Copyright updates:
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
1e1ddfac 6/* Copyright (c) The Exim Maintainers 2020 */
059ec3d9
PH
7/* See the file NOTICE for conditions of use and distribution. */
8
17c76198 9/* Copyright (c) Phil Pennock 2012 */
059ec3d9 10
17c76198
PP
11/* This file provides TLS/SSL support for Exim using the GnuTLS library,
12one of the available supported implementations. This file is #included into
13tls.c when USE_GNUTLS has been set.
059ec3d9 14
17c76198
PP
15The code herein is a revamp of GnuTLS integration using the current APIs; the
16original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 17Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 18appropriate.
059ec3d9 19
17c76198
PP
20APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
21which is not widely deployed by OS vendors. Will note issues below, which may
22assist in updating the code in the future. Another sources of hints is
23mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 24
17c76198
PP
25Keeping client and server variables more split than before and is currently
26the norm, in anticipation of TLS in ACL callouts.
059ec3d9 27
17c76198
PP
28I wanted to switch to gnutls_certificate_set_verify_function() so that
29certificate rejection could happen during handshake where it belongs, rather
30than being dropped afterwards, but that was introduced in 2.10.0 and Debian
31(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 32
17c76198
PP
33(I wasn't looking for libraries quite that old, when updating to get rid of
34compiler warnings of deprecated APIs. If it turns out that a lot of the rest
35require current GnuTLS, then we'll drop support for the ancient libraries).
36*/
b5aea5e1 37
17c76198
PP
38#include <gnutls/gnutls.h>
39/* needed for cert checks in verification and DN extraction: */
40#include <gnutls/x509.h>
41/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
42#include <gnutls/crypto.h>
184384c3 43
a5f239e4
PP
44/* needed to disable PKCS11 autoload unless requested */
45#if GNUTLS_VERSION_NUMBER >= 0x020c00
46# include <gnutls/pkcs11.h>
76075bb5 47# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 48#endif
7e07527a
JH
49#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
50# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
51# define DISABLE_OCSP
52#endif
0cbf2b82 53#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 54# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 55# define DISABLE_EVENT
a7538db1 56#endif
c1cea16d
JH
57#if GNUTLS_VERSION_NUMBER >= 0x030000
58# define SUPPORT_SELFSIGN /* Uncertain what version is first usable but 2.12.23 is not */
59#endif
a7fec7a7
JH
60#if GNUTLS_VERSION_NUMBER >= 0x030306
61# define SUPPORT_CA_DIR
62#else
63# undef SUPPORT_CA_DIR
64#endif
11a04b5a 65#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH
66# define SUPPORT_SYSDEFAULT_CABUNDLE
67#endif
184384c3
JH
68#if GNUTLS_VERSION_NUMBER >= 0x030104
69# define GNUTLS_CERT_VFY_STATUS_PRINT
70#endif
925ac8e4
JH
71#if GNUTLS_VERSION_NUMBER >= 0x030109
72# define SUPPORT_CORK
73#endif
f20cfa4a
JH
74#if GNUTLS_VERSION_NUMBER >= 0x03010a
75# define SUPPORT_GNUTLS_SESS_DESC
76#endif
4d2a62a3
JH
77#if GNUTLS_VERSION_NUMBER >= 0x030300
78# define GNUTLS_AUTO_GLOBAL_INIT
9f707b89 79# define GNUTLS_AUTO_PKCS11_MANUAL
4d2a62a3 80#endif
97277c1f
JH
81#if (GNUTLS_VERSION_NUMBER >= 0x030404) \
82 || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
83# ifndef DISABLE_OCSP
84# define EXIM_HAVE_OCSP
85# endif
86#endif
f20cfa4a
JH
87#if GNUTLS_VERSION_NUMBER >= 0x030500
88# define SUPPORT_GNUTLS_KEYLOG
89#endif
47195144
JH
90#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
91# define SUPPORT_SRV_OCSP_STACK
92#endif
49132a3b
JH
93#if GNUTLS_VERSION_NUMBER >= 0x030600
94# define GNUTLS_AUTO_DHPARAMS
95#endif
be427508 96#if GNUTLS_VERSION_NUMBER >= 0x030603
e326959e 97# define EXIM_HAVE_TLS1_3
be427508 98# define SUPPORT_GNUTLS_EXT_RAW_PARSE
e326959e 99# define GNUTLS_OCSP_STATUS_REQUEST_GET2
be427508 100#endif
c0635b6d
JH
101
102#ifdef SUPPORT_DANE
103# if GNUTLS_VERSION_NUMBER >= 0x030000
104# define DANESSL_USAGE_DANE_TA 2
105# define DANESSL_USAGE_DANE_EE 3
106# else
107# error GnuTLS version too early for DANE
108# endif
109# if GNUTLS_VERSION_NUMBER < 0x999999
110# define GNUTLS_BROKEN_DANE_VALIDATION
111# endif
899b8bbc 112#endif
7e07527a 113
43e2db44
JH
114#ifdef EXPERIMENTAL_TLS_RESUME
115# if GNUTLS_VERSION_NUMBER < 0x030603
116# error GNUTLS version too early for session-resumption
117# endif
118#endif
119
f2de3a33 120#ifndef DISABLE_OCSP
2b4a568d
JH
121# include <gnutls/ocsp.h>
122#endif
899b8bbc
JH
123#ifdef SUPPORT_DANE
124# include <gnutls/dane.h>
125#endif
059ec3d9 126
f1be21cf
JH
127#include "tls-cipher-stdname.c"
128
129
b10c87b3
JH
130#ifdef MACRO_PREDEF
131void
132options_tls(void)
133{
134# ifdef EXPERIMENTAL_TLS_RESUME
135builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
136# endif
e326959e
JH
137# ifdef EXIM_HAVE_TLS1_3
138builtin_macro_create(US"_HAVE_TLS1_3");
139# endif
97277c1f
JH
140# ifdef EXIM_HAVE_OCSP
141builtin_macro_create(US"_HAVE_TLS_OCSP");
142# endif
143# ifdef SUPPORT_SRV_OCSP_STACK
144builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
145# endif
b10c87b3
JH
146}
147#else
148
149
17c76198 150/* GnuTLS 2 vs 3
059ec3d9 151
17c76198
PP
152GnuTLS 3 only:
153 gnutls_global_set_audit_log_function()
059ec3d9 154
17c76198
PP
155Changes:
156 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
157*/
059ec3d9 158
17c76198 159/* Local static variables for GnuTLS */
059ec3d9 160
17c76198 161/* Values for verify_requirement */
059ec3d9 162
e51c7be2 163enum peer_verify_requirement
899b8bbc 164 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
059ec3d9 165
17c76198
PP
166/* This holds most state for server or client; with this, we can set up an
167outbound TLS-enabled connection in an ACL callout, while not stomping all
168over the TLS variables available for expansion.
059ec3d9 169
17c76198
PP
170Some of these correspond to variables in globals.c; those variables will
171be set to point to content in one of these instances, as appropriate for
172the stage of the process lifetime.
059ec3d9 173
b1a32a3c 174Not handled here: global tlsp->tls_channelbinding.
17c76198 175*/
059ec3d9 176
17c76198 177typedef struct exim_gnutls_state {
9d1c15ef 178 gnutls_session_t session;
17c76198 179 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 180 gnutls_priority_t priority_cache;
17c76198 181 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH
182 int fd_in;
183 int fd_out;
bd95ffc2
JH
184
185 BOOL peer_cert_verified:1;
186 BOOL peer_dane_verified:1;
187 BOOL trigger_sni_changes:1;
188 BOOL have_set_peerdn:1;
189 BOOL xfer_eof:1; /*XXX never gets set! */
190 BOOL xfer_error:1;
191#ifdef SUPPORT_CORK
192 BOOL corked:1;
193#endif
194
5fd28bb8 195 const struct host_item *host; /* NULL if server */
afdb5e9c 196 gnutls_x509_crt_t peercert;
9d1c15ef
JH
197 uschar *peerdn;
198 uschar *ciphersuite;
199 uschar *received_sni;
17c76198
PP
200
201 const uschar *tls_certificate;
202 const uschar *tls_privatekey;
203 const uschar *tls_sni; /* client send only, not received */
204 const uschar *tls_verify_certificates;
205 const uschar *tls_crl;
206 const uschar *tls_require_ciphers;
e51c7be2 207
17c76198
PP
208 uschar *exp_tls_certificate;
209 uschar *exp_tls_privatekey;
17c76198
PP
210 uschar *exp_tls_verify_certificates;
211 uschar *exp_tls_crl;
212 uschar *exp_tls_require_ciphers;
55414b25 213 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 214#ifndef DISABLE_EVENT
a7538db1
JH
215 uschar *event_action;
216#endif
899b8bbc
JH
217#ifdef SUPPORT_DANE
218 char * const * dane_data;
219 const int * dane_data_len;
220#endif
17c76198 221
389ca47a 222 tls_support *tlsp; /* set in tls_init() */
817d9f57 223
17c76198
PP
224 uschar *xfer_buffer;
225 int xfer_buffer_lwm;
226 int xfer_buffer_hwm;
17c76198
PP
227} exim_gnutls_state_st;
228
229static const exim_gnutls_state_st exim_gnutls_state_init = {
b10c87b3 230 /* all elements not explicitly intialised here get 0/NULL/FALSE */
f2ed27cf
JH
231 .fd_in = -1,
232 .fd_out = -1,
17c76198 233};
83da1223 234
17c76198
PP
235/* Not only do we have our own APIs which don't pass around state, assuming
236it's held in globals, GnuTLS doesn't appear to let us register callback data
237for callbacks, or as part of the session, so we have to keep a "this is the
238context we're currently dealing with" pointer and rely upon being
239single-threaded to keep from processing data on an inbound TLS connection while
240talking to another TLS connection for an outbound check. This does mean that
241there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH
242second connection.
243XXX But see gnutls_session_get_ptr()
244*/
059ec3d9 245
74f1a423 246static exim_gnutls_state_st state_server;
059ec3d9 247
49132a3b 248#ifndef GNUTLS_AUTO_DHPARAMS
17c76198
PP
249/* dh_params are initialised once within the lifetime of a process using TLS;
250if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
251don't want to repeat this. */
83da1223 252
17c76198 253static gnutls_dh_params_t dh_server_params = NULL;
49132a3b 254#endif
059ec3d9 255
dea4b568 256static int ssl_session_timeout = 7200; /* Two hours */
059ec3d9 257
fc243e94 258static const uschar * const exim_default_gnutls_priority = US"NORMAL";
83da1223 259
17c76198 260/* Guard library core initialisation */
83da1223 261
17c76198 262static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 263
4fb7df6d 264#ifndef DISABLE_OCSP
9196d5bf 265static BOOL gnutls_buggy_ocsp = FALSE;
e5489333 266static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
4fb7df6d 267#endif
9196d5bf 268
b10c87b3
JH
269#ifdef EXPERIMENTAL_TLS_RESUME
270static gnutls_datum_t server_sessticket_key;
271#endif
059ec3d9 272
17c76198 273/* ------------------------------------------------------------------------ */
17c76198 274/* macros */
83da1223 275
17c76198 276#define MAX_HOST_LEN 255
83da1223 277
17c76198
PP
278/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
279the library logging; a value less than 0 disables the calls to set up logging
dc6d1769
JH
280callbacks. GNuTLS also looks for an environment variable - except not for
281setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
282Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
283but the env var must be added to /etc/sudoers too. */
2c17bb02 284#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
b1a4f234 285# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 286#endif
83da1223 287
2c17bb02 288#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 289# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 290#endif
83da1223 291
af3498d6
PP
292/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
293can ask for a bit-strength. Without that, we stick to the constant we had
294before, for now. */
2c17bb02 295#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 296# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 297#endif
af3498d6 298
cf0c6164
JH
299#define expand_check_tlsvar(Varname, errstr) \
300 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 301
17c76198 302#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH
303# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
304# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
305# define HAVE_GNUTLS_RND
2519e60d
TL
306/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
307 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
308 * isn't available sometimes, so this needs to become a conditional
309 * compilation; the sanest way to deal with this being a problem on
310 * older OSes is to block it in the Local/Makefile with this compiler
311 * definition */
e51c7be2
JH
312# ifndef AVOID_GNUTLS_PKCS11
313# define HAVE_GNUTLS_PKCS11
314# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 315#endif
83da1223 316
af3498d6
PP
317
318
319
320/* ------------------------------------------------------------------------ */
321/* Callback declarations */
322
323#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
324static void exim_gnutls_logger_cb(int level, const char *message);
325#endif
326
327static int exim_sni_handling_cb(gnutls_session_t session);
328
e5489333
JH
329#ifdef EXPERIMENTAL_TLS_RESUME
330static int
331tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
332 unsigned incoming, const gnutls_datum_t * msg);
333#endif
af3498d6
PP
334
335
b10c87b3
JH
336/* Daemon one-time initialisation */
337void
338tls_daemon_init(void)
339{
340#ifdef EXPERIMENTAL_TLS_RESUME
341/* We are dependent on the GnuTLS implementation of the Session Ticket
342encryption; both the strength and the key rotation period. We hope that
343the strength at least matches that of the ciphersuite (but GnuTLS does not
344document this). */
345
346static BOOL once = FALSE;
347if (once) return;
348once = TRUE;
349gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
350if (f.running_in_test_harness) ssl_session_timeout = 6;
351#endif
352}
353
17c76198
PP
354/* ------------------------------------------------------------------------ */
355/* Static functions */
059ec3d9
PH
356
357/*************************************************
358* Handle TLS error *
359*************************************************/
360
361/* Called from lots of places when errors occur before actually starting to do
362the TLS handshake, that is, while the session is still in clear. Always returns
363DEFER for a server and FAIL for a client so that most calls can use "return
364tls_error(...)" to do this processing and then give an appropriate return. A
365single function is used for both server and client, because it is called from
366some shared functions.
367
368Argument:
369 prefix text to include in the logged error
7199e1ee
TF
370 msg additional error string (may be NULL)
371 usually obtained from gnutls_strerror()
17c76198
PP
372 host NULL if setting up a server;
373 the connected host if setting up a client
cf0c6164 374 errstr pointer to returned error string
059ec3d9
PH
375
376Returns: OK/DEFER/FAIL
377*/
378
379static int
48224640 380tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
cf0c6164 381 uschar ** errstr)
059ec3d9 382{
cf0c6164 383if (errstr)
48224640 384 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
cf0c6164 385return host ? FAIL : DEFER;
059ec3d9
PH
386}
387
388
452a164f
JH
389static int
390tls_error_gnu(const uschar *prefix, int err, const host_item *host,
391 uschar ** errstr)
392{
393return tls_error(prefix, US gnutls_strerror(err), host, errstr);
394}
395
396static int
397tls_error_sys(const uschar *prefix, int err, const host_item *host,
398 uschar ** errstr)
399{
400return tls_error(prefix, US strerror(err), host, errstr);
401}
059ec3d9 402
17c76198 403
059ec3d9 404/*************************************************
17c76198 405* Deal with logging errors during I/O *
059ec3d9
PH
406*************************************************/
407
17c76198 408/* We have to get the identity of the peer from saved data.
059ec3d9 409
17c76198
PP
410Argument:
411 state the current GnuTLS exim state container
412 rc the GnuTLS error code, or 0 if it's a local error
413 when text identifying read or write
95f52235 414 text local error text when rc is 0
059ec3d9 415
17c76198 416Returns: nothing
059ec3d9
PH
417*/
418
17c76198
PP
419static void
420record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 421{
48224640 422const uschar * msg;
cf0c6164 423uschar * errstr;
059ec3d9 424
17c76198 425if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
95f52235 426 msg = string_sprintf("A TLS fatal alert has been received: %s",
17c76198
PP
427 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
428else
48224640 429 msg = US gnutls_strerror(rc);
059ec3d9 430
cf0c6164
JH
431(void) tls_error(when, msg, state->host, &errstr);
432
433if (state->host)
434 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
435 state->host->name, state->host->address, errstr);
436else
437 {
438 uschar * conn_info = smtp_get_connection_info();
439 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
440 /* I'd like to get separated H= here, but too hard for now */
441 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
442 }
17c76198 443}
059ec3d9 444
059ec3d9 445
059ec3d9 446
059ec3d9 447
17c76198
PP
448/*************************************************
449* Set various Exim expansion vars *
450*************************************************/
059ec3d9 451
e51c7be2
JH
452#define exim_gnutls_cert_err(Label) \
453 do \
454 { \
455 if (rc != GNUTLS_E_SUCCESS) \
456 { \
457 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
458 (Label), gnutls_strerror(rc)); \
459 return rc; \
460 } \
461 } while (0)
9d1c15ef
JH
462
463static int
27f19eb4 464import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH
465{
466int rc;
467
468rc = gnutls_x509_crt_init(crtp);
469exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
470
471rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
472exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
473
474return rc;
475}
476
477#undef exim_gnutls_cert_err
478
479
17c76198
PP
480/* We set various Exim global variables from the state, once a session has
481been established. With TLS callouts, may need to change this to stack
482variables, or just re-call it with the server state after client callout
483has finished.
059ec3d9 484
9d1c15ef 485Make sure anything set here is unset in tls_getc().
17c76198
PP
486
487Sets:
488 tls_active fd
489 tls_bits strength indicator
490 tls_certificate_verified bool indicator
b1a32a3c 491 tls_channelbinding for some SASL mechanisms
da40b1ec 492 tls_ver a string
17c76198 493 tls_cipher a string
9d1c15ef 494 tls_peercert pointer to library internal
17c76198
PP
495 tls_peerdn a string
496 tls_sni a (UTF-8) string
9d1c15ef 497 tls_ourcert pointer to library internal
17c76198
PP
498
499Argument:
500 state the relevant exim_gnutls_state_st *
501*/
502
503static void
9d1c15ef 504extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 505{
17c76198
PP
506#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
507int old_pool;
508int rc;
509gnutls_datum_t channel;
510#endif
9d1c15ef 511tls_support * tlsp = state->tlsp;
17c76198 512
74f1a423
JH
513tlsp->active.sock = state->fd_out;
514tlsp->active.tls_ctx = state;
17c76198 515
817d9f57 516DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 517
9d1c15ef 518tlsp->certificate_verified = state->peer_cert_verified;
899b8bbc
JH
519#ifdef SUPPORT_DANE
520tlsp->dane_verified = state->peer_dane_verified;
521#endif
059ec3d9 522
b1a32a3c 523/* note that tls_channelbinding is not saved to the spool file, since it's
17c76198
PP
524only available for use for authenticators while this TLS session is running. */
525
b1a32a3c 526tlsp->channelbinding = NULL;
17c76198
PP
527#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
528channel.data = NULL;
529channel.size = 0;
1f20760b
JH
530if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
531 { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
532else
533 {
b1a32a3c
JH
534 /* Declare the taintedness of the binding info. On server, untainted; on
535 client, tainted - being the Finish msg from the server. */
536
17c76198
PP
537 old_pool = store_pool;
538 store_pool = POOL_PERM;
b1a32a3c
JH
539 tlsp->channelbinding = b64encode_taint(CUS channel.data, (int)channel.size,
540 !!state->host);
17c76198 541 store_pool = old_pool;
b1a32a3c 542 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage\n");
1f20760b 543 }
17c76198
PP
544#endif
545
9d1c15ef
JH
546/* peercert is set in peer_status() */
547tlsp->peerdn = state->peerdn;
548tlsp->sni = state->received_sni;
549
550/* record our certificate */
551 {
27f19eb4 552 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH
553 gnutls_x509_crt_t crt;
554
555 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
556 }
059ec3d9
PH
557}
558
559
560
17c76198 561
49132a3b 562#ifndef GNUTLS_AUTO_DHPARAMS
059ec3d9 563/*************************************************
575643cd 564* Setup up DH parameters *
059ec3d9
PH
565*************************************************/
566
575643cd 567/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH
568be re-generated every so often, depending on security policy. What we do is to
569keep these parameters in a file in the spool directory. If the file does not
570exist, we generate them. This means that it is easy to cause a regeneration.
571
572The new file is written as a temporary file and renamed, so that an incomplete
573file is never present. If two processes both compute some new parameters, you
574waste a bit of effort, but it doesn't seem worth messing around with locking to
575prevent this.
576
059ec3d9
PH
577Returns: OK/DEFER/FAIL
578*/
579
580static int
cf0c6164 581init_server_dh(uschar ** errstr)
059ec3d9 582{
17c76198
PP
583int fd, rc;
584unsigned int dh_bits;
49132a3b 585gnutls_datum_t m = {.data = NULL, .size = 0};
a799883d
PP
586uschar filename_buf[PATH_MAX];
587uschar *filename = NULL;
17c76198 588size_t sz;
a799883d
PP
589uschar *exp_tls_dhparam;
590BOOL use_file_in_spool = FALSE;
17c76198 591host_item *host = NULL; /* dummy for macros */
059ec3d9 592
17c76198 593DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 594
452a164f
JH
595if ((rc = gnutls_dh_params_init(&dh_server_params)))
596 return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
059ec3d9 597
cf0c6164 598if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP
599 return DEFER;
600
601if (!exp_tls_dhparam)
602 {
603 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
604 m.data = US std_dh_prime_default();
605 m.size = Ustrlen(m.data);
606 }
607else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
608 use_file_in_spool = TRUE;
609else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
610 {
611 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
612 return OK;
613 }
614else if (exp_tls_dhparam[0] != '/')
615 {
f5d25c2b 616 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
48224640 617 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
a799883d
PP
618 m.size = Ustrlen(m.data);
619 }
620else
a799883d 621 filename = exp_tls_dhparam;
a799883d
PP
622
623if (m.data)
624 {
452a164f
JH
625 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
626 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
a799883d
PP
627 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
628 return OK;
629 }
630
af3498d6
PP
631#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
632/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198 633different filename and ensure we have sufficient bits. */
452a164f
JH
634
635if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
cf0c6164 636 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 637DEBUG(D_tls)
b34fc30c 638 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP
639 dh_bits);
640#else
641dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
642DEBUG(D_tls)
643 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
644 dh_bits);
645#endif
059ec3d9 646
3375e053
PP
647/* Some clients have hard-coded limits. */
648if (dh_bits > tls_dh_max_bits)
649 {
650 DEBUG(D_tls)
651 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
652 tls_dh_max_bits);
653 dh_bits = tls_dh_max_bits;
654 }
655
a799883d
PP
656if (use_file_in_spool)
657 {
658 if (!string_format(filename_buf, sizeof(filename_buf),
659 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 660 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP
661 filename = filename_buf;
662 }
059ec3d9 663
b5aea5e1 664/* Open the cache file for reading and if successful, read it and set up the
575643cd 665parameters. */
059ec3d9 666
f5d25c2b 667if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 668 {
b5aea5e1 669 struct stat statbuf;
17c76198
PP
670 FILE *fp;
671 int saved_errno;
672
673 if (fstat(fd, &statbuf) < 0) /* EIO */
674 {
675 saved_errno = errno;
676 (void)close(fd);
452a164f 677 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
17c76198
PP
678 }
679 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH
680 {
681 (void)close(fd);
cf0c6164 682 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 683 }
40c90bca 684 if (!(fp = fdopen(fd, "rb")))
17c76198
PP
685 {
686 saved_errno = errno;
687 (void)close(fd);
452a164f
JH
688 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
689 saved_errno, NULL, errstr);
b5aea5e1 690 }
059ec3d9 691
b5aea5e1 692 m.size = statbuf.st_size;
f3ebb786 693 if (!(m.data = store_malloc(m.size)))
17c76198
PP
694 {
695 fclose(fp);
452a164f 696 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
17c76198 697 }
40c90bca 698 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP
699 {
700 saved_errno = errno;
701 fclose(fp);
f3ebb786 702 store_free(m.data);
452a164f 703 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
17c76198
PP
704 }
705 fclose(fp);
b5aea5e1 706
17c76198 707 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
f3ebb786 708 store_free(m.data);
452a164f
JH
709 if (rc)
710 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
17c76198 711 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH
712 }
713
714/* If the file does not exist, fall through to compute new data and cache it.
715If there was any other opening error, it is serious. */
716
182ad5cf
PH
717else if (errno == ENOENT)
718 {
17c76198 719 rc = -1;
182ad5cf 720 DEBUG(D_tls)
17c76198 721 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH
722 }
723else
17c76198 724 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 725 NULL, NULL, errstr);
b5aea5e1
PH
726
727/* If ret < 0, either the cache file does not exist, or the data it contains
728is not useful. One particular case of this is when upgrading from an older
729release of Exim in which the data was stored in a different format. We don't
730try to be clever and support both formats; we just regenerate new data in this
731case. */
732
17c76198 733if (rc < 0)
b5aea5e1 734 {
17c76198 735 uschar *temp_fn;
201f5254 736 unsigned int dh_bits_gen = dh_bits;
059ec3d9 737
17c76198
PP
738 if ((PATH_MAX - Ustrlen(filename)) < 10)
739 return tls_error(US"Filename too long to generate replacement",
48224640 740 filename, NULL, errstr);
059ec3d9 741
48224640 742 temp_fn = string_copy(US"%s.XXXXXXX");
f5d25c2b 743 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
452a164f 744 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
b66fecb4 745 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
059ec3d9 746
49132a3b
JH
747 /* GnuTLS overshoots! If we ask for 2236, we might get 2237 or more. But
748 there's no way to ask GnuTLS how many bits there really are. We can ask
749 how many bits were used in a TLS session, but that's it! The prime itself
750 is hidden behind too much abstraction. So we ask for less, and proceed on
751 a wing and a prayer. First attempt, subtracted 3 for 2233 and got 2240. */
752
cae6e576 753 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP
754 {
755 dh_bits_gen = dh_bits - 10;
756 DEBUG(D_tls)
757 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
758 dh_bits_gen);
759 }
760
761 DEBUG(D_tls)
762 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
763 dh_bits_gen);
452a164f
JH
764 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
765 return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
17c76198
PP
766
767 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
768 and I confirmed that a NULL call to get the size first is how the GnuTLS
769 sample apps handle this. */
770
771 sz = 0;
772 m.data = NULL;
452a164f
JH
773 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
774 GNUTLS_X509_FMT_PEM, m.data, &sz))
775 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
776 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
777 rc, host, errstr);
17c76198 778 m.size = sz;
f3ebb786 779 if (!(m.data = store_malloc(m.size)))
452a164f 780 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
40c90bca 781
1f00591e 782 /* this will return a size 1 less than the allocation size above */
452a164f
JH
783 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
784 m.data, &sz)))
17c76198 785 {
f3ebb786 786 store_free(m.data);
452a164f 787 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
17c76198 788 }
1f00591e 789 m.size = sz; /* shrink by 1, probably */
059ec3d9 790
f5d25c2b 791 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198 792 {
f3ebb786 793 store_free(m.data);
452a164f
JH
794 return tls_error_sys(US"TLS cache write D-H params failed",
795 errno, NULL, errstr);
17c76198 796 }
f3ebb786 797 store_free(m.data);
f5d25c2b 798 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
452a164f
JH
799 return tls_error_sys(US"TLS cache write D-H params final newline failed",
800 errno, NULL, errstr);
17c76198 801
f5d25c2b 802 if ((rc = close(fd)))
452a164f 803 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
059ec3d9 804
17c76198 805 if (Urename(temp_fn, filename) < 0)
452a164f
JH
806 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
807 temp_fn, filename), errno, NULL, errstr);
059ec3d9 808
17c76198 809 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH
810 }
811
17c76198 812DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH
813return OK;
814}
49132a3b 815#endif
059ec3d9
PH
816
817
818
819
23bb6982
JH
820/* Create and install a selfsigned certificate, for use in server mode */
821
822static int
cf0c6164 823tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH
824{
825gnutls_x509_crt_t cert = NULL;
826time_t now;
827gnutls_x509_privkey_t pkey = NULL;
828const uschar * where;
829int rc;
830
c1cea16d
JH
831#ifndef SUPPORT_SELFSIGN
832where = US"library too old";
833rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
834if (TRUE) goto err;
835#endif
836
23bb6982
JH
837where = US"initialising pkey";
838if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
839
840where = US"initialising cert";
841if ((rc = gnutls_x509_crt_init(&cert))) goto err;
842
c1cea16d 843where = US"generating pkey"; /* Hangs on 2.12.23 */
23bb6982 844if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 845#ifdef SUPPORT_PARAM_TO_PK_BITS
4312da48
JH
846# ifndef GNUTLS_SEC_PARAM_MEDIUM
847# define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
848# endif
6aac3239 849 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
76075bb5 850#else
6aac3239 851 2048,
76075bb5
JH
852#endif
853 0)))
23bb6982
JH
854 goto err;
855
856where = US"configuring cert";
1613fd68 857now = 1;
23bb6982
JH
858if ( (rc = gnutls_x509_crt_set_version(cert, 3))
859 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
860 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
861 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
862 || (rc = gnutls_x509_crt_set_key(cert, pkey))
863
864 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
865 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
866 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
867 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
868 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
869 GNUTLS_OID_X520_COMMON_NAME, 0,
870 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
871 )
872 goto err;
873
874where = US"signing cert";
875if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
876
877where = US"installing selfsign cert";
878 /* Since: 2.4.0 */
879if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
880 goto err;
881
882rc = OK;
883
884out:
885 if (cert) gnutls_x509_crt_deinit(cert);
886 if (pkey) gnutls_x509_privkey_deinit(pkey);
887 return rc;
888
889err:
452a164f 890 rc = tls_error_gnu(where, rc, NULL, errstr);
23bb6982
JH
891 goto out;
892}
893
894
895
896
47195144
JH
897/* Add certificate and key, from files.
898
899Return:
900 Zero or negative: good. Negate value for certificate index if < 0.
901 Greater than zero: FAIL or DEFER code.
902*/
903
ba86e143
JH
904static int
905tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
906 uschar * certfile, uschar * keyfile, uschar ** errstr)
907{
908int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
909 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
47195144 910if (rc < 0)
452a164f 911 return tls_error_gnu(
47195144 912 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
452a164f 913 rc, host, errstr);
47195144 914return -rc;
ba86e143
JH
915}
916
917
d896cef5
JH
918#if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
919/* Load an OCSP proof from file for sending by the server. Called
920on getting a status-request handshake message, for earlier versions
921of GnuTLS. */
922
923static int
924server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
925 gnutls_datum_t * ocsp_response)
926{
927int ret;
928DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
929
930if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
931 {
932 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
933 CS ptr);
934 tls_in.ocsp = OCSP_NOT_RESP;
935 return GNUTLS_E_NO_CERTIFICATE_STATUS;
936 }
937
938tls_in.ocsp = OCSP_VFY_NOT_TRIED;
939return 0;
940}
941#endif
942
943
be427508 944#ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e5489333
JH
945/* Make a note that we saw a status-request */
946static int
947tls_server_clienthello_ext(void * ctx, unsigned tls_id,
948 const unsigned char *data, unsigned size)
949{
950/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
951if (tls_id == 5) /* status_request */
952 {
e326959e 953 DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
e5489333
JH
954 tls_in.ocsp = OCSP_NOT_RESP;
955 }
956return 0;
957}
958
959/* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
960static int
961tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
962 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
963{
964/* Call fn for each extension seen. 3.6.3 onwards */
965return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
966 GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
967}
e326959e
JH
968
969
970/* Make a note that we saw a status-response */
971static int
972tls_server_servercerts_ext(void * ctx, unsigned tls_id,
973 const unsigned char *data, unsigned size)
974{
975/* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
976/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
977if (FALSE && tls_id == 5) /* status_request */
978 {
979 DEBUG(D_tls) debug_printf("Seen status_request extension\n");
980 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
981 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
982 }
983return 0;
984}
985
986/* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
987static int
988tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
989 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
990{
991/* Call fn for each extension seen. 3.6.3 onwards */
992#ifdef notdef
993/*XXX crashes */
994return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
995#endif
996}
be427508 997#endif
e5489333 998
e326959e
JH
999/*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
1000 "Handshake Protocol: Certificate" record.
1001So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
1002
1003This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term).
1004*/
1005
727a5d25 1006#if defined(EXPERIMENTAL_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
e5489333
JH
1007/* Callback for certificate-status, on server. We sent stapled OCSP. */
1008static int
1009tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
1010 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
1011{
e326959e 1012DEBUG(D_tls) debug_printf("Sending certificate-status\n"); /*XXX we get this for tls1.2 but not for 1.3 */
e5489333
JH
1013#ifdef SUPPORT_SRV_OCSP_STACK
1014tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
1015 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
1016#else
1017tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1018#endif
1019return 0;
1020}
1021
1022/* Callback for handshake messages, on server */
1023static int
1024tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
1025 unsigned incoming, const gnutls_datum_t * msg)
1026{
e326959e 1027/* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
e5489333
JH
1028switch (htype)
1029 {
727a5d25 1030# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e5489333
JH
1031 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1032 return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
e326959e
JH
1033 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1034 return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
727a5d25 1035# endif
e5489333
JH
1036 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1037 return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
727a5d25 1038# ifdef EXPERIMENTAL_TLS_RESUME
e5489333
JH
1039 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1040 return tls_server_ticket_cb(sess, htype, when, incoming, msg);
727a5d25 1041# endif
e5489333
JH
1042 default:
1043 return 0;
1044 }
1045}
727a5d25 1046#endif
e5489333
JH
1047
1048
727a5d25 1049#if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
e5489333
JH
1050static void
1051tls_server_testharness_ocsp_fiddle(void)
1052{
1053extern char ** environ;
1054if (environ) for (uschar ** p = USS environ; *p; p++)
1055 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1056 {
1057 DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
1058 exim_testharness_disable_ocsp_validity_check = TRUE;
1059 }
1060}
727a5d25 1061#endif
e5489333 1062
059ec3d9 1063/*************************************************
17c76198 1064* Variables re-expanded post-SNI *
059ec3d9
PH
1065*************************************************/
1066
17c76198
PP
1067/* Called from both server and client code, via tls_init(), and also from
1068the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
1069
1070We can tell the two apart by state->received_sni being non-NULL in callback.
1071
1072The callback should not call us unless state->trigger_sni_changes is true,
1073which we are responsible for setting on the first pass through.
059ec3d9
PH
1074
1075Arguments:
17c76198 1076 state exim_gnutls_state_st *
cf0c6164 1077 errstr error string pointer
059ec3d9
PH
1078
1079Returns: OK/DEFER/FAIL
1080*/
1081
1082static int
ba86e143 1083tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1084{
1365611d 1085struct stat statbuf;
059ec3d9 1086int rc;
17c76198
PP
1087const host_item *host = state->host; /* macro should be reconsidered? */
1088uschar *saved_tls_certificate = NULL;
1089uschar *saved_tls_privatekey = NULL;
1090uschar *saved_tls_verify_certificates = NULL;
1091uschar *saved_tls_crl = NULL;
1092int cert_count;
1093
1094/* We check for tls_sni *before* expansion. */
2b4a568d 1095if (!host) /* server */
17c76198
PP
1096 if (!state->received_sni)
1097 {
ba86e143
JH
1098 if ( state->tls_certificate
1099 && ( Ustrstr(state->tls_certificate, US"tls_sni")
1100 || Ustrstr(state->tls_certificate, US"tls_in_sni")
1101 || Ustrstr(state->tls_certificate, US"tls_out_sni")
1102 ) )
17c76198
PP
1103 {
1104 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
1105 state->trigger_sni_changes = TRUE;
1106 }
1107 }
1108 else
1109 {
1365611d 1110 /* useful for debugging */
17c76198
PP
1111 saved_tls_certificate = state->exp_tls_certificate;
1112 saved_tls_privatekey = state->exp_tls_privatekey;
1113 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
1114 saved_tls_crl = state->exp_tls_crl;
1115 }
059ec3d9 1116
452a164f
JH
1117if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
1118 return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
1119 rc, host, errstr);
47195144
JH
1120
1121#ifdef SUPPORT_SRV_OCSP_STACK
1122gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
e326959e
JH
1123
1124# if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1125if (!host && tls_ocsp_file)
1126 {
1127 if (f.running_in_test_harness)
1128 tls_server_testharness_ocsp_fiddle();
1129
1130 if (exim_testharness_disable_ocsp_validity_check)
1131 gnutls_certificate_set_flags(state->x509_cred,
1132 GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
1133 }
1134# endif
47195144 1135#endif
1365611d 1136
17c76198
PP
1137/* remember: expand_check_tlsvar() is expand_check() but fiddling with
1138state members, assuming consistent naming; and expand_check() returns
1139false if expansion failed, unless expansion was forced to fail. */
059ec3d9 1140
17c76198
PP
1141/* check if we at least have a certificate, before doing expensive
1142D-H generation. */
059ec3d9 1143
cf0c6164 1144if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 1145 return DEFER;
059ec3d9 1146
17c76198 1147/* certificate is mandatory in server, optional in client */
059ec3d9 1148
23bb6982
JH
1149if ( !state->exp_tls_certificate
1150 || !*state->exp_tls_certificate
1151 )
2b4a568d 1152 if (!host)
cf0c6164 1153 return tls_install_selfsign(state, errstr);
17c76198
PP
1154 else
1155 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 1156
cf0c6164 1157if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH
1158 return DEFER;
1159
17c76198
PP
1160/* tls_privatekey is optional, defaulting to same file as certificate */
1161
e326959e 1162if (!state->tls_privatekey || !*state->tls_privatekey)
059ec3d9 1163 {
17c76198
PP
1164 state->tls_privatekey = state->tls_certificate;
1165 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 1166 }
c91535f3 1167
059ec3d9 1168
17c76198 1169if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH
1170 {
1171 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP
1172 state->exp_tls_certificate, state->exp_tls_privatekey);
1173
1174 if (state->received_sni)
23bb6982
JH
1175 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
1176 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
1177 )
17c76198 1178 {
b34fc30c 1179 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP
1180 }
1181 else
1182 {
b34fc30c 1183 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 1184 }
059ec3d9 1185
ba86e143
JH
1186 if (!host) /* server */
1187 {
1188 const uschar * clist = state->exp_tls_certificate;
1189 const uschar * klist = state->exp_tls_privatekey;
47195144
JH
1190 const uschar * olist;
1191 int csep = 0, ksep = 0, osep = 0, cnt = 0;
1192 uschar * cfile, * kfile, * ofile;
47195144 1193#ifndef DISABLE_OCSP
e326959e
JH
1194# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1195 gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
1196# endif
1197
47195144
JH
1198 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
1199 return DEFER;
1200 olist = ofile;
1201#endif
ba86e143
JH
1202
1203 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
47195144 1204
ba86e143
JH
1205 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
1206 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
47195144 1207 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
ba86e143
JH
1208 return rc;
1209 else
47195144
JH
1210 {
1211 int gnutls_cert_index = -rc;
e326959e
JH
1212 DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
1213 gnutls_cert_index, cfile);
47195144
JH
1214
1215#ifndef DISABLE_OCSP
1216 if (tls_ocsp_file)
e5489333 1217 {
e326959e 1218 /* Set the OCSP stapling server info */
47195144
JH
1219 if (gnutls_buggy_ocsp)
1220 {
1221 DEBUG(D_tls)
1222 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1223 }
1224 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1225 {
e326959e
JH
1226 DEBUG(D_tls) debug_printf("OCSP response file %d = %s\n",
1227 gnutls_cert_index, ofile);
be427508 1228# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
e326959e 1229 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
47195144 1230 {
e326959e
JH
1231 ocsp_fmt = GNUTLS_X509_FMT_PEM;
1232 ofile += 4;
1233 }
1234 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1235 {
1236 ocsp_fmt = GNUTLS_X509_FMT_DER;
1237 ofile += 4;
1238 }
e5489333 1239
e326959e
JH
1240 if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
1241 state->x509_cred, CCS ofile, gnutls_cert_index,
1242 ocsp_fmt)) < 0)
1243 return tls_error_gnu(
1244 US"gnutls_certificate_set_ocsp_status_request_file2",
1245 rc, host, errstr);
1246 DEBUG(D_tls)
1247 debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
e5489333 1248
e326959e
JH
1249 /* Arrange callbacks for OCSP request observability */
1250
1251 gnutls_handshake_set_hook_function(state->session,
1252 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1253
1254# else
1255# if defined(SUPPORT_SRV_OCSP_STACK)
be427508
JH
1256 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1257 state->x509_cred, gnutls_cert_index,
1258 server_ocsp_stapling_cb, ofile)))
1259 return tls_error_gnu(
1260 US"gnutls_certificate_set_ocsp_status_request_function2",
1261 rc, host, errstr);
1262 else
e326959e 1263# endif
e5489333
JH
1264 {
1265 if (cnt++ > 0)
1266 {
1267 DEBUG(D_tls)
1268 debug_printf("oops; multiple OCSP files not supported\n");
1269 break;
1270 }
d896cef5
JH
1271 gnutls_certificate_set_ocsp_status_request_function(
1272 state->x509_cred, server_ocsp_stapling_cb, ofile);
e5489333 1273 }
e326959e 1274# endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
47195144
JH
1275 }
1276 else
1277 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
e5489333 1278 }
fd71e7b8 1279#endif /* DISABLE_OCSP */
47195144 1280 }
ba86e143 1281 }
e5489333 1282 else /* client */
ba86e143 1283 {
47195144 1284 if (0 < (rc = tls_add_certfile(state, host,
ba86e143
JH
1285 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1286 return rc;
1287 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1288 }
1289
b34fc30c 1290 } /* tls_certificate */
059ec3d9 1291
2b4a568d 1292
059ec3d9
PH
1293/* Set the trusted CAs file if one is provided, and then add the CRL if one is
1294provided. Experiment shows that, if the certificate file is empty, an unhelpful
1295error message is provided. However, if we just refrain from setting anything up
1296in that case, certificate verification fails, which seems to be the correct
1297behaviour. */
1298
610ff438 1299if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 1300 {
cf0c6164 1301 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 1302 return DEFER;
610ff438
JH
1303#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1304 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1305 state->exp_tls_verify_certificates = NULL;
1306#endif
17c76198 1307 if (state->tls_crl && *state->tls_crl)
cf0c6164 1308 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 1309 return DEFER;
059ec3d9 1310
1365611d
PP
1311 if (!(state->exp_tls_verify_certificates &&
1312 *state->exp_tls_verify_certificates))
b34fc30c
PP
1313 {
1314 DEBUG(D_tls)
1365611d
PP
1315 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1316 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 1317 return OK;
b34fc30c 1318 }
1365611d 1319 }
83e2f8a2
PP
1320else
1321 {
1322 DEBUG(D_tls)
1323 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1324 return OK;
1325 }
17c76198 1326
cb1d7830
JH
1327#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1328if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1329 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1330else
1331#endif
1365611d 1332 {
cb1d7830
JH
1333 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1334 {
d896cef5 1335 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
cb1d7830
JH
1336 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1337 strerror(errno));
1338 return DEFER;
1339 }
17c76198 1340
a7fec7a7 1341#ifndef SUPPORT_CA_DIR
cb1d7830
JH
1342 /* The test suite passes in /dev/null; we could check for that path explicitly,
1343 but who knows if someone has some weird FIFO which always dumps some certs, or
1344 other weirdness. The thing we really want to check is that it's not a
1345 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 1346 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH
1347 if (S_ISDIR(statbuf.st_mode))
1348 {
1349 DEBUG(D_tls)
1350 debug_printf("verify certificates path is a dir: \"%s\"\n",
1351 state->exp_tls_verify_certificates);
1352 log_write(0, LOG_MAIN|LOG_PANIC,
1353 "tls_verify_certificates \"%s\" is a directory",
1354 state->exp_tls_verify_certificates);
1355 return DEFER;
1356 }
a7fec7a7 1357#endif
059ec3d9 1358
cb1d7830
JH
1359 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1360 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 1361
cb1d7830
JH
1362 if (statbuf.st_size == 0)
1363 {
1364 DEBUG(D_tls)
1365 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1366 return OK;
1367 }
059ec3d9 1368
cb1d7830 1369 cert_count =
a7fec7a7
JH
1370
1371#ifdef SUPPORT_CA_DIR
cb1d7830
JH
1372 (statbuf.st_mode & S_IFMT) == S_IFDIR
1373 ?
1374 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1375 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1376 :
a7fec7a7 1377#endif
cb1d7830
JH
1378 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1379 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
12d95aa6
JH
1380
1381#ifdef SUPPORT_CA_DIR
1382 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1383 when using the directory-of-certs config model. */
1384
1385 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1386 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1387#endif
cb1d7830 1388 }
a7fec7a7 1389
1365611d 1390if (cert_count < 0)
452a164f
JH
1391 return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
1392DEBUG(D_tls)
1393 debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1394
5c8cda3a
PP
1395if (state->tls_crl && *state->tls_crl &&
1396 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1397 {
5c8cda3a 1398 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
452a164f
JH
1399 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1400 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
1401 return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
1402 cert_count, host, errstr);
1403
5c8cda3a 1404 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1405 }
059ec3d9 1406
059ec3d9
PH
1407return OK;
1408}
1409
1410
1411
1412
1413/*************************************************
1365611d
PP
1414* Set X.509 state variables *
1415*************************************************/
1416
1417/* In GnuTLS, the registered cert/key are not replaced by a later
1418set of a cert/key, so for SNI support we need a whole new x509_cred
1419structure. Which means various other non-re-expanded pieces of state
1420need to be re-set in the new struct, so the setting logic is pulled
1421out to this.
1422
1423Arguments:
1424 state exim_gnutls_state_st *
cf0c6164 1425 errstr error string pointer
1365611d
PP
1426
1427Returns: OK/DEFER/FAIL
1428*/
1429
1430static int
cf0c6164 1431tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP
1432{
1433int rc;
1434const host_item *host = state->host; /* macro should be reconsidered? */
1435
49132a3b 1436#ifndef GNUTLS_AUTO_DHPARAMS
1365611d
PP
1437/* Create D-H parameters, or read them from the cache file. This function does
1438its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1439client-side params. */
1440
1441if (!state->host)
1442 {
1443 if (!dh_server_params)
452a164f 1444 if ((rc = init_server_dh(errstr)) != OK) return rc;
49132a3b
JH
1445
1446 /* Unnecessary & discouraged with 3.6.0 or later */
1365611d
PP
1447 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1448 }
49132a3b 1449#endif
1365611d
PP
1450
1451/* Link the credentials to the session. */
1452
452a164f
JH
1453if ((rc = gnutls_credentials_set(state->session,
1454 GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
1455 return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
1365611d
PP
1456
1457return OK;
1458}
1459
1460/*************************************************
17c76198 1461* Initialize for GnuTLS *
059ec3d9
PH
1462*************************************************/
1463
9196d5bf 1464
4fb7df6d
JH
1465#ifndef DISABLE_OCSP
1466
9196d5bf
JH
1467static BOOL
1468tls_is_buggy_ocsp(void)
1469{
1470const uschar * s;
1471uschar maj, mid, mic;
1472
1473s = CUS gnutls_check_version(NULL);
1474maj = atoi(CCS s);
1475if (maj == 3)
1476 {
1477 while (*s && *s != '.') s++;
1478 mid = atoi(CCS ++s);
1479 if (mid <= 2)
1480 return TRUE;
1481 else if (mid >= 5)
1482 return FALSE;
1483 else
1484 {
1485 while (*s && *s != '.') s++;
1486 mic = atoi(CCS ++s);
1487 return mic <= (mid == 3 ? 16 : 3);
1488 }
1489 }
1490return FALSE;
1491}
1492
4fb7df6d 1493#endif
9196d5bf
JH
1494
1495
17c76198
PP
1496/* Called from both server and client code. In the case of a server, errors
1497before actual TLS negotiation return DEFER.
059ec3d9
PH
1498
1499Arguments:
17c76198
PP
1500 host connected host, if client; NULL if server
1501 certificate certificate file
1502 privatekey private key file
1503 sni TLS SNI to send, sometimes when client; else NULL
1504 cas CA certs file
1505 crl CRL file
1506 require_ciphers tls_require_ciphers setting
817d9f57 1507 caller_state returned state-info structure
cf0c6164 1508 errstr error string pointer
059ec3d9 1509
17c76198 1510Returns: OK/DEFER/FAIL
059ec3d9
PH
1511*/
1512
17c76198
PP
1513static int
1514tls_init(
1515 const host_item *host,
1516 const uschar *certificate,
1517 const uschar *privatekey,
1518 const uschar *sni,
1519 const uschar *cas,
1520 const uschar *crl,
1521 const uschar *require_ciphers,
cf0c6164 1522 exim_gnutls_state_st **caller_state,
74f1a423 1523 tls_support * tlsp,
cf0c6164 1524 uschar ** errstr)
059ec3d9 1525{
00c0dd4e 1526exim_gnutls_state_st * state;
17c76198
PP
1527int rc;
1528size_t sz;
00c0dd4e
JH
1529const char * errpos;
1530const uschar * p;
17c76198
PP
1531
1532if (!exim_gnutls_base_init_done)
059ec3d9 1533 {
17c76198
PP
1534 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1535
9f707b89 1536#if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
a5f239e4
PP
1537 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1538 which loads modules from a config file, which sounds good and may be wanted
1539 by some sysadmin, but also means in common configurations that GNOME keyring
1540 environment variables are used and so breaks for users calling mailq.
1541 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1542 if (!gnutls_allow_auto_pkcs11)
452a164f
JH
1543 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
1544 return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
a5f239e4
PP
1545#endif
1546
4d2a62a3 1547#ifndef GNUTLS_AUTO_GLOBAL_INIT
452a164f
JH
1548 if ((rc = gnutls_global_init()))
1549 return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
4d2a62a3 1550#endif
17c76198
PP
1551
1552#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1553 DEBUG(D_tls)
059ec3d9 1554 {
17c76198 1555 gnutls_global_set_log_function(exim_gnutls_logger_cb);
aded2255 1556 /* arbitrarily chosen level; bump up to 9 for more */
17c76198 1557 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1558 }
17c76198
PP
1559#endif
1560
4fb7df6d
JH
1561#ifndef DISABLE_OCSP
1562 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1563 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1564#endif
9196d5bf 1565
17c76198 1566 exim_gnutls_base_init_done = TRUE;
059ec3d9 1567 }
059ec3d9 1568
17c76198
PP
1569if (host)
1570 {
74f1a423
JH
1571 /* For client-side sessions we allocate a context. This lets us run
1572 several in parallel. */
1573 int old_pool = store_pool;
1574 store_pool = POOL_PERM;
f3ebb786 1575 state = store_get(sizeof(exim_gnutls_state_st), FALSE);
74f1a423
JH
1576 store_pool = old_pool;
1577
17c76198 1578 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1579 state->tlsp = tlsp;
17c76198
PP
1580 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1581 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1582 }
1583else
1584 {
1585 state = &state_server;
1586 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1587 state->tlsp = tlsp;
17c76198
PP
1588 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1589 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1590 }
452a164f
JH
1591if (rc)
1592 return tls_error_gnu(US"gnutls_init", rc, host, errstr);
059ec3d9 1593
17c76198 1594state->host = host;
059ec3d9 1595
17c76198
PP
1596state->tls_certificate = certificate;
1597state->tls_privatekey = privatekey;
5779e6aa 1598state->tls_require_ciphers = require_ciphers;
17c76198
PP
1599state->tls_sni = sni;
1600state->tls_verify_certificates = cas;
1601state->tls_crl = crl;
059ec3d9 1602
17c76198
PP
1603/* This handles the variables that might get re-expanded after TLS SNI;
1604that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1605
17c76198
PP
1606DEBUG(D_tls)
1607 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1608if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1609
1365611d
PP
1610/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1611requires a new structure afterwards. */
83da1223 1612
cf0c6164 1613if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1614
17c76198
PP
1615/* set SNI in client, only */
1616if (host)
1617 {
cf0c6164 1618 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1619 return DEFER;
0df4ab80 1620 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP
1621 {
1622 DEBUG(D_tls)
0df4ab80
JH
1623 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1624 sz = Ustrlen(state->tlsp->sni);
452a164f
JH
1625 if ((rc = gnutls_server_name_set(state->session,
1626 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
1627 return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
17c76198
PP
1628 }
1629 }
1630else if (state->tls_sni)
1631 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
ba86e143 1632 "have an SNI set for a server [%s]\n", state->tls_sni);
83da1223 1633
17c76198 1634/* This is the priority string support,
42bfef1e 1635http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP
1636and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1637This was backwards incompatible, but means Exim no longer needs to track
1638all algorithms and provide string forms for them. */
83da1223 1639
fc243e94 1640p = NULL;
17c76198 1641if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1642 {
cf0c6164 1643 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP
1644 return DEFER;
1645 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1646 {
17c76198 1647 p = state->exp_tls_require_ciphers;
fc243e94 1648 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
83da1223
PH
1649 }
1650 }
fc243e94 1651if (!p)
17c76198 1652 {
fc243e94 1653 p = exim_default_gnutls_priority;
83e2f8a2 1654 DEBUG(D_tls)
fc243e94 1655 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
17c76198 1656 }
83da1223 1657
452a164f
JH
1658if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
1659 return tls_error_gnu(string_sprintf(
1660 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1661 p, errpos - CS p, errpos),
1662 rc, host, errstr);
17c76198 1663
452a164f
JH
1664if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
1665 return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
17c76198 1666
b10c87b3
JH
1667/* This also sets the server ticket expiration time to the same, and
1668the STEK rotation time to 3x. */
1669
17c76198
PP
1670gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1671
1672/* Reduce security in favour of increased compatibility, if the admin
1673decides to make that trade-off. */
1674if (gnutls_compat_mode)
83da1223 1675 {
17c76198
PP
1676#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1677 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1678 gnutls_session_enable_compatibility_mode(state->session);
1679#else
1680 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1681#endif
83da1223
PH
1682 }
1683
17c76198 1684*caller_state = state;
17c76198 1685return OK;
83da1223
PH
1686}
1687
1688
1689
83da1223 1690/*************************************************
17c76198 1691* Extract peer information *
059ec3d9
PH
1692*************************************************/
1693
f1be21cf
JH
1694static const uschar *
1695cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
1696 gnutls_mac_algorithm_t mac)
1697{
1698uschar cs_id[2];
1699gnutls_kx_algorithm_t kx_i;
1700gnutls_cipher_algorithm_t cipher_i;
1701gnutls_mac_algorithm_t mac_i;
1702
1703for (size_t i = 0;
1704 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
1705 i++)
1706 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
1707 return cipher_stdname(cs_id[0], cs_id[1]);
1708return NULL;
1709}
1710
1711
1712
17c76198 1713/* Called from both server and client code.
4fe99a6c
PP
1714Only this is allowed to set state->peerdn and state->have_set_peerdn
1715and we use that to detect double-calls.
059ec3d9 1716
75fe387d
PP
1717NOTE: the state blocks last while the TLS connection is up, which is fine
1718for logging in the server side, but for the client side, we log after teardown
1719in src/deliver.c. While the session is up, we can twist about states and
1720repoint tls_* globals, but those variables used for logging or other variable
1721expansion that happens _after_ delivery need to have a longer life-time.
1722
1723So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1724doing this more than once per generation of a state context. We set them in
1725the state context, and repoint tls_* to them. After the state goes away, the
1726tls_* copies of the pointers remain valid and client delivery logging is happy.
1727
1728tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1729don't apply.
1730
059ec3d9 1731Arguments:
17c76198 1732 state exim_gnutls_state_st *
cf0c6164 1733 errstr pointer to error string
059ec3d9 1734
17c76198 1735Returns: OK/DEFER/FAIL
059ec3d9
PH
1736*/
1737
17c76198 1738static int
b10c87b3 1739peer_status(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1740{
b10c87b3
JH
1741gnutls_session_t session = state->session;
1742const gnutls_datum_t * cert_list;
75fe387d 1743int old_pool, rc;
17c76198 1744unsigned int cert_list_size = 0;
4fe99a6c
PP
1745gnutls_protocol_t protocol;
1746gnutls_cipher_algorithm_t cipher;
1747gnutls_kx_algorithm_t kx;
1748gnutls_mac_algorithm_t mac;
17c76198
PP
1749gnutls_certificate_type_t ct;
1750gnutls_x509_crt_t crt;
b10c87b3 1751uschar * dn_buf;
17c76198 1752size_t sz;
059ec3d9 1753
4fe99a6c 1754if (state->have_set_peerdn)
17c76198 1755 return OK;
4fe99a6c 1756state->have_set_peerdn = TRUE;
059ec3d9 1757
4fe99a6c 1758state->peerdn = NULL;
059ec3d9 1759
4fe99a6c 1760/* tls_cipher */
b10c87b3
JH
1761cipher = gnutls_cipher_get(session);
1762protocol = gnutls_protocol_get_version(session);
1763mac = gnutls_mac_get(session);
b9c6f63c
JH
1764kx =
1765#ifdef GNUTLS_TLS1_3
1766 protocol >= GNUTLS_TLS1_3 ? 0 :
1767#endif
b10c87b3 1768 gnutls_kx_get(session);
4fe99a6c 1769
75fe387d 1770old_pool = store_pool;
f1be21cf 1771 {
b10c87b3 1772 tls_support * tlsp = state->tlsp;
f1be21cf 1773 store_pool = POOL_PERM;
d9acfc1c
JH
1774
1775#ifdef SUPPORT_GNUTLS_SESS_DESC
1776 {
1777 gstring * g = NULL;
b10c87b3 1778 uschar * s = US gnutls_session_get_desc(session), c;
d9acfc1c
JH
1779
1780 /* Nikos M suggests we use this by preference. It returns like:
1781 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
1782
1783 For partial back-compat, put a colon after the TLS version, replace the
1784 )-( grouping with __, replace in-group - with _ and append the :keysize. */
1785
1786 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
1787
1788 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
da40b1ec
JH
1789
1790 tlsp->ver = string_copyn(g->s, g->ptr);
1791 for (uschar * p = US tlsp->ver; *p; p++)
1792 if (*p == '-') { *p = '\0'; break; } /* TLS1.0-PKIX -> TLS1.0 */
1793
d9acfc1c
JH
1794 g = string_catn(g, US":", 1);
1795 if (*s) s++; /* now on _ between groups */
1796 while ((c = *s))
1797 {
da40b1ec
JH
1798 for (*++s && ++s; (c = *s) && c != ')'; s++)
1799 g = string_catn(g, c == '-' ? US"_" : s, 1);
d9acfc1c
JH
1800 /* now on ) closing group */
1801 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
1802 /* now on _ between groups */
1803 }
1804 g = string_catn(g, US":", 1);
1805 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
1806 state->ciphersuite = string_from_gstring(g);
1807 }
1808#else
f1be21cf
JH
1809 state->ciphersuite = string_sprintf("%s:%s:%d",
1810 gnutls_protocol_get_name(protocol),
1811 gnutls_cipher_suite_get_name(kx, cipher, mac),
1812 (int) gnutls_cipher_get_key_size(cipher) * 8);
1813
1814 /* I don't see a way that spaces could occur, in the current GnuTLS
1815 code base, but it was a concern in the old code and perhaps older GnuTLS
1816 releases did return "TLS 1.0"; play it safe, just in case. */
1817
1818 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
da40b1ec
JH
1819 tlsp->ver = string_copyn(state->ciphersuite,
1820 Ustrchr(state->ciphersuite, ':') - state->ciphersuite);
d9acfc1c
JH
1821#endif
1822
1823/* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
1824
b10c87b3
JH
1825 tlsp->cipher = state->ciphersuite;
1826 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
f1be21cf 1827
b10c87b3 1828 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
f1be21cf 1829 }
75fe387d 1830store_pool = old_pool;
4fe99a6c
PP
1831
1832/* tls_peerdn */
b10c87b3 1833cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
83da1223 1834
f1be21cf 1835if (!cert_list || cert_list_size == 0)
17c76198 1836 {
17c76198
PP
1837 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1838 cert_list, cert_list_size);
e51c7be2 1839 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1840 return tls_error(US"certificate verification failed",
48224640 1841 US"no certificate received from peer", state->host, errstr);
17c76198
PP
1842 return OK;
1843 }
059ec3d9 1844
b10c87b3 1845if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
059ec3d9 1846 {
95f52235 1847 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
17c76198
PP
1848 DEBUG(D_tls)
1849 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1850 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1851 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1852 ctn, state->host, errstr);
17c76198 1853 return OK;
83da1223 1854 }
059ec3d9 1855
e51c7be2
JH
1856#define exim_gnutls_peer_err(Label) \
1857 do { \
1858 if (rc != GNUTLS_E_SUCCESS) \
1859 { \
1860 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1861 (Label), gnutls_strerror(rc)); \
1862 if (state->verify_requirement >= VERIFY_REQUIRED) \
452a164f 1863 return tls_error_gnu((Label), rc, state->host, errstr); \
e51c7be2
JH
1864 return OK; \
1865 } \
1866 } while (0)
17c76198 1867
9d1c15ef
JH
1868rc = import_cert(&cert_list[0], &crt);
1869exim_gnutls_peer_err(US"cert 0");
1870
1871state->tlsp->peercert = state->peercert = crt;
17c76198 1872
17c76198
PP
1873sz = 0;
1874rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1875if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1876 {
17c76198
PP
1877 exim_gnutls_peer_err(US"getting size for cert DN failed");
1878 return FAIL; /* should not happen */
059ec3d9 1879 }
f3ebb786 1880dn_buf = store_get_perm(sz, TRUE); /* tainted */
17c76198
PP
1881rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1882exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1883
17c76198
PP
1884state->peerdn = dn_buf;
1885
1886return OK;
1887#undef exim_gnutls_peer_err
1888}
059ec3d9 1889
059ec3d9 1890
059ec3d9 1891
059ec3d9 1892
17c76198
PP
1893/*************************************************
1894* Verify peer certificate *
1895*************************************************/
059ec3d9 1896
17c76198
PP
1897/* Called from both server and client code.
1898*Should* be using a callback registered with
1899gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1900the peer information, but that's too new for some OSes.
059ec3d9 1901
17c76198 1902Arguments:
899b8bbc
JH
1903 state exim_gnutls_state_st *
1904 errstr where to put an error message
059ec3d9 1905
17c76198
PP
1906Returns:
1907 FALSE if the session should be rejected
1908 TRUE if the cert is okay or we just don't care
1909*/
059ec3d9 1910
17c76198 1911static BOOL
28646fa9 1912verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
17c76198
PP
1913{
1914int rc;
899b8bbc
JH
1915uint verify;
1916
8008accd 1917DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
cf0c6164 1918*errstr = NULL;
b10c87b3 1919rc = peer_status(state, errstr);
17c76198 1920
b10c87b3
JH
1921if (state->verify_requirement == VERIFY_NONE)
1922 return TRUE;
1923
1924if (rc != OK || !state->peerdn)
e6060e2c 1925 {
17c76198 1926 verify = GNUTLS_CERT_INVALID;
cf0c6164 1927 *errstr = US"certificate not supplied";
17c76198
PP
1928 }
1929else
899b8bbc
JH
1930
1931 {
1932#ifdef SUPPORT_DANE
1933 if (state->verify_requirement == VERIFY_DANE && state->host)
1934 {
1935 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1936 including talking to a DNS resolver. But we want to do that bit ourselves
1937 as the testsuite intercepts and fakes its own DNS environment. */
1938
1939 dane_state_t s;
1940 dane_query_t r;
899b8bbc 1941 uint lsize;
94c13285
JH
1942 const gnutls_datum_t * certlist =
1943 gnutls_certificate_get_peers(state->session, &lsize);
1944 int usage = tls_out.tlsa_usage;
1945
1946# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1947 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1948 dane-verification separately so that we know which selector verified;
570cb1bd 1949 then we know whether to do name-verification (needed for TA but not EE). */
94c13285
JH
1950
1951 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
bd5b3f3c 1952 { /* a mixed-usage bundle */
94c13285
JH
1953 int i, j, nrec;
1954 const char ** dd;
1955 int * ddl;
1956
3d2e82c5 1957 for (nrec = 0; state->dane_data_len[nrec]; ) nrec++;
94c13285
JH
1958 nrec++;
1959
f3ebb786
JH
1960 dd = store_get(nrec * sizeof(uschar *), FALSE);
1961 ddl = store_get(nrec * sizeof(int), FALSE);
94c13285
JH
1962 nrec--;
1963
1964 if ((rc = dane_state_init(&s, 0)))
1965 goto tlsa_prob;
1966
1967 for (usage = DANESSL_USAGE_DANE_EE;
1968 usage >= DANESSL_USAGE_DANE_TA; usage--)
1969 { /* take records with this usage */
1970 for (j = i = 0; i < nrec; i++)
1971 if (state->dane_data[i][0] == usage)
1972 {
1973 dd[j] = state->dane_data[i];
1974 ddl[j++] = state->dane_data_len[i];
1975 }
1976 if (j)
1977 {
1978 dd[j] = NULL;
1979 ddl[j] = 0;
1980
1981 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1982 goto tlsa_prob;
1983
1984 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1985 gnutls_certificate_type_get(state->session),
1986 r, 0,
1987 usage == DANESSL_USAGE_DANE_EE
1988 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1989 &verify)))
1990 {
1991 DEBUG(D_tls)
1992 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1993 }
1994 else if (verify == 0) /* verification passed */
1995 {
1996 usage = 1 << usage;
1997 break;
1998 }
1999 }
2000 }
899b8bbc 2001
94c13285
JH
2002 if (rc) goto tlsa_prob;
2003 }
2004 else
2005# endif
899b8bbc 2006 {
94c13285
JH
2007 if ( (rc = dane_state_init(&s, 0))
2008 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
2009 1, 0))
2010 || (rc = dane_verify_crt_raw(s, certlist, lsize,
2011 gnutls_certificate_type_get(state->session),
5ec37a55 2012 r, 0,
94c13285
JH
2013# ifdef GNUTLS_BROKEN_DANE_VALIDATION
2014 usage == (1 << DANESSL_USAGE_DANE_EE)
2015 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
2016# else
2017 0,
2018# endif
2019 &verify))
2020 )
2021 goto tlsa_prob;
899b8bbc 2022 }
94c13285
JH
2023
2024 if (verify != 0) /* verification failed */
899b8bbc
JH
2025 {
2026 gnutls_datum_t str;
2027 (void) dane_verification_status_print(verify, &str, 0);
2028 *errstr = US str.data; /* don't bother to free */
2029 goto badcert;
2030 }
28646fa9 2031
94c13285
JH
2032# ifdef GNUTLS_BROKEN_DANE_VALIDATION
2033 /* If a TA-mode TLSA record was used for verification we must additionally
570cb1bd 2034 verify the cert name (but not the CA chain). For EE-mode, skip it. */
28646fa9 2035
94c13285
JH
2036 if (usage & (1 << DANESSL_USAGE_DANE_EE))
2037# endif
28646fa9 2038 {
570cb1bd 2039 state->peer_dane_verified = state->peer_cert_verified = TRUE;
28646fa9
JH
2040 goto goodcert;
2041 }
570cb1bd
JH
2042# ifdef GNUTLS_BROKEN_DANE_VALIDATION
2043 /* Assume that the name on the A-record is the one that should be matching
2044 the cert. An alternate view is that the domain part of the email address
2045 is also permissible. */
2046
2047 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2048 CS state->host->name))
2049 {
2050 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2051 goto goodcert;
2052 }
2053# endif
899b8bbc 2054 }
570cb1bd 2055#endif /*SUPPORT_DANE*/
899b8bbc 2056
17c76198 2057 rc = gnutls_certificate_verify_peers2(state->session, &verify);
899b8bbc 2058 }
e6060e2c 2059
899b8bbc 2060/* Handle the result of verification. INVALID is set if any others are. */
059ec3d9 2061
28646fa9 2062if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
17c76198
PP
2063 {
2064 state->peer_cert_verified = FALSE;
cf0c6164 2065 if (!*errstr)
184384c3
JH
2066 {
2067#ifdef GNUTLS_CERT_VFY_STATUS_PRINT
2068 DEBUG(D_tls)
2069 {
2070 gnutls_datum_t txt;
2071
2072 if (gnutls_certificate_verification_status_print(verify,
2073 gnutls_certificate_type_get(state->session), &txt, 0)
2074 == GNUTLS_E_SUCCESS)
2075 {
2076 debug_printf("%s\n", txt.data);
2077 gnutls_free(txt.data);
2078 }
2079 }
2080#endif
cf0c6164
JH
2081 *errstr = verify & GNUTLS_CERT_REVOKED
2082 ? US"certificate revoked" : US"certificate invalid";
184384c3 2083 }
059ec3d9 2084
17c76198 2085 DEBUG(D_tls)
e51c7be2 2086 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 2087 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 2088
e51c7be2 2089 if (state->verify_requirement >= VERIFY_REQUIRED)
899b8bbc 2090 goto badcert;
17c76198 2091 DEBUG(D_tls)
4789da3a 2092 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 2093 }
e51c7be2 2094
17c76198
PP
2095else
2096 {
5fd28bb8
JH
2097 /* Client side, check the server's certificate name versus the name on the
2098 A-record for the connection we made. What to do for server side - what name
2099 to use for client? We document that there is no such checking for server
2100 side. */
2101
2102 if ( state->exp_tls_verify_cert_hostnames
2103 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2104 CS state->exp_tls_verify_cert_hostnames)
2105 )
e51c7be2 2106 {
5fd28bb8
JH
2107 DEBUG(D_tls)
2108 debug_printf("TLS certificate verification failed: cert name mismatch\n");
2109 if (state->verify_requirement >= VERIFY_REQUIRED)
2110 goto badcert;
2111 return TRUE;
e51c7be2 2112 }
5fd28bb8 2113
17c76198 2114 state->peer_cert_verified = TRUE;
e51c7be2 2115 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 2116 state->peerdn ? state->peerdn : US"<unset>");
17c76198 2117 }
059ec3d9 2118
28646fa9
JH
2119goodcert:
2120 state->tlsp->peerdn = state->peerdn;
2121 return TRUE;
899b8bbc 2122
b83314e3 2123#ifdef SUPPORT_DANE
94c13285 2124tlsa_prob:
624f33df
JH
2125 *errstr = string_sprintf("TLSA record problem: %s",
2126 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
b83314e3
JH
2127#endif
2128
899b8bbc
JH
2129badcert:
2130 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
2131 return FALSE;
17c76198 2132}
059ec3d9 2133
17c76198
PP
2134
2135
2136
2137/* ------------------------------------------------------------------------ */
2138/* Callbacks */
2139
2140/* Logging function which can be registered with
2141 * gnutls_global_set_log_function()
2142 * gnutls_global_set_log_level() 0..9
2143 */
af3498d6 2144#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 2145static void
17c76198 2146exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 2147{
8c79eebf
PP
2148 size_t len = strlen(message);
2149 if (len < 1)
2150 {
2151 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
2152 return;
2153 }
2154 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
2155 message[len-1] == '\n' ? "" : "\n");
17c76198 2156}
af3498d6 2157#endif
059ec3d9 2158
059ec3d9 2159
17c76198
PP
2160/* Called after client hello, should handle SNI work.
2161This will always set tls_sni (state->received_sni) if available,
2162and may trigger presenting different certificates,
2163if state->trigger_sni_changes is TRUE.
059ec3d9 2164
17c76198
PP
2165Should be registered with
2166 gnutls_handshake_set_post_client_hello_function()
059ec3d9 2167
17c76198
PP
2168"This callback must return 0 on success or a gnutls error code to terminate the
2169handshake.".
059ec3d9 2170
17c76198
PP
2171For inability to get SNI information, we return 0.
2172We only return non-zero if re-setup failed.
817d9f57 2173Only used for server-side TLS.
17c76198 2174*/
44bbabb5 2175
17c76198
PP
2176static int
2177exim_sni_handling_cb(gnutls_session_t session)
2178{
2179char sni_name[MAX_HOST_LEN];
2180size_t data_len = MAX_HOST_LEN;
817d9f57 2181exim_gnutls_state_st *state = &state_server;
17c76198
PP
2182unsigned int sni_type;
2183int rc, old_pool;
cf0c6164 2184uschar * dummy_errstr;
17c76198
PP
2185
2186rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP
2187if (rc != GNUTLS_E_SUCCESS)
2188 {
8775d84f 2189 DEBUG(D_tls)
b34fc30c
PP
2190 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
2191 debug_printf("TLS: no SNI presented in handshake.\n");
2192 else
2193 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
2194 gnutls_strerror(rc), rc);
b34fc30c
PP
2195 return 0;
2196 }
2197
17c76198
PP
2198if (sni_type != GNUTLS_NAME_DNS)
2199 {
2200 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
2201 return 0;
2202 }
44bbabb5 2203
17c76198
PP
2204/* We now have a UTF-8 string in sni_name */
2205old_pool = store_pool;
2206store_pool = POOL_PERM;
89a80675 2207state->received_sni = string_copy_taint(US sni_name, TRUE);
17c76198
PP
2208store_pool = old_pool;
2209
2210/* We set this one now so that variable expansions below will work */
817d9f57 2211state->tlsp->sni = state->received_sni;
17c76198
PP
2212
2213DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
2214 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
2215
2216if (!state->trigger_sni_changes)
2217 return 0;
2218
cf0c6164 2219if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP
2220 {
2221 /* If the setup of certs/etc failed before handshake, TLS would not have
2222 been offered. The best we can do now is abort. */
2223 return GNUTLS_E_APPLICATION_ERROR_MIN;
2224 }
2225
cf0c6164 2226rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP
2227if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
2228
2229return 0;
059ec3d9
PH
2230}
2231
2232
2233
0cbf2b82 2234#ifndef DISABLE_EVENT
a7538db1
JH
2235/*
2236We use this callback to get observability and detail-level control
723fe533
JH
2237for an exim TLS connection (either direction), raising a tls:cert event
2238for each cert in the chain presented by the peer. Any event
a7538db1
JH
2239can deny verification.
2240
2241Return 0 for the handshake to continue or non-zero to terminate.
2242*/
2243
2244static int
723fe533 2245verify_cb(gnutls_session_t session)
a7538db1 2246{
27f19eb4 2247const gnutls_datum_t * cert_list;
a7538db1
JH
2248unsigned int cert_list_size = 0;
2249gnutls_x509_crt_t crt;
2250int rc;
b30275b8 2251uschar * yield;
a7538db1
JH
2252exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2253
bd5b3f3c 2254if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
a7538db1
JH
2255 while (cert_list_size--)
2256 {
bd5b3f3c 2257 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
a7538db1
JH
2258 {
2259 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2260 cert_list_size, gnutls_strerror(rc));
2261 break;
2262 }
2263
2264 state->tlsp->peercert = crt;
b30275b8
JH
2265 if ((yield = event_raise(state->event_action,
2266 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH
2267 {
2268 log_write(0, LOG_MAIN,
b30275b8
JH
2269 "SSL verify denied by event-action: depth=%d: %s",
2270 cert_list_size, yield);
a7538db1
JH
2271 return 1; /* reject */
2272 }
2273 state->tlsp->peercert = NULL;
2274 }
2275
2276return 0;
2277}
2278
2279#endif
44662487
JH
2280
2281
f20cfa4a
JH
2282static gstring *
2283ddump(gnutls_datum_t * d)
2284{
2285gstring * g = string_get((d->size+1) * 2);
2286uschar * s = d->data;
2287for (unsigned i = d->size; i > 0; i--, s++)
2288 {
2289 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2290 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2291 }
2292return g;
2293}
17c76198 2294
dc6d1769
JH
2295static void
2296post_handshake_debug(exim_gnutls_state_st * state)
2297{
dc6d1769
JH
2298#ifdef SUPPORT_GNUTLS_SESS_DESC
2299debug_printf("%s\n", gnutls_session_get_desc(state->session));
2300#endif
e326959e 2301
86ede124 2302#ifdef SUPPORT_GNUTLS_KEYLOG
e326959e 2303# ifdef EXIM_HAVE_TLS1_3
dc6d1769 2304if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
86ede124 2305# else
a8af957d 2306if (TRUE)
86ede124 2307# endif
dc6d1769
JH
2308 {
2309 gnutls_datum_t c, s;
2310 gstring * gc, * gs;
86ede124 2311 /* For TLS1.2 we only want the client random and the master secret */
dc6d1769
JH
2312 gnutls_session_get_random(state->session, &c, &s);
2313 gnutls_session_get_master_secret(state->session, &s);
2314 gc = ddump(&c);
2315 gs = ddump(&s);
2316 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2317 }
2318else
2319 debug_printf("To get keying info for TLS1.3 is hard:\n"
7832b9aa
HSHR
2320 " Set environment variable SSLKEYLOGFILE to a filename relative to the spool directory,\n"
2321 " and make sure it is writable by the Exim runtime user.\n"
2322 " Add SSLKEYLOGFILE to keep_environment in the exim config.\n"
2323 " Start Exim as root.\n"
2324 " If using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
2325 " (works for TLS1.2 also, and saves cut-paste into file).\n"
86ede124 2326 " Trying to use add_environment for this will not work\n");
dc6d1769
JH
2327#endif
2328}
2329
b10c87b3
JH
2330
2331#ifdef EXPERIMENTAL_TLS_RESUME
2332static int
2333tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2334 unsigned incoming, const gnutls_datum_t * msg)
2335{
2336DEBUG(D_tls) debug_printf("newticket cb\n");
2337tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2338return 0;
2339}
2340
2341static void
2342tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2343{
2344/* Should the server offer session resumption? */
2345tls_in.resumption = RESUME_SUPPORTED;
2346if (verify_check_host(&tls_resumption_hosts) == OK)
2347 {
2348 int rc;
2349 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2350 an offered resumption is unacceptable. We lose one resumption per ticket
2351 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2352 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2353 least they go out in a single packet. */
2354
2355 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2356 &server_sessticket_key)))
2357 tls_in.resumption |= RESUME_SERVER_TICKET;
2358 else
2359 DEBUG(D_tls)
2360 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2361
2362 /* Try to tell if we see a ticket request */
2363 gnutls_handshake_set_hook_function(state->session,
e5489333 2364 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
b10c87b3
JH
2365 }
2366}
2367
2368static void
2369tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2370{
2371if (gnutls_session_resumption_requested(state->session))
2372 {
2373 /* This tells us the client sent a full ticket. We use a
2374 callback on session-ticket request, elsewhere, to tell
2375 if a client asked for a ticket. */
2376
2377 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2378 DEBUG(D_tls) debug_printf("client requested resumption\n");
2379 }
2380if (gnutls_session_is_resumed(state->session))
2381 {
2382 tls_in.resumption |= RESUME_USED;
2383 DEBUG(D_tls) debug_printf("Session resumed\n");
2384 }
2385}
2386#endif
17c76198
PP
2387/* ------------------------------------------------------------------------ */
2388/* Exported functions */
2389
2390
2391
2392
059ec3d9
PH
2393/*************************************************
2394* Start a TLS session in a server *
2395*************************************************/
2396
2397/* This is called when Exim is running as a server, after having received
2398the STARTTLS command. It must respond to that command, and then negotiate
2399a TLS session.
2400
2401Arguments:
83da1223 2402 require_ciphers list of allowed ciphers or NULL
cf0c6164 2403 errstr pointer to error string
059ec3d9
PH
2404
2405Returns: OK on success
2406 DEFER for errors before the start of the negotiation
4c04137d 2407 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
2408 continue running.
2409*/
2410
2411int
cf0c6164 2412tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
2413{
2414int rc;
cf0c6164 2415exim_gnutls_state_st * state = NULL;
059ec3d9
PH
2416
2417/* Check for previous activation */
74f1a423 2418if (tls_in.active.sock >= 0)
059ec3d9 2419 {
48224640 2420 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
925ac8e4 2421 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
2422 return FAIL;
2423 }
2424
2425/* Initialize the library. If it fails, it will already have logged the error
2426and sent an SMTP response. */
2427
17c76198 2428DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 2429
d85cdeb5
JH
2430 {
2431#ifdef MEASURE_TIMING
2432 struct timeval t0;
2433 gettimeofday(&t0, NULL);
2434#endif
2435
2436 if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
2437 NULL, tls_verify_certificates, tls_crl,
2438 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
2439
2440#ifdef MEASURE_TIMING
2441 report_time_since(&t0, US"server tls_init (delta)");
2442#endif
2443 }
059ec3d9 2444
b10c87b3
JH
2445#ifdef EXPERIMENTAL_TLS_RESUME
2446tls_server_resume_prehandshake(state);
2447#endif
2448
059ec3d9
PH
2449/* If this is a host for which certificate verification is mandatory or
2450optional, set up appropriately. */
2451
059ec3d9 2452if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 2453 {
e51c7be2
JH
2454 DEBUG(D_tls)
2455 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP
2456 state->verify_requirement = VERIFY_REQUIRED;
2457 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2458 }
059ec3d9 2459else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 2460 {
e51c7be2
JH
2461 DEBUG(D_tls)
2462 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP
2463 state->verify_requirement = VERIFY_OPTIONAL;
2464 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2465 }
2466else
2467 {
e51c7be2
JH
2468 DEBUG(D_tls)
2469 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP
2470 state->verify_requirement = VERIFY_NONE;
2471 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2472 }
059ec3d9 2473
0cbf2b82 2474#ifndef DISABLE_EVENT
723fe533
JH
2475if (event_action)
2476 {
2477 state->event_action = event_action;
2478 gnutls_session_set_ptr(state->session, state);
2479 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2480 }
2481#endif
2482
17c76198
PP
2483/* Register SNI handling; always, even if not in tls_certificate, so that the
2484expansion variable $tls_sni is always available. */
059ec3d9 2485
17c76198
PP
2486gnutls_handshake_set_post_client_hello_function(state->session,
2487 exim_sni_handling_cb);
059ec3d9
PH
2488
2489/* Set context and tell client to go ahead, except in the case of TLS startup
2490on connection, where outputting anything now upsets the clients and tends to
2491make them disconnect. We need to have an explicit fflush() here, to force out
2492the response. Other smtp_printf() calls do not need it, because in non-TLS
2493mode, the fflush() happens when smtp_getc() is called. */
2494
817d9f57 2495if (!state->tlsp->on_connect)
059ec3d9 2496 {
925ac8e4 2497 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 2498 fflush(smtp_out);
059ec3d9
PH
2499 }
2500
2501/* Now negotiate the TLS session. We put our own timer on it, since it seems
8008accd
JH
2502that the GnuTLS library doesn't.
2503From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2504to set (and clear down afterwards) up a pull-timeout callback function that does
2505a select, so we're no better off unless avoiding signals becomes an issue. */
059ec3d9 2506
17c76198 2507gnutls_transport_set_ptr2(state->session,
27f19eb4
JH
2508 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2509 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP
2510state->fd_in = fileno(smtp_in);
2511state->fd_out = fileno(smtp_out);
059ec3d9
PH
2512
2513sigalrm_seen = FALSE;
c2a1bba0 2514if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
17c76198 2515do
17c76198 2516 rc = gnutls_handshake(state->session);
05c3a5a2 2517while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2518ALARM_CLR(0);
059ec3d9 2519
17c76198 2520if (rc != GNUTLS_E_SUCCESS)
059ec3d9 2521 {
059ec3d9
PH
2522 /* It seems that, except in the case of a timeout, we have to close the
2523 connection right here; otherwise if the other end is running OpenSSL it hangs
2524 until the server times out. */
2525
60d10ce7 2526 if (sigalrm_seen)
ad7fc6eb 2527 {
48224640 2528 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
ad7fc6eb
JH
2529 gnutls_db_remove_session(state->session);
2530 }
60d10ce7 2531 else
059ec3d9 2532 {
452a164f 2533 tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
f5d25c2b 2534 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 2535 gnutls_deinit(state->session);
ed62aae3 2536 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 2537 millisleep(500);
ad7fc6eb 2538 shutdown(state->fd_out, SHUT_WR);
d7978c0f 2539 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
f1e894f3
PH
2540 (void)fclose(smtp_out);
2541 (void)fclose(smtp_in);
60d10ce7 2542 smtp_out = smtp_in = NULL;
059ec3d9
PH
2543 }
2544
2545 return FAIL;
2546 }
2547
17ba0f52 2548#ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
1c519e07
JH
2549if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
2550 tls_in.ext_master_secret = TRUE;
17ba0f52 2551#endif
1c519e07 2552
b10c87b3
JH
2553#ifdef EXPERIMENTAL_TLS_RESUME
2554tls_server_resume_posthandshake(state);
2555#endif
2556
dc6d1769 2557DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2558
17c76198
PP
2559/* Verify after the fact */
2560
899b8bbc 2561if (!verify_certificate(state, errstr))
059ec3d9 2562 {
9d1c15ef 2563 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 2564 {
cf0c6164 2565 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 2566 return FAIL;
17c76198 2567 }
9d1c15ef
JH
2568 DEBUG(D_tls)
2569 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 2570 *errstr);
059ec3d9
PH
2571 }
2572
17c76198
PP
2573/* Sets various Exim expansion variables; always safe within server */
2574
9d1c15ef 2575extract_exim_vars_from_tls_state(state);
059ec3d9
PH
2576
2577/* TLS has been set up. Adjust the input functions to read via TLS,
2578and initialize appropriately. */
2579
17c76198 2580state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH
2581
2582receive_getc = tls_getc;
0d81dabc 2583receive_getbuf = tls_getbuf;
584e96c6 2584receive_get_cache = tls_get_cache;
059ec3d9
PH
2585receive_ungetc = tls_ungetc;
2586receive_feof = tls_feof;
2587receive_ferror = tls_ferror;
58eb016e 2588receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2589
059ec3d9
PH
2590return OK;
2591}
2592
2593
2594
2595
aa2a70ba
JH
2596static void
2597tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2598 smtp_transport_options_block * ob)
2599{
3fb3231c 2600if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 2601 {
4af0d74a 2602 state->exp_tls_verify_cert_hostnames =
8c5d388a 2603#ifdef SUPPORT_I18N
4af0d74a
JH
2604 string_domain_utf8_to_alabel(host->name, NULL);
2605#else
2606 host->name;
2607#endif
aa2a70ba
JH
2608 DEBUG(D_tls)
2609 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2610 state->exp_tls_verify_cert_hostnames);
2611 }
2612}
aa2a70ba
JH
2613
2614
899b8bbc
JH
2615
2616
2617#ifdef SUPPORT_DANE
2618/* Given our list of RRs from the TLSA lookup, build a lookup block in
2619GnuTLS-DANE's preferred format. Hang it on the state str for later
2620use in DANE verification.
2621
2622We point at the dnsa data not copy it, so it must remain valid until
2623after verification is done.*/
2624
3674140c 2625static BOOL
899b8bbc
JH
2626dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2627{
899b8bbc
JH
2628dns_scan dnss;
2629int i;
2630const char ** dane_data;
2631int * dane_data_len;
2632
d7978c0f
JH
2633i = 1;
2634for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc
JH
2635 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2636 ) if (rr->type == T_TLSA) i++;
2637
f3ebb786
JH
2638dane_data = store_get(i * sizeof(uschar *), FALSE);
2639dane_data_len = store_get(i * sizeof(int), FALSE);
899b8bbc 2640
d7978c0f
JH
2641i = 0;
2642for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc 2643 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2644 ) if (rr->type == T_TLSA && rr->size > 3)
899b8bbc
JH
2645 {
2646 const uschar * p = rr->data;
f3ebb786 2647/*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
3674140c
JH
2648 uint8_t usage = p[0], sel = p[1], type = p[2];
2649
2650 DEBUG(D_tls)
2651 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2652
94c13285
JH
2653 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2654 || (sel != 0 && sel != 1)
2655 )
2656 continue;
3674140c
JH
2657 switch(type)
2658 {
2659 case 0: /* Full: cannot check at present */
2660 break;
2661 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2662 break;
2663 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2664 break;
2665 default: continue;
2666 }
899b8bbc
JH
2667
2668 tls_out.tlsa_usage |= 1<<usage;
48224640 2669 dane_data[i] = CS p;
899b8bbc
JH
2670 dane_data_len[i++] = rr->size;
2671 }
3674140c
JH
2672
2673if (!i) return FALSE;
2674
899b8bbc
JH
2675dane_data[i] = NULL;
2676dane_data_len[i] = 0;
2677
2678state->dane_data = (char * const *)dane_data;
2679state->dane_data_len = dane_data_len;
3674140c 2680return TRUE;
899b8bbc
JH
2681}
2682#endif
2683
2684
2685
b10c87b3
JH
2686#ifdef EXPERIMENTAL_TLS_RESUME
2687/* On the client, get any stashed session for the given IP from hints db
2688and apply it to the ssl-connection for attempted resumption. Although
2689there is a gnutls_session_ticket_enable_client() interface it is
2690documented as unnecessary (as of 3.6.7) as "session tickets are emabled
2691by deafult". There seems to be no way to disable them, so even hosts not
2692enabled by the transport option will be sent a ticket request. We will
2693however avoid storing and retrieving session information. */
2694
2695static void
2696tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
2697 host_item * host, smtp_transport_options_block * ob)
2698{
2699tlsp->resumption = RESUME_SUPPORTED;
2700if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2701 {
2702 dbdata_tls_session * dt;
2703 int len, rc;
2704 open_db dbblock, * dbm_file;
2705
2706 DEBUG(D_tls)
2707 debug_printf("check for resumable session for %s\n", host->address);
2708 tlsp->host_resumable = TRUE;
2709 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2710 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2711 {
dea4b568
JH
2712 /* Key for the db is the IP. We'd like to filter the retrieved session
2713 for ticket advisory expiry, but 3.6.1 seems to give no access to that */
2714
b10c87b3
JH
2715 if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
2716 if (!(rc = gnutls_session_set_data(session,
2717 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
2718 {
2719 DEBUG(D_tls) debug_printf("good session\n");
2720 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2721 }
2722 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
2723 US gnutls_strerror(rc));
2724 dbfn_close(dbm_file);
2725 }
2726 }
2727}
2728
2729
2730static void
2731tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
2732{
2733/* TLS 1.2 - we get both the callback and the direct posthandshake call,
2734but this flag is not set until the second. TLS 1.3 it's the other way about.
2735Keep both calls as the session data cannot be extracted before handshake
2736completes. */
2737
2738if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
2739 {
2740 gnutls_datum_t tkt;
2741 int rc;
2742
2743 DEBUG(D_tls) debug_printf("server offered session ticket\n");
2744 tlsp->ticket_received = TRUE;
2745 tlsp->resumption |= RESUME_SERVER_TICKET;
2746
2747 if (tlsp->host_resumable)
2748 if (!(rc = gnutls_session_get_data2(session, &tkt)))
2749 {
2750 open_db dbblock, * dbm_file;
2751 int dlen = sizeof(dbdata_tls_session) + tkt.size;
f3ebb786 2752 dbdata_tls_session * dt = store_get(dlen, TRUE);
b10c87b3
JH
2753
2754 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
2755 memcpy(dt->session, tkt.data, tkt.size);
2756 gnutls_free(tkt.data);
2757
2758 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2759 {
2760 /* key for the db is the IP */
2761 dbfn_delete(dbm_file, host->address);
2762 dbfn_write(dbm_file, host->address, dt, dlen);
2763 dbfn_close(dbm_file);
2764
2765 DEBUG(D_tls)
2766 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
2767 }
2768 }
2769 else DEBUG(D_tls)
2770 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
2771 }
2772}
2773
2774
2775/* With a TLS1.3 session, the ticket(s) are not seen until
2776the first data read is attempted. And there's often two of them.
2777Pick them up with this callback. We are also called for 1.2
2778but we do nothing.
2779*/
2780static int
2781tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2782 unsigned incoming, const gnutls_datum_t * msg)
2783{
2784exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
2785tls_support * tlsp = state->tlsp;
2786
2787DEBUG(D_tls) debug_printf("newticket cb\n");
2788
2789if (!tlsp->ticket_received)
2790 tls_save_session(tlsp, sess, state->host);
2791return 0;
2792}
2793
2794
2795static void
2796tls_client_resume_prehandshake(exim_gnutls_state_st * state,
2797 tls_support * tlsp, host_item * host,
2798 smtp_transport_options_block * ob)
2799{
2800gnutls_session_set_ptr(state->session, state);
2801gnutls_handshake_set_hook_function(state->session,
2802 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
2803
2804tls_retrieve_session(tlsp, state->session, host, ob);
2805}
2806
2807static void
2808tls_client_resume_posthandshake(exim_gnutls_state_st * state,
2809 tls_support * tlsp, host_item * host)
2810{
2811if (gnutls_session_is_resumed(state->session))
2812 {
2813 DEBUG(D_tls) debug_printf("Session resumed\n");
2814 tlsp->resumption |= RESUME_USED;
2815 }
2816
2817tls_save_session(tlsp, state->session, host);
2818}
2819#endif /* EXPERIMENTAL_TLS_RESUME */
2820
2821
059ec3d9
PH
2822/*************************************************
2823* Start a TLS session in a client *
2824*************************************************/
2825
2826/* Called from the smtp transport after STARTTLS has been accepted.
2827
2828Arguments:
c05bdbd6
JH
2829 cctx connection context
2830 conn_args connection details
2831 cookie datum for randomness (not used)
2832 tlsp record details of channel configuration here; must be non-NULL
2833 errstr error string pointer
2834
2835Returns: TRUE for success with TLS session context set in smtp context,
2836 FALSE on error
059ec3d9
PH
2837*/
2838
c05bdbd6
JH
2839BOOL
2840tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2841 void * cookie ARG_UNUSED,
2842 tls_support * tlsp, uschar ** errstr)
059ec3d9 2843{
c05bdbd6
JH
2844host_item * host = conn_args->host; /* for msgs and option-tests */
2845transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2846smtp_transport_options_block * ob = tb
afdb5e9c
JH
2847 ? (smtp_transport_options_block *)tb->options_block
2848 : &smtp_transport_option_defaults;
059ec3d9 2849int rc;
899b8bbc 2850exim_gnutls_state_st * state = NULL;
c05bdbd6 2851uschar * cipher_list = NULL;
74f1a423 2852
f2de3a33 2853#ifndef DISABLE_OCSP
5130845b 2854BOOL require_ocsp =
3fb3231c 2855 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
44662487 2856BOOL request_ocsp = require_ocsp ? TRUE
3fb3231c 2857 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2b4a568d 2858#endif
059ec3d9 2859
c05bdbd6 2860DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
059ec3d9 2861
5ec37a55 2862#ifdef SUPPORT_DANE
c05bdbd6
JH
2863/* If dane is flagged, have either request or require dane for this host, and
2864a TLSA record found. Therefore, dane verify required. Which implies cert must
2865be requested and supplied, dane verify must pass, and cert verify irrelevant
2866(incl. hostnames), and (caller handled) require_tls */
2867
2868if (conn_args->dane && ob->dane_require_tls_ciphers)
5ec37a55
PP
2869 {
2870 /* not using expand_check_tlsvar because not yet in state */
2871 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2872 &cipher_list, errstr))
c05bdbd6 2873 return FALSE;
cf260049
JH
2874 cipher_list = cipher_list && *cipher_list
2875 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
5ec37a55
PP
2876 }
2877#endif
2878
2879if (!cipher_list)
2880 cipher_list = ob->tls_require_ciphers;
2881
d85cdeb5
JH
2882 {
2883#ifdef MEASURE_TIMING
2884 struct timeval t0;
2885 gettimeofday(&t0, NULL);
2886#endif
2887
2888 if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
2889 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
2890 cipher_list, &state, tlsp, errstr) != OK)
2891 return FALSE;
2892
2893#ifdef MEASURE_TIMING
2894 report_time_since(&t0, US"client tls_init (delta)");
2895#endif
2896 }
059ec3d9 2897
54c90be1 2898 {
65867078
JH
2899 int dh_min_bits = ob->tls_dh_min_bits;
2900 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2901 {
2902 DEBUG(D_tls)
2903 debug_printf("WARNING: tls_dh_min_bits far too low,"
2904 " clamping %d up to %d\n",
2905 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2906 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2907 }
54c90be1 2908
65867078
JH
2909 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2910 " acceptable bits to %d\n",
2911 dh_min_bits);
2912 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2913 }
83da1223 2914
94431adb 2915/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH
2916set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2917the specified host patterns if one of them is defined */
2918
899b8bbc 2919#ifdef SUPPORT_DANE
c05bdbd6 2920if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
899b8bbc
JH
2921 {
2922 DEBUG(D_tls)
2923 debug_printf("TLS: server certificate DANE required.\n");
2924 state->verify_requirement = VERIFY_DANE;
2925 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
899b8bbc
JH
2926 }
2927else
2928#endif
2929 if ( ( state->exp_tls_verify_certificates
2930 && !ob->tls_verify_hosts
2931 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2932 )
3fb3231c 2933 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
899b8bbc 2934 )
17c76198 2935 {
aa2a70ba 2936 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH
2937 DEBUG(D_tls)
2938 debug_printf("TLS: server certificate verification required.\n");
2939 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB
2940 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2941 }
3fb3231c 2942else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
52f93eed 2943 {
aa2a70ba 2944 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH
2945 DEBUG(D_tls)
2946 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2947 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP
2948 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2949 }
2950else
2951 {
e51c7be2
JH
2952 DEBUG(D_tls)
2953 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB
2954 state->verify_requirement = VERIFY_NONE;
2955 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2956 }
059ec3d9 2957
f2de3a33
JH
2958#ifndef DISABLE_OCSP
2959 /* supported since GnuTLS 3.1.3 */
44662487 2960if (request_ocsp)
9d1c15ef
JH
2961 {
2962 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH
2963 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2964 NULL, 0, NULL)) != OK)
74f1a423 2965 {
452a164f 2966 tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
c05bdbd6 2967 return FALSE;
74f1a423
JH
2968 }
2969 tlsp->ocsp = OCSP_NOT_RESP;
9d1c15ef 2970 }
2b4a568d
JH
2971#endif
2972
b10c87b3
JH
2973#ifdef EXPERIMENTAL_TLS_RESUME
2974tls_client_resume_prehandshake(state, tlsp, host, ob);
2975#endif
2976
0cbf2b82 2977#ifndef DISABLE_EVENT
afdb5e9c 2978if (tb && tb->event_action)
a7538db1 2979 {
774ef2d7 2980 state->event_action = tb->event_action;
a7538db1 2981 gnutls_session_set_ptr(state->session, state);
723fe533 2982 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH
2983 }
2984#endif
2985
c05bdbd6
JH
2986gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
2987state->fd_in = cctx->sock;
2988state->fd_out = cctx->sock;
059ec3d9 2989
9d1c15ef 2990DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH
2991/* There doesn't seem to be a built-in timeout on connection. */
2992
2993sigalrm_seen = FALSE;
c2a1bba0 2994ALARM(ob->command_timeout);
17c76198 2995do
17c76198 2996 rc = gnutls_handshake(state->session);
05c3a5a2 2997while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2998ALARM_CLR(0);
059ec3d9 2999
4fe99a6c 3000if (rc != GNUTLS_E_SUCCESS)
74f1a423 3001 {
60d10ce7
JH
3002 if (sigalrm_seen)
3003 {
3004 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
48224640 3005 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
60d10ce7
JH
3006 }
3007 else
452a164f 3008 tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
c05bdbd6 3009 return FALSE;
74f1a423 3010 }
4fe99a6c 3011
dc6d1769 3012DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 3013
17c76198 3014/* Verify late */
059ec3d9 3015
899b8bbc 3016if (!verify_certificate(state, errstr))
74f1a423
JH
3017 {
3018 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
c05bdbd6 3019 return FALSE;
74f1a423 3020 }
059ec3d9 3021
17ba0f52 3022#ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
1c519e07
JH
3023if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
3024 tlsp->ext_master_secret = TRUE;
17ba0f52 3025#endif
1c519e07 3026
f2de3a33 3027#ifndef DISABLE_OCSP
7a501c87 3028if (request_ocsp)
2b4a568d
JH
3029 {
3030 DEBUG(D_tls)
3031 {
3032 gnutls_datum_t stapling;
3033 gnutls_ocsp_resp_t resp;
3034 gnutls_datum_t printed;
e326959e
JH
3035 unsigned idx = 0;
3036
3037 for (;
3038# ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
3039 (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
3040#else
3041 (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
3042#endif
3043 idx++)
3044 if ( (rc= gnutls_ocsp_resp_init(&resp)) == 0
3045 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
3046 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
3047 )
3048 {
3049 debug_printf("%.4096s", printed.data);
3050 gnutls_free(printed.data);
3051 }
3052 else
3053 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
3054 if (idx == 0 && rc)
452a164f 3055 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2b4a568d
JH
3056 }
3057
2b4a568d 3058 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2 3059 {
74f1a423
JH
3060 tlsp->ocsp = OCSP_FAILED;
3061 tls_error(US"certificate status check failed", NULL, state->host, errstr);
7a501c87
JH
3062 if (require_ocsp)
3063 return FALSE;
3064 }
3065 else
3066 {
3067 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
3068 tlsp->ocsp = OCSP_VFIED;
018058b2 3069 }
2b4a568d
JH
3070 }
3071#endif
3072
b10c87b3
JH
3073#ifdef EXPERIMENTAL_TLS_RESUME
3074tls_client_resume_posthandshake(state, tlsp, host);
3075#endif
059ec3d9 3076
4fe99a6c 3077/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 3078
9d1c15ef 3079extract_exim_vars_from_tls_state(state);
059ec3d9 3080
c05bdbd6
JH
3081cctx->tls_ctx = state;
3082return TRUE;
059ec3d9
PH
3083}
3084
3085
3086
17c76198 3087
059ec3d9 3088/*************************************************
17c76198 3089* Close down a TLS session *
059ec3d9
PH
3090*************************************************/
3091
17c76198
PP
3092/* This is also called from within a delivery subprocess forked from the
3093daemon, to shut down the TLS library, without actually doing a shutdown (which
3094would tamper with the TLS session in the parent process).
059ec3d9 3095
dec766a1 3096Arguments:
74f1a423 3097 ct_ctx client context pointer, or NULL for the one global server context
dec766a1 3098 shutdown 1 if TLS close-alert is to be sent,
afdb5e9c 3099 2 if also response to be waited for
dec766a1 3100
17c76198 3101Returns: nothing
059ec3d9
PH
3102*/
3103
17c76198 3104void
74f1a423 3105tls_close(void * ct_ctx, int shutdown)
059ec3d9 3106{
74f1a423 3107exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
bd231acd 3108tls_support * tlsp = state->tlsp;
059ec3d9 3109
bd231acd 3110if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
17c76198
PP
3111
3112if (shutdown)
3113 {
dec766a1
WB
3114 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3115 shutdown > 1 ? " (with response-wait)" : "");
3116
c2a1bba0 3117 ALARM(2);
dec766a1 3118 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
c2a1bba0 3119 ALARM_CLR(0);
17c76198
PP
3120 }
3121
bd231acd
JH
3122if (!ct_ctx) /* server */
3123 {
3124 receive_getc = smtp_getc;
3125 receive_getbuf = smtp_getbuf;
3126 receive_get_cache = smtp_get_cache;
3127 receive_ungetc = smtp_ungetc;
3128 receive_feof = smtp_feof;
3129 receive_ferror = smtp_ferror;
3130 receive_smtp_buffered = smtp_buffered;
3131 }
3132
17c76198 3133gnutls_deinit(state->session);
ed62aae3
HSHR
3134gnutls_certificate_free_credentials(state->x509_cred);
3135
bd231acd
JH
3136tlsp->active.sock = -1;
3137tlsp->active.tls_ctx = NULL;
3138/* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
b1a32a3c 3139tlsp->channelbinding = NULL;
bd231acd 3140
17c76198 3141
b808677c 3142if (state->xfer_buffer) store_free(state->xfer_buffer);
17c76198 3143memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
059ec3d9
PH
3144}
3145
3146
3147
17c76198 3148
0d81dabc
JH
3149static BOOL
3150tls_refill(unsigned lim)
3151{
3152exim_gnutls_state_st * state = &state_server;
3153ssize_t inbytes;
3154
50a3f205 3155DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, buffersize=%u)\n",
0d81dabc
JH
3156 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
3157
f1fed05b 3158sigalrm_seen = FALSE;
c2a1bba0 3159if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
4896a319 3160
05c3a5a2
HSHR
3161do
3162 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
3163 MIN(ssl_xfer_buffer_size, lim));
3164while (inbytes == GNUTLS_E_AGAIN);
4896a319 3165
c2a1bba0 3166if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH
3167
3168if (had_command_timeout) /* set by signal handler */
3169 smtp_command_timeout_exit(); /* does not return */
3170if (had_command_sigterm)
3171 smtp_command_sigterm_exit();
3172if (had_data_timeout)
3173 smtp_data_timeout_exit();
3174if (had_data_sigint)
3175 smtp_data_sigint_exit();
3176
3177/* Timeouts do not get this far. A zero-byte return appears to mean that the
3178TLS session has been closed down, not that the socket itself has been closed
3179down. Revert to non-TLS handling. */
0d81dabc
JH
3180
3181if (sigalrm_seen)
3182 {
3183 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
8b77d27a 3184 state->xfer_error = TRUE;
0d81dabc
JH
3185 return FALSE;
3186 }
3187
3188else if (inbytes == 0)
3189 {
3190 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
bd231acd 3191 tls_close(NULL, TLS_NO_SHUTDOWN);
0d81dabc
JH
3192 return FALSE;
3193 }
3194
3195/* Handle genuine errors */
3196
3197else if (inbytes < 0)
3198 {
95f52235 3199 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
0d81dabc 3200 record_io_error(state, (int) inbytes, US"recv", NULL);
8b77d27a 3201 state->xfer_error = TRUE;
0d81dabc
JH
3202 return FALSE;
3203 }
3204#ifndef DISABLE_DKIM
3205dkim_exim_verify_feed(state->xfer_buffer, inbytes);
3206#endif
3207state->xfer_buffer_hwm = (int) inbytes;
3208state->xfer_buffer_lwm = 0;
3209return TRUE;
3210}
3211
059ec3d9
PH
3212/*************************************************
3213* TLS version of getc *
3214*************************************************/
3215
3216/* This gets the next byte from the TLS input buffer. If the buffer is empty,
3217it refills the buffer via the GnuTLS reading function.
817d9f57 3218Only used by the server-side TLS.
059ec3d9 3219
17c76198
PP
3220This feeds DKIM and should be used for all message-body reads.
3221
aded2255 3222Arguments: lim Maximum amount to read/buffer
059ec3d9
PH
3223Returns: the next character or EOF
3224*/
3225
3226int
bd8fbe36 3227tls_getc(unsigned lim)
059ec3d9 3228{
0d81dabc 3229exim_gnutls_state_st * state = &state_server;
059ec3d9 3230
0d81dabc
JH
3231if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3232 if (!tls_refill(lim))
3233 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 3234
0d81dabc 3235/* Something in the buffer; return next uschar */
059ec3d9 3236
0d81dabc
JH
3237return state->xfer_buffer[state->xfer_buffer_lwm++];
3238}
059ec3d9 3239
0d81dabc
JH
3240uschar *
3241tls_getbuf(unsigned * len)
3242{
3243exim_gnutls_state_st * state = &state_server;
3244unsigned size;
3245uschar * buf;
059ec3d9 3246
0d81dabc
JH
3247if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3248 if (!tls_refill(*len))
059ec3d9 3249 {
0d81dabc
JH
3250 if (!state->xfer_error) return smtp_getbuf(len);
3251 *len = 0;
3252 return NULL;
059ec3d9 3253 }
059ec3d9 3254
0d81dabc
JH
3255if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
3256 size = *len;
3257buf = &state->xfer_buffer[state->xfer_buffer_lwm];
3258state->xfer_buffer_lwm += size;
3259*len = size;
3260return buf;
059ec3d9
PH
3261}
3262
0d81dabc 3263
584e96c6
JH
3264void
3265tls_get_cache()
3266{
9960d1e5 3267#ifndef DISABLE_DKIM
584e96c6
JH
3268exim_gnutls_state_st * state = &state_server;
3269int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3270if (n > 0)
3271 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 3272#endif
9960d1e5 3273}
584e96c6 3274
059ec3d9 3275
925ac8e4
JH
3276BOOL
3277tls_could_read(void)
3278{
3279return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3280 || gnutls_record_check_pending(state_server.session) > 0;
3281}
3282
3283
059ec3d9 3284
17c76198 3285
059ec3d9
PH
3286/*************************************************
3287* Read bytes from TLS channel *
3288*************************************************/
3289
17c76198
PP
3290/* This does not feed DKIM, so if the caller uses this for reading message body,
3291then the caller must feed DKIM.
817d9f57 3292
059ec3d9 3293Arguments:
74f1a423 3294 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH
3295 buff buffer of data
3296 len size of buffer
3297
3298Returns: the number of bytes read
afdb5e9c 3299 -1 after a failed read, including EOF
059ec3d9
PH
3300*/
3301
3302int
74f1a423 3303tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 3304{
74f1a423 3305exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
17c76198 3306ssize_t inbytes;
059ec3d9 3307
17c76198
PP
3308if (len > INT_MAX)
3309 len = INT_MAX;
059ec3d9 3310
17c76198
PP
3311if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3312 DEBUG(D_tls)
3313 debug_printf("*** PROBABLY A BUG *** " \
3314 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3315 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3316
3317DEBUG(D_tls)
50a3f205 3318 debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, len=" SIZE_T_FMT ")\n",
17c76198
PP
3319 state->session, buff, len);
3320
05c3a5a2
HSHR
3321do
3322 inbytes = gnutls_record_recv(state->session, buff, len);
3323while (inbytes == GNUTLS_E_AGAIN);
4896a319 3324
059ec3d9
PH
3325if (inbytes > 0) return inbytes;
3326if (inbytes == 0)
3327 {
3328 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3329 }
5fd28bb8 3330else
4896a319 3331 {
95f52235 3332