/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 3017
9d1c15ef 3018extract_exim_vars_from_tls_state(state);
059ec3d9 3019
c05bdbd6
JH		 3020cctx->tls_ctx = state;
3021return TRUE;
059ec3d9
PH		 3022}
3023
3024
3025
17c76198 3026
059ec3d9 3027/*************************************************
17c76198 3028* Close down a TLS session *
059ec3d9
PH		 3029*************************************************/
3030
17c76198
PP		 3031/* This is also called from within a delivery subprocess forked from the
3032daemon, to shut down the TLS library, without actually doing a shutdown (which
3033would tamper with the TLS session in the parent process).
059ec3d9 3034
dec766a1 3035Arguments:
74f1a423 3036 ct_ctx client context pointer, or NULL for the one global server context
dec766a1 3037 shutdown 1 if TLS close-alert is to be sent,
afdb5e9c 3038 2 if also response to be waited for
dec766a1 3039
17c76198 3040Returns: nothing
059ec3d9
PH		 3041*/
3042
17c76198 3043void
74f1a423 3044tls_close(void * ct_ctx, int shutdown)
059ec3d9 3045{
74f1a423 3046exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
bd231acd 3047tls_support * tlsp = state->tlsp;
059ec3d9 3048
bd231acd 3049if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
17c76198
PP		 3050
3051if (shutdown)
3052 {
dec766a1
WB		 3053 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3054 shutdown > 1 ? " (with response-wait)" : "");
3055
c2a1bba0 3056 ALARM(2);
dec766a1 3057 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
c2a1bba0 3058 ALARM_CLR(0);
17c76198
PP		 3059 }
3060
bd231acd
JH		 3061if (!ct_ctx) /* server */
3062 {
3063 receive_getc = smtp_getc;
3064 receive_getbuf = smtp_getbuf;
3065 receive_get_cache = smtp_get_cache;
3066 receive_ungetc = smtp_ungetc;
3067 receive_feof = smtp_feof;
3068 receive_ferror = smtp_ferror;
3069 receive_smtp_buffered = smtp_buffered;
3070 }
3071
17c76198 3072gnutls_deinit(state->session);
ed62aae3
HSHR		 3073gnutls_certificate_free_credentials(state->x509_cred);
3074
bd231acd
JH		 3075tlsp->active.sock = -1;
3076tlsp->active.tls_ctx = NULL;
3077/* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
3078tls_channelbinding_b64 = NULL;
3079
17c76198 3080
b808677c 3081if (state->xfer_buffer) store_free(state->xfer_buffer);
17c76198 3082memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
059ec3d9
PH		 3083}
3084
3085
3086
17c76198 3087
0d81dabc
JH		 3088static BOOL
3089tls_refill(unsigned lim)
3090{
3091exim_gnutls_state_st * state = &state_server;
3092ssize_t inbytes;
3093
3094DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
3095 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
3096
f1fed05b 3097sigalrm_seen = FALSE;
c2a1bba0 3098if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
4896a319
AM		 3099
3100do
3101 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
3102 MIN(ssl_xfer_buffer_size, lim));
3103while (inbytes == GNUTLS_E_AGAIN);
3104
c2a1bba0 3105if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH		 3106
3107if (had_command_timeout) /* set by signal handler */
3108 smtp_command_timeout_exit(); /* does not return */
3109if (had_command_sigterm)
3110 smtp_command_sigterm_exit();
3111if (had_data_timeout)
3112 smtp_data_timeout_exit();
3113if (had_data_sigint)
3114 smtp_data_sigint_exit();
3115
3116/* Timeouts do not get this far. A zero-byte return appears to mean that the
3117TLS session has been closed down, not that the socket itself has been closed
3118down. Revert to non-TLS handling. */
0d81dabc
JH		 3119
3120if (sigalrm_seen)
3121 {
3122 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
8b77d27a 3123 state->xfer_error = TRUE;
0d81dabc
JH		 3124 return FALSE;
3125 }
3126
3127else if (inbytes == 0)
3128 {
3129 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
bd231acd 3130 tls_close(NULL, TLS_NO_SHUTDOWN);
0d81dabc
JH		 3131 return FALSE;
3132 }
3133
3134/* Handle genuine errors */
3135
3136else if (inbytes < 0)
3137 {
95f52235 3138 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
0d81dabc 3139 record_io_error(state, (int) inbytes, US"recv", NULL);
8b77d27a 3140 state->xfer_error = TRUE;
0d81dabc
JH		 3141 return FALSE;
3142 }
3143#ifndef DISABLE_DKIM
3144dkim_exim_verify_feed(state->xfer_buffer, inbytes);
3145#endif
3146state->xfer_buffer_hwm = (int) inbytes;
3147state->xfer_buffer_lwm = 0;
3148return TRUE;
3149}
3150
059ec3d9
PH		 3151/*************************************************
3152* TLS version of getc *
3153*************************************************/
3154
3155/* This gets the next byte from the TLS input buffer. If the buffer is empty,
3156it refills the buffer via the GnuTLS reading function.
817d9f57 3157Only used by the server-side TLS.
059ec3d9 3158
17c76198
PP		 3159This feeds DKIM and should be used for all message-body reads.
3160
aded2255 3161Arguments: lim Maximum amount to read/buffer
059ec3d9
PH		 3162Returns: the next character or EOF
3163*/
3164
3165int
bd8fbe36 3166tls_getc(unsigned lim)
059ec3d9 3167{
0d81dabc 3168exim_gnutls_state_st * state = &state_server;
059ec3d9 3169
0d81dabc
JH		 3170if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3171 if (!tls_refill(lim))
3172 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 3173
0d81dabc 3174/* Something in the buffer; return next uschar */
059ec3d9 3175
0d81dabc
JH		 3176return state->xfer_buffer[state->xfer_buffer_lwm++];
3177}
059ec3d9 3178
0d81dabc
JH		 3179uschar *
3180tls_getbuf(unsigned * len)
3181{
3182exim_gnutls_state_st * state = &state_server;
3183unsigned size;
3184uschar * buf;
059ec3d9 3185
0d81dabc
JH		 3186if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3187 if (!tls_refill(*len))
059ec3d9 3188 {
0d81dabc
JH		 3189 if (!state->xfer_error) return smtp_getbuf(len);
3190 *len = 0;
3191 return NULL;
059ec3d9 3192 }
059ec3d9 3193
0d81dabc
JH		 3194if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
3195 size = *len;
3196buf = &state->xfer_buffer[state->xfer_buffer_lwm];
3197state->xfer_buffer_lwm += size;
3198*len = size;
3199return buf;
059ec3d9
PH		 3200}
3201
0d81dabc 3202
584e96c6
JH		 3203void
3204tls_get_cache()
3205{
9960d1e5 3206#ifndef DISABLE_DKIM
584e96c6
JH		 3207exim_gnutls_state_st * state = &state_server;
3208int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3209if (n > 0)
3210 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 3211#endif
9960d1e5 3212}
584e96c6 3213
059ec3d9 3214
925ac8e4
JH		 3215BOOL
3216tls_could_read(void)
3217{
3218return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3219 || gnutls_record_check_pending(state_server.session) > 0;
3220}
3221
3222
059ec3d9 3223
17c76198 3224
059ec3d9
PH		 3225/*************************************************
3226* Read bytes from TLS channel *
3227*************************************************/
3228
17c76198
PP		 3229/* This does not feed DKIM, so if the caller uses this for reading message body,
3230then the caller must feed DKIM.
817d9f57 3231
059ec3d9 3232Arguments:
74f1a423 3233 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3234 buff buffer of data
3235 len size of buffer
3236
3237Returns: the number of bytes read
afdb5e9c 3238 -1 after a failed read, including EOF
059ec3d9
PH		 3239*/
3240
3241int
74f1a423 3242tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 3243{
74f1a423 3244exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
17c76198 3245ssize_t inbytes;
059ec3d9 3246
17c76198
PP		 3247if (len > INT_MAX)
3248 len = INT_MAX;
059ec3d9 3249
17c76198
PP		 3250if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3251 DEBUG(D_tls)
3252 debug_printf("*** PROBABLY A BUG *** " \
3253 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3254 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3255
3256DEBUG(D_tls)
3257 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
3258 state->session, buff, len);
3259
4896a319
AM		 3260do
3261 inbytes = gnutls_record_recv(state->session, buff, len);
3262while (inbytes == GNUTLS_E_AGAIN);
3263
059ec3d9
PH		 3264if (inbytes > 0) return inbytes;
3265if (inbytes == 0)
3266 {
3267 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3268 }
5fd28bb8 3269else
4896a319 3270 {
95f52235 3271 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
4896a319
AM		 3272 record_io_error(state, (int)inbytes, US"recv", NULL);
3273 }
059ec3d9
PH		 3274
3275return -1;
3276}
3277
3278
3279
17c76198 3280
059ec3d9
PH		 3281/*************************************************
3282* Write bytes down TLS channel *
3283*************************************************/
3284
3285/*
3286Arguments:
74f1a423 3287 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3288 buff buffer of data
3289 len number of bytes
925ac8e4 3290 more more data expected soon
059ec3d9
PH		 3291
3292Returns: the number of bytes after a successful write,
3293 -1 after a failed write
3294*/
3295
3296int
74f1a423 3297tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
059ec3d9 3298{
17c76198
PP		 3299ssize_t outbytes;
3300size_t left = len;
74f1a423 3301exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
925ac8e4
JH		 3302#ifdef SUPPORT_CORK
3303static BOOL corked = FALSE;
3304
3305if (more && !corked) gnutls_record_cork(state->session);
3306#endif
3307
3308DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
3309 buff, left, more ? ", more" : "");
059ec3d9 3310
059ec3d9
PH		 3311while (left > 0)
3312 {
17c76198
PP		 3313 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
3314 buff, left);
4896a319
AM		 3315
3316 do
3317 outbytes = gnutls_record_send(state->session, buff, left);
3318 while (outbytes == GNUTLS_E_AGAIN);
059ec3d9 3319
17c76198 3320 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH		 3321 if (outbytes < 0)
3322 {
1b76ad22 3323 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
17c76198 3324 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH		 3325 return -1;
3326 }
3327 if (outbytes == 0)
3328 {
17c76198 3329 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH		 3330 return -1;
3331 }
3332
3333 left -= outbytes;
3334 buff += outbytes;
3335 }
3336
17c76198
PP		 3337if (len > INT_MAX)
3338 {
3339 DEBUG(D_tls)
3340 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
3341 len);
3342 len = INT_MAX;
3343 }
3344
925ac8e4
JH		 3345#ifdef SUPPORT_CORK
3346if (more != corked)
3347 {
3348 if (!more) (void) gnutls_record_uncork(state->session, 0);
3349 corked = more;
3350 }
3351#endif
3352
17c76198 3353return (int) len;
059ec3d9
PH		 3354}
3355
3356
3357
17c76198 3358
059ec3d9 3359/*************************************************
17c76198 3360* Random number generation *
059ec3d9
PH		 3361*************************************************/
3362
17c76198
PP		 3363/* Pseudo-random number generation. The result is not expected to be
3364cryptographically strong but not so weak that someone will shoot themselves
3365in the foot using it as a nonce in input in some email header scheme or
3366whatever weirdness they'll twist this into. The result should handle fork()
3367and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 3368
17c76198
PP		 3369Arguments:
3370 max range maximum
3371Returns a random number in range [0, max-1]
059ec3d9
PH		 3372*/
3373
af3498d6 3374#ifdef HAVE_GNUTLS_RND
17c76198
PP		 3375int
3376vaguely_random_number(int max)
059ec3d9 3377{
17c76198
PP		 3378unsigned int r;
3379int i, needed_len;
17c76198
PP		 3380uschar smallbuf[sizeof(r)];
3381
3382if (max <= 1)
3383 return 0;
3384
3385needed_len = sizeof(r);
3386/* Don't take 8 times more entropy than needed if int is 8 octets and we were
d7978c0f
JH		 3387asked for a number less than 10. */
3388
17c76198
PP		 3389for (r = max, i = 0; r; ++i)
3390 r >>= 1;
3391i = (i + 7) / 8;
3392if (i < needed_len)
3393 needed_len = i;
3394
3395i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
3396if (i < 0)
059ec3d9 3397 {
17c76198
PP		 3398 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
3399 return vaguely_random_number_fallback(max);
3400 }
3401r = 0;
d7978c0f
JH		 3402for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3403 r = r * 256 + *p;
059ec3d9 3404
17c76198
PP		 3405/* We don't particularly care about weighted results; if someone wants
3406 * smooth distribution and cares enough then they should submit a patch then. */
3407return r % max;
059ec3d9 3408}
af3498d6
PP		 3409#else /* HAVE_GNUTLS_RND */
3410int
3411vaguely_random_number(int max)
3412{
3413 return vaguely_random_number_fallback(max);
3414}
3415#endif /* HAVE_GNUTLS_RND */
059ec3d9 3416
36f12725
NM		 3417
3418
3419
3375e053
PP		 3420/*************************************************
3421* Let tls_require_ciphers be checked at startup *
3422*************************************************/
3423
3424/* The tls_require_ciphers option, if set, must be something which the
3425library can parse.
3426
3427Returns: NULL on success, or error message
3428*/
3429
3430uschar *
3431tls_validate_require_cipher(void)
3432{
3433int rc;
3434uschar *expciphers = NULL;
3435gnutls_priority_t priority_cache;
3436const char *errpos;
cf0c6164 3437uschar * dummy_errstr;
3375e053 3438
4d2a62a3
JH		 3439#ifdef GNUTLS_AUTO_GLOBAL_INIT
3440# define validate_check_rc(Label) do { \
3441 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) \
3442 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3443# define return_deinit(Label) do { return (Label); } while (0)
3444#else
3445# define validate_check_rc(Label) do { \
3375e053 3446 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
4d2a62a3
JH		 3447 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3448# define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
3449#endif
3375e053
PP		 3450
3451if (exim_gnutls_base_init_done)
3452 log_write(0, LOG_MAIN|LOG_PANIC,
3453 "already initialised GnuTLS, Exim developer bug");
3454
9f707b89 3455#if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
2519e60d 3456if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 3457 {
3458 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
3459 validate_check_rc(US"gnutls_pkcs11_init");
3460 }
3461#endif
4d2a62a3 3462#ifndef GNUTLS_AUTO_GLOBAL_INIT
3375e053
PP		 3463rc = gnutls_global_init();
3464validate_check_rc(US"gnutls_global_init()");
4d2a62a3 3465#endif
3375e053
PP		 3466exim_gnutls_base_init_done = TRUE;
3467
3468if (!(tls_require_ciphers && *tls_require_ciphers))
3469 return_deinit(NULL);
3470
cf0c6164
JH		 3471if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3472 &dummy_errstr))
3375e053
PP		 3473 return_deinit(US"failed to expand tls_require_ciphers");
3474
3475if (!(expciphers && *expciphers))
3476 return_deinit(NULL);
3477
3478DEBUG(D_tls)
3479 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3480
3481rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
3482validate_check_rc(string_sprintf(
3483 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
3484 expciphers, errpos - CS expciphers, errpos));
3485
3486#undef return_deinit
3487#undef validate_check_rc
4d2a62a3 3488#ifndef GNUTLS_AUTO_GLOBAL_INIT
3375e053 3489gnutls_global_deinit();
4d2a62a3 3490#endif
3375e053
PP		 3491
3492return NULL;
3493}
3494
3495
3496
3497
36f12725
NM		 3498/*************************************************
3499* Report the library versions. *
3500*************************************************/
3501
3502/* See a description in tls-openssl.c for an explanation of why this exists.
3503
3504Arguments: a FILE* to print the results to
3505Returns: nothing
3506*/
3507
3508void
3509tls_version_report(FILE *f)
3510{
754a0503
PP		 3511fprintf(f, "Library version: GnuTLS: Compile: %s\n"
3512 " Runtime: %s\n",
3513 LIBGNUTLS_VERSION,
3514 gnutls_check_version(NULL));
36f12725
NM		 3515}
3516
b10c87b3 3517#endif /*!MACRO_PREDEF*/
2b4a568d
JH		 3518/* vi: aw ai sw=2
3519*/
059ec3d9 3520/* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.