projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Avoid re-expansion in ${sort }
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP		 10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP		 14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 16Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 17appropriate.
059ec3d9 18
17c76198
PP		 19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP		 24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP		 27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP		 32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP		 37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
184384c3 42
a5f239e4
PP		 43/* needed to disable PKCS11 autoload unless requested */
44#if GNUTLS_VERSION_NUMBER >= 0x020c00
45# include <gnutls/pkcs11.h>
76075bb5 46# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 47#endif
7e07527a
JH		 48#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
49# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
50# define DISABLE_OCSP
51#endif
0cbf2b82 52#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 53# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 54# define DISABLE_EVENT
a7538db1 55#endif
a7fec7a7
JH		 56#if GNUTLS_VERSION_NUMBER >= 0x030306
57# define SUPPORT_CA_DIR
58#else
59# undef SUPPORT_CA_DIR
60#endif
11a04b5a 61#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH		 62# define SUPPORT_SYSDEFAULT_CABUNDLE
63#endif
184384c3
JH		 64#if GNUTLS_VERSION_NUMBER >= 0x030104
65# define GNUTLS_CERT_VFY_STATUS_PRINT
66#endif
925ac8e4
JH		 67#if GNUTLS_VERSION_NUMBER >= 0x030109
68# define SUPPORT_CORK
69#endif
f20cfa4a
JH		 70#if GNUTLS_VERSION_NUMBER >= 0x03010a
71# define SUPPORT_GNUTLS_SESS_DESC
72#endif
73#if GNUTLS_VERSION_NUMBER >= 0x030500
74# define SUPPORT_GNUTLS_KEYLOG
75#endif
47195144
JH		 76#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
77# define SUPPORT_SRV_OCSP_STACK
78#endif
c0635b6d
JH		 79
80#ifdef SUPPORT_DANE
81# if GNUTLS_VERSION_NUMBER >= 0x030000
82# define DANESSL_USAGE_DANE_TA 2
83# define DANESSL_USAGE_DANE_EE 3
84# else
85# error GnuTLS version too early for DANE
86# endif
87# if GNUTLS_VERSION_NUMBER < 0x999999
88# define GNUTLS_BROKEN_DANE_VALIDATION
89# endif
899b8bbc 90#endif
7e07527a 91
43e2db44
JH		 92#ifdef EXPERIMENTAL_TLS_RESUME
93# if GNUTLS_VERSION_NUMBER < 0x030603
94# error GNUTLS version too early for session-resumption
95# endif
96#endif
97
f2de3a33 98#ifndef DISABLE_OCSP
2b4a568d
JH		 99# include <gnutls/ocsp.h>
100#endif
899b8bbc
JH		 101#ifdef SUPPORT_DANE
102# include <gnutls/dane.h>
103#endif
059ec3d9 104
f1be21cf
JH		 105#include "tls-cipher-stdname.c"
106
107
b10c87b3
JH		 108#ifdef MACRO_PREDEF
109void
110options_tls(void)
111{
112# ifdef EXPERIMENTAL_TLS_RESUME
113builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
114# endif
115}
116#else
117
118
17c76198 119/* GnuTLS 2 vs 3
059ec3d9 120
17c76198
PP		 121GnuTLS 3 only:
122 gnutls_global_set_audit_log_function()
059ec3d9 123
17c76198
PP		 124Changes:
125 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
126*/
059ec3d9 127
17c76198 128/* Local static variables for GnuTLS */
059ec3d9 129
17c76198 130/* Values for verify_requirement */
059ec3d9 131
e51c7be2 132enum peer_verify_requirement
899b8bbc 133 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
059ec3d9 134
17c76198
PP		 135/* This holds most state for server or client; with this, we can set up an
136outbound TLS-enabled connection in an ACL callout, while not stomping all
137over the TLS variables available for expansion.
059ec3d9 138
17c76198
PP		 139Some of these correspond to variables in globals.c; those variables will
140be set to point to content in one of these instances, as appropriate for
141the stage of the process lifetime.
059ec3d9 142
389ca47a 143Not handled here: global tls_channelbinding_b64.
17c76198 144*/
059ec3d9 145
17c76198 146typedef struct exim_gnutls_state {
9d1c15ef 147 gnutls_session_t session;
17c76198 148 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 149 gnutls_priority_t priority_cache;
17c76198 150 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH		 151 int fd_in;
152 int fd_out;
153 BOOL peer_cert_verified;
899b8bbc 154 BOOL peer_dane_verified;
9d1c15ef
JH		 155 BOOL trigger_sni_changes;
156 BOOL have_set_peerdn;
5fd28bb8 157 const struct host_item *host; /* NULL if server */
afdb5e9c 158 gnutls_x509_crt_t peercert;
9d1c15ef
JH		 159 uschar *peerdn;
160 uschar *ciphersuite;
161 uschar *received_sni;
17c76198
PP		 162
163 const uschar *tls_certificate;
164 const uschar *tls_privatekey;
165 const uschar *tls_sni; /* client send only, not received */
166 const uschar *tls_verify_certificates;
167 const uschar *tls_crl;
168 const uschar *tls_require_ciphers;
e51c7be2 169
17c76198
PP		 170 uschar *exp_tls_certificate;
171 uschar *exp_tls_privatekey;
17c76198
PP		 172 uschar *exp_tls_verify_certificates;
173 uschar *exp_tls_crl;
174 uschar *exp_tls_require_ciphers;
55414b25 175 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 176#ifndef DISABLE_EVENT
a7538db1
JH		 177 uschar *event_action;
178#endif
899b8bbc
JH		 179#ifdef SUPPORT_DANE
180 char * const * dane_data;
181 const int * dane_data_len;
182#endif
17c76198 183
389ca47a 184 tls_support *tlsp; /* set in tls_init() */
817d9f57 185
17c76198
PP		 186 uschar *xfer_buffer;
187 int xfer_buffer_lwm;
188 int xfer_buffer_hwm;
8b77d27a
JH		 189 BOOL xfer_eof; /*XXX never gets set! */
190 BOOL xfer_error;
17c76198
PP		 191} exim_gnutls_state_st;
192
193static const exim_gnutls_state_st exim_gnutls_state_init = {
b10c87b3 194 /* all elements not explicitly intialised here get 0/NULL/FALSE */
f2ed27cf
JH		 195 .fd_in = -1,
196 .fd_out = -1,
17c76198 197};
83da1223 198
17c76198
PP		 199/* Not only do we have our own APIs which don't pass around state, assuming
200it's held in globals, GnuTLS doesn't appear to let us register callback data
201for callbacks, or as part of the session, so we have to keep a "this is the
202context we're currently dealing with" pointer and rely upon being
203single-threaded to keep from processing data on an inbound TLS connection while
204talking to another TLS connection for an outbound check. This does mean that
205there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH		 206second connection.
207XXX But see gnutls_session_get_ptr()
208*/
059ec3d9 209
74f1a423 210static exim_gnutls_state_st state_server;
059ec3d9 211
17c76198
PP		 212/* dh_params are initialised once within the lifetime of a process using TLS;
213if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
214don't want to repeat this. */
83da1223 215
17c76198 216static gnutls_dh_params_t dh_server_params = NULL;
059ec3d9 217
dea4b568 218static int ssl_session_timeout = 7200; /* Two hours */
059ec3d9 219
fc243e94 220static const uschar * const exim_default_gnutls_priority = US"NORMAL";
83da1223 221
17c76198 222/* Guard library core initialisation */
83da1223 223
17c76198 224static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 225
4fb7df6d 226#ifndef DISABLE_OCSP
9196d5bf 227static BOOL gnutls_buggy_ocsp = FALSE;
4fb7df6d 228#endif
9196d5bf 229
b10c87b3
JH		 230#ifdef EXPERIMENTAL_TLS_RESUME
231static gnutls_datum_t server_sessticket_key;
232#endif
059ec3d9 233
17c76198
PP		 234/* ------------------------------------------------------------------------ */
235/* macros */
83da1223 236
17c76198 237#define MAX_HOST_LEN 255
83da1223 238
17c76198
PP		 239/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
240the library logging; a value less than 0 disables the calls to set up logging
dc6d1769
JH		 241callbacks. GNuTLS also looks for an environment variable - except not for
242setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
243Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
244but the env var must be added to /etc/sudoers too. */
2c17bb02 245#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
b1a4f234 246# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 247#endif
83da1223 248
2c17bb02 249#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 250# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 251#endif
83da1223 252
af3498d6
PP		 253/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
254can ask for a bit-strength. Without that, we stick to the constant we had
255before, for now. */
2c17bb02 256#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 257# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 258#endif
af3498d6 259
cf0c6164
JH		 260#define expand_check_tlsvar(Varname, errstr) \
261 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 262
17c76198 263#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH		 264# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
265# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
266# define HAVE_GNUTLS_RND
2519e60d
TL		 267/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
268 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
269 * isn't available sometimes, so this needs to become a conditional
270 * compilation; the sanest way to deal with this being a problem on
271 * older OSes is to block it in the Local/Makefile with this compiler
272 * definition */
e51c7be2
JH		 273# ifndef AVOID_GNUTLS_PKCS11
274# define HAVE_GNUTLS_PKCS11
275# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 276#endif
83da1223 277
af3498d6
PP		 278
279
280
281/* ------------------------------------------------------------------------ */
282/* Callback declarations */
283
284#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
285static void exim_gnutls_logger_cb(int level, const char *message);
286#endif
287
288static int exim_sni_handling_cb(gnutls_session_t session);
289
f2de3a33 290#ifndef DISABLE_OCSP
44662487
JH		 291static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
292 gnutls_datum_t * ocsp_response);
293#endif
af3498d6
PP		 294
295
296
b10c87b3
JH		 297/* Daemon one-time initialisation */
298void
299tls_daemon_init(void)
300{
301#ifdef EXPERIMENTAL_TLS_RESUME
302/* We are dependent on the GnuTLS implementation of the Session Ticket
303encryption; both the strength and the key rotation period. We hope that
304the strength at least matches that of the ciphersuite (but GnuTLS does not
305document this). */
306
307static BOOL once = FALSE;
308if (once) return;
309once = TRUE;
310gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
311if (f.running_in_test_harness) ssl_session_timeout = 6;
312#endif
313}
314
17c76198
PP		 315/* ------------------------------------------------------------------------ */
316/* Static functions */
059ec3d9
PH		 317
318/*************************************************
319* Handle TLS error *
320*************************************************/
321
322/* Called from lots of places when errors occur before actually starting to do
323the TLS handshake, that is, while the session is still in clear. Always returns
324DEFER for a server and FAIL for a client so that most calls can use "return
325tls_error(...)" to do this processing and then give an appropriate return. A
326single function is used for both server and client, because it is called from
327some shared functions.
328
329Argument:
330 prefix text to include in the logged error
7199e1ee
TF		 331 msg additional error string (may be NULL)
332 usually obtained from gnutls_strerror()
17c76198
PP		 333 host NULL if setting up a server;
334 the connected host if setting up a client
cf0c6164 335 errstr pointer to returned error string
059ec3d9
PH		 336
337Returns: OK/DEFER/FAIL
338*/
339
340static int
48224640 341tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
cf0c6164 342 uschar ** errstr)
059ec3d9 343{
cf0c6164 344if (errstr)
48224640 345 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
cf0c6164 346return host ? FAIL : DEFER;
059ec3d9
PH		 347}
348
349
452a164f
JH		 350static int
351tls_error_gnu(const uschar *prefix, int err, const host_item *host,
352 uschar ** errstr)
353{
354return tls_error(prefix, US gnutls_strerror(err), host, errstr);
355}
356
357static int
358tls_error_sys(const uschar *prefix, int err, const host_item *host,
359 uschar ** errstr)
360{
361return tls_error(prefix, US strerror(err), host, errstr);
362}
059ec3d9 363
17c76198 364
059ec3d9 365/*************************************************
17c76198 366* Deal with logging errors during I/O *
059ec3d9
PH		 367*************************************************/
368
17c76198 369/* We have to get the identity of the peer from saved data.
059ec3d9 370
17c76198
PP		 371Argument:
372 state the current GnuTLS exim state container
373 rc the GnuTLS error code, or 0 if it's a local error
374 when text identifying read or write
95f52235 375 text local error text when rc is 0
059ec3d9 376
17c76198 377Returns: nothing
059ec3d9
PH		 378*/
379
17c76198
PP		 380static void
381record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 382{
48224640 383const uschar * msg;
cf0c6164 384uschar * errstr;
059ec3d9 385
17c76198 386if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
95f52235 387 msg = string_sprintf("A TLS fatal alert has been received: %s",
17c76198
PP		 388 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
389else
48224640 390 msg = US gnutls_strerror(rc);
059ec3d9 391
cf0c6164
JH		 392(void) tls_error(when, msg, state->host, &errstr);
393
394if (state->host)
395 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
396 state->host->name, state->host->address, errstr);
397else
398 {
399 uschar * conn_info = smtp_get_connection_info();
400 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
401 /* I'd like to get separated H= here, but too hard for now */
402 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
403 }
17c76198 404}
059ec3d9 405
059ec3d9 406
059ec3d9 407
059ec3d9 408
17c76198
PP		 409/*************************************************
410* Set various Exim expansion vars *
411*************************************************/
059ec3d9 412
e51c7be2
JH		 413#define exim_gnutls_cert_err(Label) \
414 do \
415 { \
416 if (rc != GNUTLS_E_SUCCESS) \
417 { \
418 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
419 (Label), gnutls_strerror(rc)); \
420 return rc; \
421 } \
422 } while (0)
9d1c15ef
JH		 423
424static int
27f19eb4 425import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH		 426{
427int rc;
428
429rc = gnutls_x509_crt_init(crtp);
430exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
431
432rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
433exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
434
435return rc;
436}
437
438#undef exim_gnutls_cert_err
439
440
17c76198
PP		 441/* We set various Exim global variables from the state, once a session has
442been established. With TLS callouts, may need to change this to stack
443variables, or just re-call it with the server state after client callout
444has finished.
059ec3d9 445
9d1c15ef 446Make sure anything set here is unset in tls_getc().
17c76198
PP		 447
448Sets:
449 tls_active fd
450 tls_bits strength indicator
451 tls_certificate_verified bool indicator
452 tls_channelbinding_b64 for some SASL mechanisms
453 tls_cipher a string
9d1c15ef 454 tls_peercert pointer to library internal
17c76198
PP		 455 tls_peerdn a string
456 tls_sni a (UTF-8) string
9d1c15ef 457 tls_ourcert pointer to library internal
17c76198
PP		 458
459Argument:
460 state the relevant exim_gnutls_state_st *
461*/
462
463static void
9d1c15ef 464extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 465{
17c76198
PP		 466#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
467int old_pool;
468int rc;
469gnutls_datum_t channel;
470#endif
9d1c15ef 471tls_support * tlsp = state->tlsp;
17c76198 472
74f1a423
JH		 473tlsp->active.sock = state->fd_out;
474tlsp->active.tls_ctx = state;
17c76198 475
817d9f57 476DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 477
9d1c15ef 478tlsp->certificate_verified = state->peer_cert_verified;
899b8bbc
JH		 479#ifdef SUPPORT_DANE
480tlsp->dane_verified = state->peer_dane_verified;
481#endif
059ec3d9 482
17c76198
PP		 483/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
484only available for use for authenticators while this TLS session is running. */
485
486tls_channelbinding_b64 = NULL;
487#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
488channel.data = NULL;
489channel.size = 0;
1f20760b
JH		 490if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
491 { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
492else
493 {
17c76198
PP		 494 old_pool = store_pool;
495 store_pool = POOL_PERM;
1f20760b 496 tls_channelbinding_b64 = b64encode(CUS channel.data, (int)channel.size);
17c76198
PP		 497 store_pool = old_pool;
498 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
1f20760b 499 }
17c76198
PP		 500#endif
501
9d1c15ef
JH		 502/* peercert is set in peer_status() */
503tlsp->peerdn = state->peerdn;
504tlsp->sni = state->received_sni;
505
506/* record our certificate */
507 {
27f19eb4 508 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH		 509 gnutls_x509_crt_t crt;
510
511 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
512 }
059ec3d9
PH		 513}
514
515
516
17c76198 517
059ec3d9 518/*************************************************
575643cd 519* Setup up DH parameters *
059ec3d9
PH		 520*************************************************/
521
575643cd 522/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH		 523be re-generated every so often, depending on security policy. What we do is to
524keep these parameters in a file in the spool directory. If the file does not
525exist, we generate them. This means that it is easy to cause a regeneration.
526
527The new file is written as a temporary file and renamed, so that an incomplete
528file is never present. If two processes both compute some new parameters, you
529waste a bit of effort, but it doesn't seem worth messing around with locking to
530prevent this.
531
059ec3d9
PH		 532Returns: OK/DEFER/FAIL
533*/
534
535static int
cf0c6164 536init_server_dh(uschar ** errstr)
059ec3d9 537{
17c76198
PP		 538int fd, rc;
539unsigned int dh_bits;
27f19eb4 540gnutls_datum_t m;
a799883d
PP		 541uschar filename_buf[PATH_MAX];
542uschar *filename = NULL;
17c76198 543size_t sz;
a799883d
PP		 544uschar *exp_tls_dhparam;
545BOOL use_file_in_spool = FALSE;
17c76198 546host_item *host = NULL; /* dummy for macros */
059ec3d9 547
17c76198 548DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 549
452a164f
JH		 550if ((rc = gnutls_dh_params_init(&dh_server_params)))
551 return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
059ec3d9 552
a799883d
PP		 553m.data = NULL;
554m.size = 0;
555
cf0c6164 556if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP		 557 return DEFER;
558
559if (!exp_tls_dhparam)
560 {
561 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
562 m.data = US std_dh_prime_default();
563 m.size = Ustrlen(m.data);
564 }
565else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
566 use_file_in_spool = TRUE;
567else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
568 {
569 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
570 return OK;
571 }
572else if (exp_tls_dhparam[0] != '/')
573 {
f5d25c2b 574 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
48224640 575 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
a799883d
PP		 576 m.size = Ustrlen(m.data);
577 }
578else
a799883d 579 filename = exp_tls_dhparam;
a799883d
PP		 580
581if (m.data)
582 {
452a164f
JH		 583 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
584 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
a799883d
PP		 585 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
586 return OK;
587 }
588
af3498d6
PP		 589#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
590/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198 591different filename and ensure we have sufficient bits. */
452a164f
JH		 592
593if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
cf0c6164 594 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 595DEBUG(D_tls)
b34fc30c 596 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP		 597 dh_bits);
598#else
599dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
600DEBUG(D_tls)
601 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
602 dh_bits);
603#endif
059ec3d9 604
3375e053
PP		 605/* Some clients have hard-coded limits. */
606if (dh_bits > tls_dh_max_bits)
607 {
608 DEBUG(D_tls)
609 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
610 tls_dh_max_bits);
611 dh_bits = tls_dh_max_bits;
612 }
613
a799883d
PP		 614if (use_file_in_spool)
615 {
616 if (!string_format(filename_buf, sizeof(filename_buf),
617 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 618 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP		 619 filename = filename_buf;
620 }
059ec3d9 621
b5aea5e1 622/* Open the cache file for reading and if successful, read it and set up the
575643cd 623parameters. */
059ec3d9 624
f5d25c2b 625if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 626 {
b5aea5e1 627 struct stat statbuf;
17c76198
PP		 628 FILE *fp;
629 int saved_errno;
630
631 if (fstat(fd, &statbuf) < 0) /* EIO */
632 {
633 saved_errno = errno;
634 (void)close(fd);
452a164f 635 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
17c76198
PP		 636 }
637 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH		 638 {
639 (void)close(fd);
cf0c6164 640 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 641 }
40c90bca 642 if (!(fp = fdopen(fd, "rb")))
17c76198
PP		 643 {
644 saved_errno = errno;
645 (void)close(fd);
452a164f
JH		 646 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
647 saved_errno, NULL, errstr);
b5aea5e1 648 }
059ec3d9 649
b5aea5e1 650 m.size = statbuf.st_size;
40c90bca 651 if (!(m.data = malloc(m.size)))
17c76198
PP		 652 {
653 fclose(fp);
452a164f 654 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
17c76198 655 }
40c90bca 656 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP		 657 {
658 saved_errno = errno;
659 fclose(fp);
660 free(m.data);
452a164f 661 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
17c76198
PP		 662 }
663 fclose(fp);
b5aea5e1 664
17c76198 665 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
b5aea5e1 666 free(m.data);
452a164f
JH		 667 if (rc)
668 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
17c76198 669 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH		 670 }
671
672/* If the file does not exist, fall through to compute new data and cache it.
673If there was any other opening error, it is serious. */
674
182ad5cf
PH		 675else if (errno == ENOENT)
676 {
17c76198 677 rc = -1;
182ad5cf 678 DEBUG(D_tls)
17c76198 679 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH		 680 }
681else
17c76198 682 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 683 NULL, NULL, errstr);
b5aea5e1
PH		 684
685/* If ret < 0, either the cache file does not exist, or the data it contains
686is not useful. One particular case of this is when upgrading from an older
687release of Exim in which the data was stored in a different format. We don't
688try to be clever and support both formats; we just regenerate new data in this
689case. */
690
17c76198 691if (rc < 0)
b5aea5e1 692 {
17c76198 693 uschar *temp_fn;
201f5254 694 unsigned int dh_bits_gen = dh_bits;
059ec3d9 695
17c76198
PP		 696 if ((PATH_MAX - Ustrlen(filename)) < 10)
697 return tls_error(US"Filename too long to generate replacement",
48224640 698 filename, NULL, errstr);
059ec3d9 699
48224640 700 temp_fn = string_copy(US"%s.XXXXXXX");
f5d25c2b 701 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
452a164f 702 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
b66fecb4 703 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
059ec3d9 704
201f5254
PP		 705 /* GnuTLS overshoots!
706 * If we ask for 2236, we might get 2237 or more.
707 * But there's no way to ask GnuTLS how many bits there really are.
708 * We can ask how many bits were used in a TLS session, but that's it!
709 * The prime itself is hidden behind too much abstraction.
710 * So we ask for less, and proceed on a wing and a prayer.
711 * First attempt, subtracted 3 for 2233 and got 2240.
712 */
cae6e576 713 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP		 714 {
715 dh_bits_gen = dh_bits - 10;
716 DEBUG(D_tls)
717 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
718 dh_bits_gen);
719 }
720
721 DEBUG(D_tls)
722 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
723 dh_bits_gen);
452a164f
JH		 724 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
725 return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
17c76198
PP		 726
727 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
728 and I confirmed that a NULL call to get the size first is how the GnuTLS
729 sample apps handle this. */
730
731 sz = 0;
732 m.data = NULL;
452a164f
JH		 733 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
734 GNUTLS_X509_FMT_PEM, m.data, &sz))
735 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
736 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
737 rc, host, errstr);
17c76198 738 m.size = sz;
40c90bca 739 if (!(m.data = malloc(m.size)))
452a164f 740 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
40c90bca 741
1f00591e 742 /* this will return a size 1 less than the allocation size above */
452a164f
JH		 743 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
744 m.data, &sz)))
17c76198
PP		 745 {
746 free(m.data);
452a164f 747 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
17c76198 748 }
1f00591e 749 m.size = sz; /* shrink by 1, probably */
059ec3d9 750
f5d25c2b 751 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198
PP		 752 {
753 free(m.data);
452a164f
JH		 754 return tls_error_sys(US"TLS cache write D-H params failed",
755 errno, NULL, errstr);
17c76198 756 }
b5aea5e1 757 free(m.data);
f5d25c2b 758 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
452a164f
JH		 759 return tls_error_sys(US"TLS cache write D-H params final newline failed",
760 errno, NULL, errstr);
17c76198 761
f5d25c2b 762 if ((rc = close(fd)))
452a164f 763 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
059ec3d9 764
17c76198 765 if (Urename(temp_fn, filename) < 0)
452a164f
JH		 766 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
767 temp_fn, filename), errno, NULL, errstr);
059ec3d9 768
17c76198 769 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH		 770 }
771
17c76198 772DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH		 773return OK;
774}
775
776
777
778
23bb6982
JH		 779/* Create and install a selfsigned certificate, for use in server mode */
780
781static int
cf0c6164 782tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH		 783{
784gnutls_x509_crt_t cert = NULL;
785time_t now;
786gnutls_x509_privkey_t pkey = NULL;
787const uschar * where;
788int rc;
789
790where = US"initialising pkey";
791if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
792
793where = US"initialising cert";
794if ((rc = gnutls_x509_crt_init(&cert))) goto err;
795
796where = US"generating pkey";
797if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 798#ifdef SUPPORT_PARAM_TO_PK_BITS
4312da48
JH		 799# ifndef GNUTLS_SEC_PARAM_MEDIUM
800# define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
801# endif
6aac3239 802 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
76075bb5 803#else
6aac3239 804 2048,
76075bb5
JH		 805#endif
806 0)))
23bb6982
JH		 807 goto err;
808
809where = US"configuring cert";
1613fd68 810now = 1;
23bb6982
JH		 811if ( (rc = gnutls_x509_crt_set_version(cert, 3))
812 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
813 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
814 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
815 || (rc = gnutls_x509_crt_set_key(cert, pkey))
816
817 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
818 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
819 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
820 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
821 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
822 GNUTLS_OID_X520_COMMON_NAME, 0,
823 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
824 )
825 goto err;
826
827where = US"signing cert";
828if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
829
830where = US"installing selfsign cert";
831 /* Since: 2.4.0 */
832if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
833 goto err;
834
835rc = OK;
836
837out:
838 if (cert) gnutls_x509_crt_deinit(cert);
839 if (pkey) gnutls_x509_privkey_deinit(pkey);
840 return rc;
841
842err:
452a164f 843 rc = tls_error_gnu(where, rc, NULL, errstr);
23bb6982
JH		 844 goto out;
845}
846
847
848
849
47195144
JH		 850/* Add certificate and key, from files.
851
852Return:
853 Zero or negative: good. Negate value for certificate index if < 0.
854 Greater than zero: FAIL or DEFER code.
855*/
856
ba86e143
JH		 857static int
858tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
859 uschar * certfile, uschar * keyfile, uschar ** errstr)
860{
861int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
862 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
47195144 863if (rc < 0)
452a164f 864 return tls_error_gnu(
47195144 865 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
452a164f 866 rc, host, errstr);
47195144 867return -rc;
ba86e143
JH		 868}
869
870
059ec3d9 871/*************************************************
17c76198 872* Variables re-expanded post-SNI *
059ec3d9
PH		 873*************************************************/
874
17c76198
PP		 875/* Called from both server and client code, via tls_init(), and also from
876the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
877
878We can tell the two apart by state->received_sni being non-NULL in callback.
879
880The callback should not call us unless state->trigger_sni_changes is true,
881which we are responsible for setting on the first pass through.
059ec3d9
PH		 882
883Arguments:
17c76198 884 state exim_gnutls_state_st *
cf0c6164 885 errstr error string pointer
059ec3d9
PH		 886
887Returns: OK/DEFER/FAIL
888*/
889
890static int
ba86e143 891tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 892{
1365611d 893struct stat statbuf;
059ec3d9 894int rc;
17c76198
PP		 895const host_item *host = state->host; /* macro should be reconsidered? */
896uschar *saved_tls_certificate = NULL;
897uschar *saved_tls_privatekey = NULL;
898uschar *saved_tls_verify_certificates = NULL;
899uschar *saved_tls_crl = NULL;
900int cert_count;
901
902/* We check for tls_sni *before* expansion. */
2b4a568d 903if (!host) /* server */
17c76198
PP		 904 if (!state->received_sni)
905 {
ba86e143
JH		 906 if ( state->tls_certificate
907 && ( Ustrstr(state->tls_certificate, US"tls_sni")
908 || Ustrstr(state->tls_certificate, US"tls_in_sni")
909 || Ustrstr(state->tls_certificate, US"tls_out_sni")
910 ) )
17c76198
PP		 911 {
912 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
913 state->trigger_sni_changes = TRUE;
914 }
915 }
916 else
917 {
1365611d 918 /* useful for debugging */
17c76198
PP		 919 saved_tls_certificate = state->exp_tls_certificate;
920 saved_tls_privatekey = state->exp_tls_privatekey;
921 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
922 saved_tls_crl = state->exp_tls_crl;
923 }
059ec3d9 924
452a164f
JH		 925if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
926 return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
927 rc, host, errstr);
47195144
JH		 928
929#ifdef SUPPORT_SRV_OCSP_STACK
930gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
931#endif
1365611d 932
17c76198
PP		 933/* remember: expand_check_tlsvar() is expand_check() but fiddling with
934state members, assuming consistent naming; and expand_check() returns
935false if expansion failed, unless expansion was forced to fail. */
059ec3d9 936
17c76198
PP		 937/* check if we at least have a certificate, before doing expensive
938D-H generation. */
059ec3d9 939
cf0c6164 940if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 941 return DEFER;
059ec3d9 942
17c76198 943/* certificate is mandatory in server, optional in client */
059ec3d9 944
23bb6982
JH		 945if ( !state->exp_tls_certificate
946 || !*state->exp_tls_certificate
947 )
2b4a568d 948 if (!host)
cf0c6164 949 return tls_install_selfsign(state, errstr);
17c76198
PP		 950 else
951 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 952
cf0c6164 953if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH		 954 return DEFER;
955
17c76198
PP		 956/* tls_privatekey is optional, defaulting to same file as certificate */
957
958if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
059ec3d9 959 {
17c76198
PP		 960 state->tls_privatekey = state->tls_certificate;
961 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 962 }
c91535f3 963
059ec3d9 964
17c76198 965if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH		 966 {
967 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP		 968 state->exp_tls_certificate, state->exp_tls_privatekey);
969
970 if (state->received_sni)
23bb6982
JH		 971 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
972 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
973 )
17c76198 974 {
b34fc30c 975 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP		 976 }
977 else
978 {
b34fc30c 979 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 980 }
059ec3d9 981
ba86e143
JH		 982 if (!host) /* server */
983 {
984 const uschar * clist = state->exp_tls_certificate;
985 const uschar * klist = state->exp_tls_privatekey;
47195144
JH		 986 const uschar * olist;
987 int csep = 0, ksep = 0, osep = 0, cnt = 0;
988 uschar * cfile, * kfile, * ofile;
989
990#ifndef DISABLE_OCSP
991 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
992 return DEFER;
993 olist = ofile;
994#endif
ba86e143
JH		 995
996 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
47195144 997
ba86e143
JH		 998 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
999 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
47195144 1000 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
ba86e143
JH		 1001 return rc;
1002 else
47195144
JH		 1003 {
1004 int gnutls_cert_index = -rc;
ba86e143 1005 DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile);
47195144
JH		 1006
1007 /* Set the OCSP stapling server info */
1008
1009#ifndef DISABLE_OCSP
1010 if (tls_ocsp_file)
1011 if (gnutls_buggy_ocsp)
1012 {
1013 DEBUG(D_tls)
1014 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1015 }
1016 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1017 {
1018 /* Use the full callback method for stapling just to get
1019 observability. More efficient would be to read the file once only,
1020 if it never changed (due to SNI). Would need restart on file update,
1021 or watch datestamp. */
1022
1023# ifdef SUPPORT_SRV_OCSP_STACK
452a164f
JH		 1024 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1025 state->x509_cred, gnutls_cert_index,
1026 server_ocsp_stapling_cb, ofile)))
1027 return tls_error_gnu(
1028 US"gnutls_certificate_set_ocsp_status_request_function2",
1029 rc, host, errstr);
47195144
JH		 1030# else
1031 if (cnt++ > 0)
1032 {
1033 DEBUG(D_tls)
1034 debug_printf("oops; multiple OCSP files not supported\n");
1035 break;
1036 }
1037 gnutls_certificate_set_ocsp_status_request_function(
1038 state->x509_cred, server_ocsp_stapling_cb, ofile);
1039# endif
1040
1041 DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile);
1042 }
1043 else
1044 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
1045#endif
1046 }
ba86e143
JH		 1047 }
1048 else
1049 {
47195144 1050 if (0 < (rc = tls_add_certfile(state, host,
ba86e143
JH		 1051 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1052 return rc;
1053 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1054 }
1055
b34fc30c 1056 } /* tls_certificate */
059ec3d9 1057
2b4a568d 1058
059ec3d9
PH		 1059/* Set the trusted CAs file if one is provided, and then add the CRL if one is
1060provided. Experiment shows that, if the certificate file is empty, an unhelpful
1061error message is provided. However, if we just refrain from setting anything up
1062in that case, certificate verification fails, which seems to be the correct
1063behaviour. */
1064
610ff438 1065if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 1066 {
cf0c6164 1067 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 1068 return DEFER;
610ff438
JH		 1069#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1070 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1071 state->exp_tls_verify_certificates = NULL;
1072#endif
17c76198 1073 if (state->tls_crl && *state->tls_crl)
cf0c6164 1074 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 1075 return DEFER;
059ec3d9 1076
1365611d
PP		 1077 if (!(state->exp_tls_verify_certificates &&
1078 *state->exp_tls_verify_certificates))
b34fc30c
PP		 1079 {
1080 DEBUG(D_tls)
1365611d
PP		 1081 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1082 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 1083 return OK;
b34fc30c 1084 }
1365611d 1085 }
83e2f8a2
PP		 1086else
1087 {
1088 DEBUG(D_tls)
1089 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1090 return OK;
1091 }
17c76198 1092
cb1d7830
JH		 1093#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1094if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1095 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1096else
1097#endif
1365611d 1098 {
cb1d7830
JH		 1099 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1100 {
1101 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
1102 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1103 strerror(errno));
1104 return DEFER;
1105 }
17c76198 1106
a7fec7a7 1107#ifndef SUPPORT_CA_DIR
cb1d7830
JH		 1108 /* The test suite passes in /dev/null; we could check for that path explicitly,
1109 but who knows if someone has some weird FIFO which always dumps some certs, or
1110 other weirdness. The thing we really want to check is that it's not a
1111 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 1112 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH		 1113 if (S_ISDIR(statbuf.st_mode))
1114 {
1115 DEBUG(D_tls)
1116 debug_printf("verify certificates path is a dir: \"%s\"\n",
1117 state->exp_tls_verify_certificates);
1118 log_write(0, LOG_MAIN|LOG_PANIC,
1119 "tls_verify_certificates \"%s\" is a directory",
1120 state->exp_tls_verify_certificates);
1121 return DEFER;
1122 }
a7fec7a7 1123#endif
059ec3d9 1124
cb1d7830
JH		 1125 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1126 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 1127
cb1d7830
JH		 1128 if (statbuf.st_size == 0)
1129 {
1130 DEBUG(D_tls)
1131 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1132 return OK;
1133 }
059ec3d9 1134
cb1d7830 1135 cert_count =
a7fec7a7
JH		 1136
1137#ifdef SUPPORT_CA_DIR
cb1d7830
JH		 1138 (statbuf.st_mode & S_IFMT) == S_IFDIR
1139 ?
1140 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1141 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1142 :
a7fec7a7 1143#endif
cb1d7830
JH		 1144 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1145 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
12d95aa6
JH		 1146
1147#ifdef SUPPORT_CA_DIR
1148 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1149 when using the directory-of-certs config model. */
1150
1151 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1152 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1153#endif
cb1d7830 1154 }
a7fec7a7 1155
1365611d 1156if (cert_count < 0)
452a164f
JH		 1157 return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
1158DEBUG(D_tls)
1159 debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1160
5c8cda3a
PP		 1161if (state->tls_crl && *state->tls_crl &&
1162 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1163 {
5c8cda3a 1164 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
452a164f
JH		 1165 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1166 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
1167 return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
1168 cert_count, host, errstr);
1169
5c8cda3a 1170 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1171 }
059ec3d9 1172
059ec3d9
PH		 1173return OK;
1174}
1175
1176
1177
1178
1365611d
PP		 1179/*************************************************
1180* Set X.509 state variables *
1181*************************************************/
1182
1183/* In GnuTLS, the registered cert/key are not replaced by a later
1184set of a cert/key, so for SNI support we need a whole new x509_cred
1185structure. Which means various other non-re-expanded pieces of state
1186need to be re-set in the new struct, so the setting logic is pulled
1187out to this.
1188
1189Arguments:
1190 state exim_gnutls_state_st *
cf0c6164 1191 errstr error string pointer
1365611d
PP		 1192
1193Returns: OK/DEFER/FAIL
1194*/
1195
1196static int
cf0c6164 1197tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP		 1198{
1199int rc;
1200const host_item *host = state->host; /* macro should be reconsidered? */
1201
1202/* Create D-H parameters, or read them from the cache file. This function does
1203its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1204client-side params. */
1205
1206if (!state->host)
1207 {
1208 if (!dh_server_params)
452a164f 1209 if ((rc = init_server_dh(errstr)) != OK) return rc;
1365611d
PP		 1210 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1211 }
1212
1213/* Link the credentials to the session. */
1214
452a164f
JH		 1215if ((rc = gnutls_credentials_set(state->session,
1216 GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
1217 return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
1365611d
PP		 1218
1219return OK;
1220}
1221
059ec3d9 1222/*************************************************
17c76198 1223* Initialize for GnuTLS *
059ec3d9
PH		 1224*************************************************/
1225
9196d5bf 1226
4fb7df6d
JH		 1227#ifndef DISABLE_OCSP
1228
9196d5bf
JH		 1229static BOOL
1230tls_is_buggy_ocsp(void)
1231{
1232const uschar * s;
1233uschar maj, mid, mic;
1234
1235s = CUS gnutls_check_version(NULL);
1236maj = atoi(CCS s);
1237if (maj == 3)
1238 {
1239 while (*s && *s != '.') s++;
1240 mid = atoi(CCS ++s);
1241 if (mid <= 2)
1242 return TRUE;
1243 else if (mid >= 5)
1244 return FALSE;
1245 else
1246 {
1247 while (*s && *s != '.') s++;
1248 mic = atoi(CCS ++s);
1249 return mic <= (mid == 3 ? 16 : 3);
1250 }
1251 }
1252return FALSE;
1253}
1254
4fb7df6d 1255#endif
9196d5bf
JH		 1256
1257
17c76198
PP		 1258/* Called from both server and client code. In the case of a server, errors
1259before actual TLS negotiation return DEFER.
059ec3d9
PH		 1260
1261Arguments:
17c76198
PP		 1262 host connected host, if client; NULL if server
1263 certificate certificate file
1264 privatekey private key file
1265 sni TLS SNI to send, sometimes when client; else NULL
1266 cas CA certs file
1267 crl CRL file
1268 require_ciphers tls_require_ciphers setting
817d9f57 1269 caller_state returned state-info structure
cf0c6164 1270 errstr error string pointer
059ec3d9 1271
17c76198 1272Returns: OK/DEFER/FAIL
059ec3d9
PH		 1273*/
1274
17c76198
PP		 1275static int
1276tls_init(
1277 const host_item *host,
1278 const uschar *certificate,
1279 const uschar *privatekey,
1280 const uschar *sni,
1281 const uschar *cas,
1282 const uschar *crl,
1283 const uschar *require_ciphers,
cf0c6164 1284 exim_gnutls_state_st **caller_state,
74f1a423 1285 tls_support * tlsp,
cf0c6164 1286 uschar ** errstr)
059ec3d9 1287{
00c0dd4e 1288exim_gnutls_state_st * state;
17c76198
PP		 1289int rc;
1290size_t sz;
00c0dd4e
JH		 1291const char * errpos;
1292const uschar * p;
17c76198
PP		 1293
1294if (!exim_gnutls_base_init_done)
059ec3d9 1295 {
17c76198
PP		 1296 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1297
a5f239e4
PP		 1298#ifdef HAVE_GNUTLS_PKCS11
1299 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1300 which loads modules from a config file, which sounds good and may be wanted
1301 by some sysadmin, but also means in common configurations that GNOME keyring
1302 environment variables are used and so breaks for users calling mailq.
1303 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1304 if (!gnutls_allow_auto_pkcs11)
452a164f
JH		 1305 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
1306 return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
a5f239e4
PP		 1307#endif
1308
452a164f
JH		 1309 if ((rc = gnutls_global_init()))
1310 return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
17c76198
PP		 1311
1312#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1313 DEBUG(D_tls)
059ec3d9 1314 {
17c76198 1315 gnutls_global_set_log_function(exim_gnutls_logger_cb);
aded2255 1316 /* arbitrarily chosen level; bump up to 9 for more */
17c76198 1317 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1318 }
17c76198
PP		 1319#endif
1320
4fb7df6d
JH		 1321#ifndef DISABLE_OCSP
1322 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1323 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1324#endif
9196d5bf 1325
17c76198 1326 exim_gnutls_base_init_done = TRUE;
059ec3d9 1327 }
059ec3d9 1328
17c76198
PP		 1329if (host)
1330 {
74f1a423
JH		 1331 /* For client-side sessions we allocate a context. This lets us run
1332 several in parallel. */
1333 int old_pool = store_pool;
1334 store_pool = POOL_PERM;
1335 state = store_get(sizeof(exim_gnutls_state_st));
1336 store_pool = old_pool;
1337
17c76198 1338 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1339 state->tlsp = tlsp;
17c76198
PP		 1340 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1341 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1342 }
1343else
1344 {
1345 state = &state_server;
1346 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1347 state->tlsp = tlsp;
17c76198
PP		 1348 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1349 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1350 }
452a164f
JH		 1351if (rc)
1352 return tls_error_gnu(US"gnutls_init", rc, host, errstr);
059ec3d9 1353
17c76198 1354state->host = host;
059ec3d9 1355
17c76198
PP		 1356state->tls_certificate = certificate;
1357state->tls_privatekey = privatekey;
5779e6aa 1358state->tls_require_ciphers = require_ciphers;
17c76198
PP		 1359state->tls_sni = sni;
1360state->tls_verify_certificates = cas;
1361state->tls_crl = crl;
059ec3d9 1362
17c76198
PP		 1363/* This handles the variables that might get re-expanded after TLS SNI;
1364that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1365
17c76198
PP		 1366DEBUG(D_tls)
1367 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1368if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1369
1365611d
PP		 1370/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1371requires a new structure afterwards. */
83da1223 1372
cf0c6164 1373if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1374
17c76198
PP		 1375/* set SNI in client, only */
1376if (host)
1377 {
cf0c6164 1378 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1379 return DEFER;
0df4ab80 1380 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP		 1381 {
1382 DEBUG(D_tls)
0df4ab80
JH		 1383 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1384 sz = Ustrlen(state->tlsp->sni);
452a164f
JH		 1385 if ((rc = gnutls_server_name_set(state->session,
1386 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
1387 return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
17c76198
PP		 1388 }
1389 }
1390else if (state->tls_sni)
1391 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
ba86e143 1392 "have an SNI set for a server [%s]\n", state->tls_sni);
83da1223 1393
17c76198 1394/* This is the priority string support,
42bfef1e 1395http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP		 1396and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1397This was backwards incompatible, but means Exim no longer needs to track
1398all algorithms and provide string forms for them. */
83da1223 1399
fc243e94 1400p = NULL;
17c76198 1401if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1402 {
cf0c6164 1403 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP		 1404 return DEFER;
1405 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1406 {
17c76198 1407 p = state->exp_tls_require_ciphers;
fc243e94 1408 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
83da1223
PH		 1409 }
1410 }
fc243e94 1411if (!p)
17c76198 1412 {
fc243e94 1413 p = exim_default_gnutls_priority;
83e2f8a2 1414 DEBUG(D_tls)
fc243e94 1415 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
17c76198 1416 }
83da1223 1417
452a164f
JH		 1418if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
1419 return tls_error_gnu(string_sprintf(
1420 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1421 p, errpos - CS p, errpos),
1422 rc, host, errstr);
17c76198 1423
452a164f
JH		 1424if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
1425 return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
17c76198 1426
b10c87b3
JH		 1427/* This also sets the server ticket expiration time to the same, and
1428the STEK rotation time to 3x. */
1429
17c76198
PP		 1430gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1431
1432/* Reduce security in favour of increased compatibility, if the admin
1433decides to make that trade-off. */
1434if (gnutls_compat_mode)
83da1223 1435 {
17c76198
PP		 1436#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1437 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1438 gnutls_session_enable_compatibility_mode(state->session);
1439#else
1440 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1441#endif
83da1223
PH		 1442 }
1443
17c76198 1444*caller_state = state;
17c76198 1445return OK;
83da1223
PH		 1446}
1447
1448
1449
059ec3d9 1450/*************************************************
17c76198 1451* Extract peer information *
059ec3d9
PH		 1452*************************************************/
1453
f1be21cf
JH		 1454static const uschar *
1455cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
1456 gnutls_mac_algorithm_t mac)
1457{
1458uschar cs_id[2];
1459gnutls_kx_algorithm_t kx_i;
1460gnutls_cipher_algorithm_t cipher_i;
1461gnutls_mac_algorithm_t mac_i;
1462
1463for (size_t i = 0;
1464 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
1465 i++)
1466 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
1467 return cipher_stdname(cs_id[0], cs_id[1]);
1468return NULL;
1469}
1470
1471
1472
17c76198 1473/* Called from both server and client code.
4fe99a6c
PP		 1474Only this is allowed to set state->peerdn and state->have_set_peerdn
1475and we use that to detect double-calls.
059ec3d9 1476
75fe387d
PP		 1477NOTE: the state blocks last while the TLS connection is up, which is fine
1478for logging in the server side, but for the client side, we log after teardown
1479in src/deliver.c. While the session is up, we can twist about states and
1480repoint tls_* globals, but those variables used for logging or other variable
1481expansion that happens _after_ delivery need to have a longer life-time.
1482
1483So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1484doing this more than once per generation of a state context. We set them in
1485the state context, and repoint tls_* to them. After the state goes away, the
1486tls_* copies of the pointers remain valid and client delivery logging is happy.
1487
1488tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1489don't apply.
1490
059ec3d9 1491Arguments:
17c76198 1492 state exim_gnutls_state_st *
cf0c6164 1493 errstr pointer to error string
059ec3d9 1494
17c76198 1495Returns: OK/DEFER/FAIL
059ec3d9
PH		 1496*/
1497
17c76198 1498static int
b10c87b3 1499peer_status(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1500{
b10c87b3
JH		 1501gnutls_session_t session = state->session;
1502const gnutls_datum_t * cert_list;
75fe387d 1503int old_pool, rc;
17c76198 1504unsigned int cert_list_size = 0;
4fe99a6c
PP		 1505gnutls_protocol_t protocol;
1506gnutls_cipher_algorithm_t cipher;
1507gnutls_kx_algorithm_t kx;
1508gnutls_mac_algorithm_t mac;
17c76198
PP		 1509gnutls_certificate_type_t ct;
1510gnutls_x509_crt_t crt;
b10c87b3 1511uschar * dn_buf;
17c76198 1512size_t sz;
059ec3d9 1513
4fe99a6c 1514if (state->have_set_peerdn)
17c76198 1515 return OK;
4fe99a6c 1516state->have_set_peerdn = TRUE;
059ec3d9 1517
4fe99a6c 1518state->peerdn = NULL;
059ec3d9 1519
4fe99a6c 1520/* tls_cipher */
b10c87b3
JH		 1521cipher = gnutls_cipher_get(session);
1522protocol = gnutls_protocol_get_version(session);
1523mac = gnutls_mac_get(session);
b9c6f63c
JH		 1524kx =
1525#ifdef GNUTLS_TLS1_3
1526 protocol >= GNUTLS_TLS1_3 ? 0 :
1527#endif
b10c87b3 1528 gnutls_kx_get(session);
4fe99a6c 1529
75fe387d 1530old_pool = store_pool;
f1be21cf 1531 {
b10c87b3 1532 tls_support * tlsp = state->tlsp;
f1be21cf 1533 store_pool = POOL_PERM;
d9acfc1c
JH		 1534
1535#ifdef SUPPORT_GNUTLS_SESS_DESC
1536 {
1537 gstring * g = NULL;
b10c87b3 1538 uschar * s = US gnutls_session_get_desc(session), c;
d9acfc1c
JH		 1539
1540 /* Nikos M suggests we use this by preference. It returns like:
1541 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
1542
1543 For partial back-compat, put a colon after the TLS version, replace the
1544 )-( grouping with __, replace in-group - with _ and append the :keysize. */
1545
1546 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
1547
1548 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
1549 g = string_catn(g, US":", 1);
1550 if (*s) s++; /* now on _ between groups */
1551 while ((c = *s))
1552 {
1553 for (*++s && ++s; (c = *s) && c != ')'; s++) g = string_catn(g, c == '-' ? US"_" : s, 1);
1554 /* now on ) closing group */
1555 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
1556 /* now on _ between groups */
1557 }
1558 g = string_catn(g, US":", 1);
1559 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
1560 state->ciphersuite = string_from_gstring(g);
1561 }
1562#else
f1be21cf
JH		 1563 state->ciphersuite = string_sprintf("%s:%s:%d",
1564 gnutls_protocol_get_name(protocol),
1565 gnutls_cipher_suite_get_name(kx, cipher, mac),
1566 (int) gnutls_cipher_get_key_size(cipher) * 8);
1567
1568 /* I don't see a way that spaces could occur, in the current GnuTLS
1569 code base, but it was a concern in the old code and perhaps older GnuTLS
1570 releases did return "TLS 1.0"; play it safe, just in case. */
1571
1572 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
d9acfc1c
JH		 1573#endif
1574
1575/* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
1576
b10c87b3
JH		 1577 tlsp->cipher = state->ciphersuite;
1578 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
f1be21cf 1579
b10c87b3 1580 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
f1be21cf 1581 }
75fe387d 1582store_pool = old_pool;
4fe99a6c
PP		 1583
1584/* tls_peerdn */
b10c87b3 1585cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
83da1223 1586
f1be21cf 1587if (!cert_list || cert_list_size == 0)
17c76198 1588 {
17c76198
PP		 1589 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1590 cert_list, cert_list_size);
e51c7be2 1591 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1592 return tls_error(US"certificate verification failed",
48224640 1593 US"no certificate received from peer", state->host, errstr);
17c76198
PP		 1594 return OK;
1595 }
059ec3d9 1596
b10c87b3 1597if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
059ec3d9 1598 {
95f52235 1599 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
17c76198
PP		 1600 DEBUG(D_tls)
1601 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1602 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1603 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1604 ctn, state->host, errstr);
17c76198 1605 return OK;
83da1223 1606 }
059ec3d9 1607
e51c7be2
JH		 1608#define exim_gnutls_peer_err(Label) \
1609 do { \
1610 if (rc != GNUTLS_E_SUCCESS) \
1611 { \
1612 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1613 (Label), gnutls_strerror(rc)); \
1614 if (state->verify_requirement >= VERIFY_REQUIRED) \
452a164f 1615 return tls_error_gnu((Label), rc, state->host, errstr); \
e51c7be2
JH		 1616 return OK; \
1617 } \
1618 } while (0)
17c76198 1619
9d1c15ef
JH		 1620rc = import_cert(&cert_list[0], &crt);
1621exim_gnutls_peer_err(US"cert 0");
1622
1623state->tlsp->peercert = state->peercert = crt;
17c76198 1624
17c76198
PP		 1625sz = 0;
1626rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1627if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1628 {
17c76198
PP		 1629 exim_gnutls_peer_err(US"getting size for cert DN failed");
1630 return FAIL; /* should not happen */
059ec3d9 1631 }
17c76198
PP		 1632dn_buf = store_get_perm(sz);
1633rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1634exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1635
17c76198
PP		 1636state->peerdn = dn_buf;
1637
1638return OK;
1639#undef exim_gnutls_peer_err
1640}
059ec3d9 1641
059ec3d9 1642
059ec3d9 1643
059ec3d9 1644
17c76198
PP		 1645/*************************************************
1646* Verify peer certificate *
1647*************************************************/
059ec3d9 1648
17c76198
PP		 1649/* Called from both server and client code.
1650*Should* be using a callback registered with
1651gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1652the peer information, but that's too new for some OSes.
059ec3d9 1653
17c76198 1654Arguments:
899b8bbc
JH		 1655 state exim_gnutls_state_st *
1656 errstr where to put an error message
059ec3d9 1657
17c76198
PP		 1658Returns:
1659 FALSE if the session should be rejected
1660 TRUE if the cert is okay or we just don't care
1661*/
059ec3d9 1662
17c76198 1663static BOOL
28646fa9 1664verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
17c76198
PP		 1665{
1666int rc;
899b8bbc
JH		 1667uint verify;
1668
8008accd 1669DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
cf0c6164 1670*errstr = NULL;
b10c87b3 1671rc = peer_status(state, errstr);
17c76198 1672
b10c87b3
JH		 1673if (state->verify_requirement == VERIFY_NONE)
1674 return TRUE;
1675
1676if (rc != OK || !state->peerdn)
e6060e2c 1677 {
17c76198 1678 verify = GNUTLS_CERT_INVALID;
cf0c6164 1679 *errstr = US"certificate not supplied";
17c76198
PP		 1680 }
1681else
899b8bbc
JH		 1682
1683 {
1684#ifdef SUPPORT_DANE
1685 if (state->verify_requirement == VERIFY_DANE && state->host)
1686 {
1687 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1688 including talking to a DNS resolver. But we want to do that bit ourselves
1689 as the testsuite intercepts and fakes its own DNS environment. */
1690
1691 dane_state_t s;
1692 dane_query_t r;
899b8bbc 1693 uint lsize;
94c13285
JH		 1694 const gnutls_datum_t * certlist =
1695 gnutls_certificate_get_peers(state->session, &lsize);
1696 int usage = tls_out.tlsa_usage;
1697
1698# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1699 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1700 dane-verification separately so that we know which selector verified;
570cb1bd 1701 then we know whether to do name-verification (needed for TA but not EE). */
94c13285
JH		 1702
1703 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
bd5b3f3c 1704 { /* a mixed-usage bundle */
94c13285
JH		 1705 int i, j, nrec;
1706 const char ** dd;
1707 int * ddl;
1708
1709 for(nrec = 0; state->dane_data_len[nrec]; ) nrec++;
1710 nrec++;
1711
1712 dd = store_get(nrec * sizeof(uschar *));
1713 ddl = store_get(nrec * sizeof(int));
1714 nrec--;
1715
1716 if ((rc = dane_state_init(&s, 0)))
1717 goto tlsa_prob;
1718
1719 for (usage = DANESSL_USAGE_DANE_EE;
1720 usage >= DANESSL_USAGE_DANE_TA; usage--)
1721 { /* take records with this usage */
1722 for (j = i = 0; i < nrec; i++)
1723 if (state->dane_data[i][0] == usage)
1724 {
1725 dd[j] = state->dane_data[i];
1726 ddl[j++] = state->dane_data_len[i];
1727 }
1728 if (j)
1729 {
1730 dd[j] = NULL;
1731 ddl[j] = 0;
1732
1733 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1734 goto tlsa_prob;
1735
1736 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1737 gnutls_certificate_type_get(state->session),
1738 r, 0,
1739 usage == DANESSL_USAGE_DANE_EE
1740 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1741 &verify)))
1742 {
1743 DEBUG(D_tls)
1744 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1745 }
1746 else if (verify == 0) /* verification passed */
1747 {
1748 usage = 1 << usage;
1749 break;
1750 }
1751 }
1752 }
899b8bbc 1753
94c13285
JH		 1754 if (rc) goto tlsa_prob;
1755 }
1756 else
1757# endif
899b8bbc 1758 {
94c13285
JH		 1759 if ( (rc = dane_state_init(&s, 0))
1760 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
1761 1, 0))
1762 || (rc = dane_verify_crt_raw(s, certlist, lsize,
1763 gnutls_certificate_type_get(state->session),
5ec37a55 1764 r, 0,
94c13285
JH		 1765# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1766 usage == (1 << DANESSL_USAGE_DANE_EE)
1767 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1768# else
1769 0,
1770# endif
1771 &verify))
1772 )
1773 goto tlsa_prob;
899b8bbc 1774 }
94c13285
JH		 1775
1776 if (verify != 0) /* verification failed */
899b8bbc
JH		 1777 {
1778 gnutls_datum_t str;
1779 (void) dane_verification_status_print(verify, &str, 0);
1780 *errstr = US str.data; /* don't bother to free */
1781 goto badcert;
1782 }
28646fa9 1783
94c13285
JH		 1784# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1785 /* If a TA-mode TLSA record was used for verification we must additionally
570cb1bd 1786 verify the cert name (but not the CA chain). For EE-mode, skip it. */
28646fa9 1787
94c13285
JH		 1788 if (usage & (1 << DANESSL_USAGE_DANE_EE))
1789# endif
28646fa9 1790 {
570cb1bd 1791 state->peer_dane_verified = state->peer_cert_verified = TRUE;
28646fa9
JH		 1792 goto goodcert;
1793 }
570cb1bd
JH		 1794# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1795 /* Assume that the name on the A-record is the one that should be matching
1796 the cert. An alternate view is that the domain part of the email address
1797 is also permissible. */
1798
1799 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
1800 CS state->host->name))
1801 {
1802 state->peer_dane_verified = state->peer_cert_verified = TRUE;
1803 goto goodcert;
1804 }
1805# endif
899b8bbc 1806 }
570cb1bd 1807#endif /*SUPPORT_DANE*/
899b8bbc 1808
17c76198 1809 rc = gnutls_certificate_verify_peers2(state->session, &verify);
899b8bbc 1810 }
e6060e2c 1811
899b8bbc 1812/* Handle the result of verification. INVALID is set if any others are. */
059ec3d9 1813
28646fa9 1814if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
17c76198
PP		 1815 {
1816 state->peer_cert_verified = FALSE;
cf0c6164 1817 if (!*errstr)
184384c3
JH		 1818 {
1819#ifdef GNUTLS_CERT_VFY_STATUS_PRINT
1820 DEBUG(D_tls)
1821 {
1822 gnutls_datum_t txt;
1823
1824 if (gnutls_certificate_verification_status_print(verify,
1825 gnutls_certificate_type_get(state->session), &txt, 0)
1826 == GNUTLS_E_SUCCESS)
1827 {
1828 debug_printf("%s\n", txt.data);
1829 gnutls_free(txt.data);
1830 }
1831 }
1832#endif
cf0c6164
JH		 1833 *errstr = verify & GNUTLS_CERT_REVOKED
1834 ? US"certificate revoked" : US"certificate invalid";
184384c3 1835 }
059ec3d9 1836
17c76198 1837 DEBUG(D_tls)
e51c7be2 1838 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 1839 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 1840
e51c7be2 1841 if (state->verify_requirement >= VERIFY_REQUIRED)
899b8bbc 1842 goto badcert;
17c76198 1843 DEBUG(D_tls)
4789da3a 1844 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 1845 }
e51c7be2 1846
17c76198
PP		 1847else
1848 {
5fd28bb8
JH		 1849 /* Client side, check the server's certificate name versus the name on the
1850 A-record for the connection we made. What to do for server side - what name
1851 to use for client? We document that there is no such checking for server
1852 side. */
1853
1854 if ( state->exp_tls_verify_cert_hostnames
1855 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
1856 CS state->exp_tls_verify_cert_hostnames)
1857 )
e51c7be2 1858 {
5fd28bb8
JH		 1859 DEBUG(D_tls)
1860 debug_printf("TLS certificate verification failed: cert name mismatch\n");
1861 if (state->verify_requirement >= VERIFY_REQUIRED)
1862 goto badcert;
1863 return TRUE;
e51c7be2 1864 }
5fd28bb8 1865
17c76198 1866 state->peer_cert_verified = TRUE;
e51c7be2 1867 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 1868 state->peerdn ? state->peerdn : US"<unset>");
17c76198 1869 }
059ec3d9 1870
28646fa9
JH		 1871goodcert:
1872 state->tlsp->peerdn = state->peerdn;
1873 return TRUE;
899b8bbc 1874
b83314e3 1875#ifdef SUPPORT_DANE
94c13285 1876tlsa_prob:
624f33df
JH		 1877 *errstr = string_sprintf("TLSA record problem: %s",
1878 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
b83314e3
JH		 1879#endif
1880
899b8bbc
JH		 1881badcert:
1882 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1883 return FALSE;
17c76198 1884}
059ec3d9 1885
17c76198
PP		 1886
1887
1888
1889/* ------------------------------------------------------------------------ */
1890/* Callbacks */
1891
1892/* Logging function which can be registered with
1893 * gnutls_global_set_log_function()
1894 * gnutls_global_set_log_level() 0..9
1895 */
af3498d6 1896#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 1897static void
17c76198 1898exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 1899{
8c79eebf
PP		 1900 size_t len = strlen(message);
1901 if (len < 1)
1902 {
1903 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1904 return;
1905 }
1906 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1907 message[len-1] == '\n' ? "" : "\n");
17c76198 1908}
af3498d6 1909#endif
059ec3d9 1910
059ec3d9 1911
17c76198
PP		 1912/* Called after client hello, should handle SNI work.
1913This will always set tls_sni (state->received_sni) if available,
1914and may trigger presenting different certificates,
1915if state->trigger_sni_changes is TRUE.
059ec3d9 1916
17c76198
PP		 1917Should be registered with
1918 gnutls_handshake_set_post_client_hello_function()
059ec3d9 1919
17c76198
PP		 1920"This callback must return 0 on success or a gnutls error code to terminate the
1921handshake.".
059ec3d9 1922
17c76198
PP		 1923For inability to get SNI information, we return 0.
1924We only return non-zero if re-setup failed.
817d9f57 1925Only used for server-side TLS.
17c76198 1926*/
44bbabb5 1927
17c76198
PP		 1928static int
1929exim_sni_handling_cb(gnutls_session_t session)
1930{
1931char sni_name[MAX_HOST_LEN];
1932size_t data_len = MAX_HOST_LEN;
817d9f57 1933exim_gnutls_state_st *state = &state_server;
17c76198
PP		 1934unsigned int sni_type;
1935int rc, old_pool;
cf0c6164 1936uschar * dummy_errstr;
17c76198
PP		 1937
1938rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP		 1939if (rc != GNUTLS_E_SUCCESS)
1940 {
1941 DEBUG(D_tls) {
1942 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1943 debug_printf("TLS: no SNI presented in handshake.\n");
1944 else
1945 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1946 gnutls_strerror(rc), rc);
cf0c6164 1947 }
b34fc30c
PP		 1948 return 0;
1949 }
1950
17c76198
PP		 1951if (sni_type != GNUTLS_NAME_DNS)
1952 {
1953 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1954 return 0;
1955 }
44bbabb5 1956
17c76198
PP		 1957/* We now have a UTF-8 string in sni_name */
1958old_pool = store_pool;
1959store_pool = POOL_PERM;
1960state->received_sni = string_copyn(US sni_name, data_len);
1961store_pool = old_pool;
1962
1963/* We set this one now so that variable expansions below will work */
817d9f57 1964state->tlsp->sni = state->received_sni;
17c76198
PP		 1965
1966DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1967 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1968
1969if (!state->trigger_sni_changes)
1970 return 0;
1971
cf0c6164 1972if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP		 1973 {
1974 /* If the setup of certs/etc failed before handshake, TLS would not have
1975 been offered. The best we can do now is abort. */
1976 return GNUTLS_E_APPLICATION_ERROR_MIN;
1977 }
1978
cf0c6164 1979rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP		 1980if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1981
1982return 0;
059ec3d9
PH		 1983}
1984
1985
1986
f2de3a33 1987#ifndef DISABLE_OCSP
44662487
JH		 1988
1989static int
1990server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1991 gnutls_datum_t * ocsp_response)
1992{
1993int ret;
47195144 1994DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
44662487 1995
44662487
JH		 1996if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1997 {
1998 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
5903c6ff 1999 CS ptr);
018058b2 2000 tls_in.ocsp = OCSP_NOT_RESP;
44662487
JH		 2001 return GNUTLS_E_NO_CERTIFICATE_STATUS;
2002 }
2003
018058b2 2004tls_in.ocsp = OCSP_VFY_NOT_TRIED;
44662487
JH		 2005return 0;
2006}
2007
2008#endif
2009
2010
0cbf2b82 2011#ifndef DISABLE_EVENT
a7538db1
JH		 2012/*
2013We use this callback to get observability and detail-level control
723fe533
JH		 2014for an exim TLS connection (either direction), raising a tls:cert event
2015for each cert in the chain presented by the peer. Any event
a7538db1
JH		 2016can deny verification.
2017
2018Return 0 for the handshake to continue or non-zero to terminate.
2019*/
2020
2021static int
723fe533 2022verify_cb(gnutls_session_t session)
a7538db1 2023{
27f19eb4 2024const gnutls_datum_t * cert_list;
a7538db1
JH		 2025unsigned int cert_list_size = 0;
2026gnutls_x509_crt_t crt;
2027int rc;
b30275b8 2028uschar * yield;
a7538db1
JH		 2029exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2030
bd5b3f3c 2031if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
a7538db1
JH		 2032 while (cert_list_size--)
2033 {
bd5b3f3c 2034 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
a7538db1
JH		 2035 {
2036 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2037 cert_list_size, gnutls_strerror(rc));
2038 break;
2039 }
2040
2041 state->tlsp->peercert = crt;
b30275b8
JH		 2042 if ((yield = event_raise(state->event_action,
2043 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH		 2044 {
2045 log_write(0, LOG_MAIN,
b30275b8
JH		 2046 "SSL verify denied by event-action: depth=%d: %s",
2047 cert_list_size, yield);
a7538db1
JH		 2048 return 1; /* reject */
2049 }
2050 state->tlsp->peercert = NULL;
2051 }
2052
2053return 0;
2054}
2055
2056#endif
44662487
JH		 2057
2058
f20cfa4a
JH		 2059static gstring *
2060ddump(gnutls_datum_t * d)
2061{
2062gstring * g = string_get((d->size+1) * 2);
2063uschar * s = d->data;
2064for (unsigned i = d->size; i > 0; i--, s++)
2065 {
2066 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2067 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2068 }
2069return g;
2070}
17c76198 2071
dc6d1769
JH		 2072static void
2073post_handshake_debug(exim_gnutls_state_st * state)
2074{
dc6d1769
JH		 2075#ifdef SUPPORT_GNUTLS_SESS_DESC
2076debug_printf("%s\n", gnutls_session_get_desc(state->session));
2077#endif
2078#ifdef SUPPORT_GNUTLS_KEYLOG
a8af957d 2079# ifdef GNUTLS_TLS1_3
dc6d1769 2080if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
a8af957d
JH		 2081#else
2082if (TRUE)
2083#endif
dc6d1769
JH		 2084 {
2085 gnutls_datum_t c, s;
2086 gstring * gc, * gs;
2087 /* we only want the client random and the master secret */
2088 gnutls_session_get_random(state->session, &c, &s);
2089 gnutls_session_get_master_secret(state->session, &s);
2090 gc = ddump(&c);
2091 gs = ddump(&s);
2092 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2093 }
2094else
2095 debug_printf("To get keying info for TLS1.3 is hard:\n"
2096 " set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n"
2097 " add SSLKEYLOGFILE to keep_environment in the exim config\n"
2098 " run exim as root\n"
2099 " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n");
2100#endif
2101}
2102
b10c87b3
JH		 2103
2104#ifdef EXPERIMENTAL_TLS_RESUME
2105static int
2106tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2107 unsigned incoming, const gnutls_datum_t * msg)
2108{
2109DEBUG(D_tls) debug_printf("newticket cb\n");
2110tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2111return 0;
2112}
2113
2114static void
2115tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2116{
2117/* Should the server offer session resumption? */
2118tls_in.resumption = RESUME_SUPPORTED;
2119if (verify_check_host(&tls_resumption_hosts) == OK)
2120 {
2121 int rc;
2122 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2123 an offered resumption is unacceptable. We lose one resumption per ticket
2124 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2125 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2126 least they go out in a single packet. */
2127
2128 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2129 &server_sessticket_key)))
2130 tls_in.resumption |= RESUME_SERVER_TICKET;
2131 else
2132 DEBUG(D_tls)
2133 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2134
2135 /* Try to tell if we see a ticket request */
2136 gnutls_handshake_set_hook_function(state->session,
2137 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_server_ticket_cb);
2138 }
2139}
2140
2141static void
2142tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2143{
2144if (gnutls_session_resumption_requested(state->session))
2145 {
2146 /* This tells us the client sent a full ticket. We use a
2147 callback on session-ticket request, elsewhere, to tell
2148 if a client asked for a ticket. */
2149
2150 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2151 DEBUG(D_tls) debug_printf("client requested resumption\n");
2152 }
2153if (gnutls_session_is_resumed(state->session))
2154 {
2155 tls_in.resumption |= RESUME_USED;
2156 DEBUG(D_tls) debug_printf("Session resumed\n");
2157 }
2158}
2159#endif
17c76198
PP		 2160/* ------------------------------------------------------------------------ */
2161/* Exported functions */
2162
2163
2164
2165
059ec3d9
PH		 2166/*************************************************
2167* Start a TLS session in a server *
2168*************************************************/
2169
2170/* This is called when Exim is running as a server, after having received
2171the STARTTLS command. It must respond to that command, and then negotiate
2172a TLS session.
2173
2174Arguments:
83da1223 2175 require_ciphers list of allowed ciphers or NULL
cf0c6164 2176 errstr pointer to error string
059ec3d9
PH		 2177
2178Returns: OK on success
2179 DEFER for errors before the start of the negotiation
4c04137d 2180 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 2181 continue running.
2182*/
2183
2184int
cf0c6164 2185tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 2186{
2187int rc;
cf0c6164 2188exim_gnutls_state_st * state = NULL;
059ec3d9
PH		 2189
2190/* Check for previous activation */
74f1a423 2191if (tls_in.active.sock >= 0)
059ec3d9 2192 {
48224640 2193 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
925ac8e4 2194 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 2195 return FAIL;
2196 }
2197
2198/* Initialize the library. If it fails, it will already have logged the error
2199and sent an SMTP response. */
2200
17c76198 2201DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 2202
cf0c6164 2203if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
17c76198 2204 NULL, tls_verify_certificates, tls_crl,
74f1a423 2205 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
059ec3d9 2206
b10c87b3
JH		 2207#ifdef EXPERIMENTAL_TLS_RESUME
2208tls_server_resume_prehandshake(state);
2209#endif
2210
059ec3d9
PH		 2211/* If this is a host for which certificate verification is mandatory or
2212optional, set up appropriately. */
2213
059ec3d9 2214if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 2215 {
e51c7be2
JH		 2216 DEBUG(D_tls)
2217 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP		 2218 state->verify_requirement = VERIFY_REQUIRED;
2219 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2220 }
059ec3d9 2221else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 2222 {
e51c7be2
JH		 2223 DEBUG(D_tls)
2224 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP		 2225 state->verify_requirement = VERIFY_OPTIONAL;
2226 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2227 }
2228else
2229 {
e51c7be2
JH		 2230 DEBUG(D_tls)
2231 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP		 2232 state->verify_requirement = VERIFY_NONE;
2233 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2234 }
059ec3d9 2235
0cbf2b82 2236#ifndef DISABLE_EVENT
723fe533
JH		 2237if (event_action)
2238 {
2239 state->event_action = event_action;
2240 gnutls_session_set_ptr(state->session, state);
2241 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2242 }
2243#endif
2244
17c76198
PP		 2245/* Register SNI handling; always, even if not in tls_certificate, so that the
2246expansion variable $tls_sni is always available. */
059ec3d9 2247
17c76198
PP		 2248gnutls_handshake_set_post_client_hello_function(state->session,
2249 exim_sni_handling_cb);
059ec3d9
PH		 2250
2251/* Set context and tell client to go ahead, except in the case of TLS startup
2252on connection, where outputting anything now upsets the clients and tends to
2253make them disconnect. We need to have an explicit fflush() here, to force out
2254the response. Other smtp_printf() calls do not need it, because in non-TLS
2255mode, the fflush() happens when smtp_getc() is called. */
2256
817d9f57 2257if (!state->tlsp->on_connect)
059ec3d9 2258 {
925ac8e4 2259 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 2260 fflush(smtp_out);
059ec3d9
PH		 2261 }
2262
2263/* Now negotiate the TLS session. We put our own timer on it, since it seems
8008accd
JH		 2264that the GnuTLS library doesn't.
2265From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2266to set (and clear down afterwards) up a pull-timeout callback function that does
2267a select, so we're no better off unless avoiding signals becomes an issue. */
059ec3d9 2268
17c76198 2269gnutls_transport_set_ptr2(state->session,
27f19eb4
JH		 2270 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2271 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP		 2272state->fd_in = fileno(smtp_in);
2273state->fd_out = fileno(smtp_out);
059ec3d9
PH		 2274
2275sigalrm_seen = FALSE;
c2a1bba0 2276if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
17c76198 2277do
17c76198 2278 rc = gnutls_handshake(state->session);
157a7880 2279while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2280ALARM_CLR(0);
059ec3d9 2281
17c76198 2282if (rc != GNUTLS_E_SUCCESS)
059ec3d9 2283 {
059ec3d9
PH		 2284 /* It seems that, except in the case of a timeout, we have to close the
2285 connection right here; otherwise if the other end is running OpenSSL it hangs
2286 until the server times out. */
2287
60d10ce7 2288 if (sigalrm_seen)
ad7fc6eb 2289 {
48224640 2290 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
ad7fc6eb
JH		 2291 gnutls_db_remove_session(state->session);
2292 }
60d10ce7 2293 else
059ec3d9 2294 {
452a164f 2295 tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
f5d25c2b 2296 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 2297 gnutls_deinit(state->session);
ed62aae3 2298 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 2299 millisleep(500);
ad7fc6eb 2300 shutdown(state->fd_out, SHUT_WR);
d7978c0f 2301 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
f1e894f3
PH		 2302 (void)fclose(smtp_out);
2303 (void)fclose(smtp_in);
60d10ce7 2304 smtp_out = smtp_in = NULL;
059ec3d9
PH		 2305 }
2306
2307 return FAIL;
2308 }
2309
b10c87b3
JH		 2310#ifdef EXPERIMENTAL_TLS_RESUME
2311tls_server_resume_posthandshake(state);
2312#endif
2313
dc6d1769 2314DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2315
17c76198
PP		 2316/* Verify after the fact */
2317
899b8bbc 2318if (!verify_certificate(state, errstr))
059ec3d9 2319 {
9d1c15ef 2320 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 2321 {
cf0c6164 2322 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 2323 return FAIL;
17c76198 2324 }
9d1c15ef
JH		 2325 DEBUG(D_tls)
2326 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 2327 *errstr);
059ec3d9
PH		 2328 }
2329
17c76198
PP		 2330/* Sets various Exim expansion variables; always safe within server */
2331
9d1c15ef 2332extract_exim_vars_from_tls_state(state);
059ec3d9
PH		 2333
2334/* TLS has been set up. Adjust the input functions to read via TLS,
2335and initialize appropriately. */
2336
17c76198 2337state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH		 2338
2339receive_getc = tls_getc;
0d81dabc 2340receive_getbuf = tls_getbuf;
584e96c6 2341receive_get_cache = tls_get_cache;
059ec3d9
PH		 2342receive_ungetc = tls_ungetc;
2343receive_feof = tls_feof;
2344receive_ferror = tls_ferror;
58eb016e 2345receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2346
059ec3d9
PH		 2347return OK;
2348}
2349
2350
2351
2352
aa2a70ba
JH		 2353static void
2354tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2355 smtp_transport_options_block * ob)
2356{
3fb3231c 2357if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 2358 {
4af0d74a 2359 state->exp_tls_verify_cert_hostnames =
8c5d388a 2360#ifdef SUPPORT_I18N
4af0d74a
JH		 2361 string_domain_utf8_to_alabel(host->name, NULL);
2362#else
2363 host->name;
2364#endif
aa2a70ba
JH		 2365 DEBUG(D_tls)
2366 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2367 state->exp_tls_verify_cert_hostnames);
2368 }
2369}
aa2a70ba
JH		 2370
2371
899b8bbc
JH		 2372
2373
2374#ifdef SUPPORT_DANE
2375/* Given our list of RRs from the TLSA lookup, build a lookup block in
2376GnuTLS-DANE's preferred format. Hang it on the state str for later
2377use in DANE verification.
2378
2379We point at the dnsa data not copy it, so it must remain valid until
2380after verification is done.*/
2381
3674140c 2382static BOOL
899b8bbc
JH		 2383dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2384{
899b8bbc
JH		 2385dns_scan dnss;
2386int i;
2387const char ** dane_data;
2388int * dane_data_len;
2389
d7978c0f
JH		 2390i = 1;
2391for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc
JH		 2392 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2393 ) if (rr->type == T_TLSA) i++;
2394
2395dane_data = store_get(i * sizeof(uschar *));
2396dane_data_len = store_get(i * sizeof(int));
2397
d7978c0f
JH		 2398i = 0;
2399for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc 2400 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2401 ) if (rr->type == T_TLSA && rr->size > 3)
899b8bbc
JH		 2402 {
2403 const uschar * p = rr->data;
3674140c
JH		 2404 uint8_t usage = p[0], sel = p[1], type = p[2];
2405
2406 DEBUG(D_tls)
2407 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2408
94c13285
JH		 2409 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2410 || (sel != 0 && sel != 1)
2411 )
2412 continue;
3674140c
JH		 2413 switch(type)
2414 {
2415 case 0: /* Full: cannot check at present */
2416 break;
2417 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2418 break;
2419 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2420 break;
2421 default: continue;
2422 }
899b8bbc
JH		 2423
2424 tls_out.tlsa_usage |= 1<<usage;
48224640 2425 dane_data[i] = CS p;
899b8bbc
JH		 2426 dane_data_len[i++] = rr->size;
2427 }
3674140c
JH		 2428
2429if (!i) return FALSE;
2430
899b8bbc
JH		 2431dane_data[i] = NULL;
2432dane_data_len[i] = 0;
2433
2434state->dane_data = (char * const *)dane_data;
2435state->dane_data_len = dane_data_len;
3674140c 2436return TRUE;
899b8bbc
JH		 2437}
2438#endif
2439
2440
2441
b10c87b3
JH		 2442#ifdef EXPERIMENTAL_TLS_RESUME
2443/* On the client, get any stashed session for the given IP from hints db
2444and apply it to the ssl-connection for attempted resumption. Although
2445there is a gnutls_session_ticket_enable_client() interface it is
2446documented as unnecessary (as of 3.6.7) as "session tickets are emabled
2447by deafult". There seems to be no way to disable them, so even hosts not
2448enabled by the transport option will be sent a ticket request. We will
2449however avoid storing and retrieving session information. */
2450
2451static void
2452tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
2453 host_item * host, smtp_transport_options_block * ob)
2454{
2455tlsp->resumption = RESUME_SUPPORTED;
2456if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2457 {
2458 dbdata_tls_session * dt;
2459 int len, rc;
2460 open_db dbblock, * dbm_file;
2461
2462 DEBUG(D_tls)
2463 debug_printf("check for resumable session for %s\n", host->address);
2464 tlsp->host_resumable = TRUE;
2465 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2466 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2467 {
dea4b568
JH		 2468 /* Key for the db is the IP. We'd like to filter the retrieved session
2469 for ticket advisory expiry, but 3.6.1 seems to give no access to that */
2470
b10c87b3
JH		 2471 if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
2472 if (!(rc = gnutls_session_set_data(session,
2473 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
2474 {
2475 DEBUG(D_tls) debug_printf("good session\n");
2476 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2477 }
2478 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
2479 US gnutls_strerror(rc));
2480 dbfn_close(dbm_file);
2481 }
2482 }
2483}
2484
2485
2486static void
2487tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
2488{
2489/* TLS 1.2 - we get both the callback and the direct posthandshake call,
2490but this flag is not set until the second. TLS 1.3 it's the other way about.
2491Keep both calls as the session data cannot be extracted before handshake
2492completes. */
2493
2494if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
2495 {
2496 gnutls_datum_t tkt;
2497 int rc;
2498
2499 DEBUG(D_tls) debug_printf("server offered session ticket\n");
2500 tlsp->ticket_received = TRUE;
2501 tlsp->resumption |= RESUME_SERVER_TICKET;
2502
2503 if (tlsp->host_resumable)
2504 if (!(rc = gnutls_session_get_data2(session, &tkt)))
2505 {
2506 open_db dbblock, * dbm_file;
2507 int dlen = sizeof(dbdata_tls_session) + tkt.size;
2508 dbdata_tls_session * dt = store_get(dlen);
2509
2510 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
2511 memcpy(dt->session, tkt.data, tkt.size);
2512 gnutls_free(tkt.data);
2513
2514 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2515 {
2516 /* key for the db is the IP */
2517 dbfn_delete(dbm_file, host->address);
2518 dbfn_write(dbm_file, host->address, dt, dlen);
2519 dbfn_close(dbm_file);
2520
2521 DEBUG(D_tls)
2522 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
2523 }
2524 }
2525 else DEBUG(D_tls)
2526 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
2527 }
2528}
2529
2530
2531/* With a TLS1.3 session, the ticket(s) are not seen until
2532the first data read is attempted. And there's often two of them.
2533Pick them up with this callback. We are also called for 1.2
2534but we do nothing.
2535*/
2536static int
2537tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2538 unsigned incoming, const gnutls_datum_t * msg)
2539{
2540exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
2541tls_support * tlsp = state->tlsp;
2542
2543DEBUG(D_tls) debug_printf("newticket cb\n");
2544
2545if (!tlsp->ticket_received)
2546 tls_save_session(tlsp, sess, state->host);
2547return 0;
2548}
2549
2550
2551static void
2552tls_client_resume_prehandshake(exim_gnutls_state_st * state,
2553 tls_support * tlsp, host_item * host,
2554 smtp_transport_options_block * ob)
2555{
2556gnutls_session_set_ptr(state->session, state);
2557gnutls_handshake_set_hook_function(state->session,
2558 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
2559
2560tls_retrieve_session(tlsp, state->session, host, ob);
2561}
2562
2563static void
2564tls_client_resume_posthandshake(exim_gnutls_state_st * state,
2565 tls_support * tlsp, host_item * host)
2566{
2567if (gnutls_session_is_resumed(state->session))
2568 {
2569 DEBUG(D_tls) debug_printf("Session resumed\n");
2570 tlsp->resumption |= RESUME_USED;
2571 }
2572
2573tls_save_session(tlsp, state->session, host);
2574}
2575#endif /* EXPERIMENTAL_TLS_RESUME */
2576
2577
059ec3d9
PH		 2578/*************************************************
2579* Start a TLS session in a client *
2580*************************************************/
2581
2582/* Called from the smtp transport after STARTTLS has been accepted.
2583
2584Arguments:
c05bdbd6
JH		 2585 cctx connection context
2586 conn_args connection details
2587 cookie datum for randomness (not used)
2588 tlsp record details of channel configuration here; must be non-NULL
2589 errstr error string pointer
2590
2591Returns: TRUE for success with TLS session context set in smtp context,
2592 FALSE on error
059ec3d9
PH		 2593*/
2594
c05bdbd6
JH		 2595BOOL
2596tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2597 void * cookie ARG_UNUSED,
2598 tls_support * tlsp, uschar ** errstr)
059ec3d9 2599{
c05bdbd6
JH		 2600host_item * host = conn_args->host; /* for msgs and option-tests */
2601transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2602smtp_transport_options_block * ob = tb
afdb5e9c
JH		 2603 ? (smtp_transport_options_block *)tb->options_block
2604 : &smtp_transport_option_defaults;
059ec3d9 2605int rc;
899b8bbc 2606exim_gnutls_state_st * state = NULL;
c05bdbd6 2607uschar * cipher_list = NULL;
74f1a423 2608
f2de3a33 2609#ifndef DISABLE_OCSP
5130845b 2610BOOL require_ocsp =
3fb3231c 2611 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
44662487 2612BOOL request_ocsp = require_ocsp ? TRUE
3fb3231c 2613 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2b4a568d 2614#endif
059ec3d9 2615
c05bdbd6 2616DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
059ec3d9 2617
5ec37a55 2618#ifdef SUPPORT_DANE
c05bdbd6
JH		 2619/* If dane is flagged, have either request or require dane for this host, and
2620a TLSA record found. Therefore, dane verify required. Which implies cert must
2621be requested and supplied, dane verify must pass, and cert verify irrelevant
2622(incl. hostnames), and (caller handled) require_tls */
2623
2624if (conn_args->dane && ob->dane_require_tls_ciphers)
5ec37a55
PP		 2625 {
2626 /* not using expand_check_tlsvar because not yet in state */
2627 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2628 &cipher_list, errstr))
c05bdbd6 2629 return FALSE;
cf260049
JH		 2630 cipher_list = cipher_list && *cipher_list
2631 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
5ec37a55
PP		 2632 }
2633#endif
2634
2635if (!cipher_list)
2636 cipher_list = ob->tls_require_ciphers;
2637
74f1a423 2638if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
65867078 2639 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
74f1a423 2640 cipher_list, &state, tlsp, errstr) != OK)
c05bdbd6 2641 return FALSE;
059ec3d9 2642
54c90be1 2643 {
65867078
JH		 2644 int dh_min_bits = ob->tls_dh_min_bits;
2645 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2646 {
2647 DEBUG(D_tls)
2648 debug_printf("WARNING: tls_dh_min_bits far too low,"
2649 " clamping %d up to %d\n",
2650 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2651 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2652 }
54c90be1 2653
65867078
JH		 2654 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2655 " acceptable bits to %d\n",
2656 dh_min_bits);
2657 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2658 }
83da1223 2659
94431adb 2660/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH		 2661set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2662the specified host patterns if one of them is defined */
2663
899b8bbc 2664#ifdef SUPPORT_DANE
c05bdbd6 2665if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
899b8bbc
JH		 2666 {
2667 DEBUG(D_tls)
2668 debug_printf("TLS: server certificate DANE required.\n");
2669 state->verify_requirement = VERIFY_DANE;
2670 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
899b8bbc
JH		 2671 }
2672else
2673#endif
2674 if ( ( state->exp_tls_verify_certificates
2675 && !ob->tls_verify_hosts
2676 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2677 )
3fb3231c 2678 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
899b8bbc 2679 )
17c76198 2680 {
aa2a70ba 2681 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH		 2682 DEBUG(D_tls)
2683 debug_printf("TLS: server certificate verification required.\n");
2684 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB		 2685 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2686 }
3fb3231c 2687else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
52f93eed 2688 {
aa2a70ba 2689 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH		 2690 DEBUG(D_tls)
2691 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2692 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP		 2693 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2694 }
2695else
2696 {
e51c7be2
JH		 2697 DEBUG(D_tls)
2698 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB		 2699 state->verify_requirement = VERIFY_NONE;
2700 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2701 }
059ec3d9 2702
f2de3a33
JH		 2703#ifndef DISABLE_OCSP
2704 /* supported since GnuTLS 3.1.3 */
44662487 2705if (request_ocsp)
9d1c15ef
JH		 2706 {
2707 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH		 2708 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2709 NULL, 0, NULL)) != OK)
74f1a423 2710 {
452a164f 2711 tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
c05bdbd6 2712 return FALSE;
74f1a423
JH		 2713 }
2714 tlsp->ocsp = OCSP_NOT_RESP;
9d1c15ef 2715 }
2b4a568d
JH		 2716#endif
2717
b10c87b3
JH		 2718#ifdef EXPERIMENTAL_TLS_RESUME
2719tls_client_resume_prehandshake(state, tlsp, host, ob);
2720#endif
2721
0cbf2b82 2722#ifndef DISABLE_EVENT
afdb5e9c 2723if (tb && tb->event_action)
a7538db1 2724 {
774ef2d7 2725 state->event_action = tb->event_action;
a7538db1 2726 gnutls_session_set_ptr(state->session, state);
723fe533 2727 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH		 2728 }
2729#endif
2730
c05bdbd6
JH		 2731gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
2732state->fd_in = cctx->sock;
2733state->fd_out = cctx->sock;
059ec3d9 2734
9d1c15ef 2735DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH		 2736/* There doesn't seem to be a built-in timeout on connection. */
2737
2738sigalrm_seen = FALSE;
c2a1bba0 2739ALARM(ob->command_timeout);
17c76198 2740do
17c76198 2741 rc = gnutls_handshake(state->session);
f1fed05b 2742while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2743ALARM_CLR(0);
059ec3d9 2744
4fe99a6c 2745if (rc != GNUTLS_E_SUCCESS)
74f1a423 2746 {
60d10ce7
JH		 2747 if (sigalrm_seen)
2748 {
2749 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
48224640 2750 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
60d10ce7
JH		 2751 }
2752 else
452a164f 2753 tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
c05bdbd6 2754 return FALSE;
74f1a423 2755 }
4fe99a6c 2756
dc6d1769 2757DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2758
17c76198 2759/* Verify late */
059ec3d9 2760
899b8bbc 2761if (!verify_certificate(state, errstr))
74f1a423
JH		 2762 {
2763 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
c05bdbd6 2764 return FALSE;
74f1a423 2765 }
059ec3d9 2766
f2de3a33 2767#ifndef DISABLE_OCSP
7a501c87 2768if (request_ocsp)
2b4a568d
JH		 2769 {
2770 DEBUG(D_tls)
2771 {
2772 gnutls_datum_t stapling;
2773 gnutls_ocsp_resp_t resp;
2774 gnutls_datum_t printed;
2775 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
2776 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
2777 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2778 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
2779 )
2780 {
65867078 2781 debug_printf("%.4096s", printed.data);
2b4a568d
JH		 2782 gnutls_free(printed.data);
2783 }
2784 else
452a164f 2785 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2b4a568d
JH		 2786 }
2787
2b4a568d 2788 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2 2789 {
74f1a423
JH		 2790 tlsp->ocsp = OCSP_FAILED;
2791 tls_error(US"certificate status check failed", NULL, state->host, errstr);
7a501c87
JH		 2792 if (require_ocsp)
2793 return FALSE;
2794 }
2795 else
2796 {
2797 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
2798 tlsp->ocsp = OCSP_VFIED;
018058b2 2799 }
2b4a568d
JH		 2800 }
2801#endif
2802
b10c87b3
JH		 2803#ifdef EXPERIMENTAL_TLS_RESUME
2804tls_client_resume_posthandshake(state, tlsp, host);
2805#endif
059ec3d9 2806
4fe99a6c 2807/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 2808
9d1c15ef 2809extract_exim_vars_from_tls_state(state);
059ec3d9 2810
c05bdbd6
JH		 2811cctx->tls_ctx = state;
2812return TRUE;
059ec3d9
PH		 2813}
2814
2815
2816
17c76198 2817
059ec3d9 2818/*************************************************
17c76198 2819* Close down a TLS session *
059ec3d9
PH		 2820*************************************************/
2821
17c76198
PP		 2822/* This is also called from within a delivery subprocess forked from the
2823daemon, to shut down the TLS library, without actually doing a shutdown (which
2824would tamper with the TLS session in the parent process).
059ec3d9 2825
dec766a1 2826Arguments:
74f1a423 2827 ct_ctx client context pointer, or NULL for the one global server context
dec766a1 2828 shutdown 1 if TLS close-alert is to be sent,
afdb5e9c 2829 2 if also response to be waited for
dec766a1 2830
17c76198 2831Returns: nothing
059ec3d9
PH		 2832*/
2833
17c76198 2834void
74f1a423 2835tls_close(void * ct_ctx, int shutdown)
059ec3d9 2836{
74f1a423 2837exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
059ec3d9 2838
74f1a423 2839if (!state->tlsp || state->tlsp->active.sock < 0) return; /* TLS was not active */
17c76198
PP		 2840
2841if (shutdown)
2842 {
dec766a1
WB		 2843 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
2844 shutdown > 1 ? " (with response-wait)" : "");
2845
c2a1bba0 2846 ALARM(2);
dec766a1 2847 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
c2a1bba0 2848 ALARM_CLR(0);
17c76198
PP		 2849 }
2850
2851gnutls_deinit(state->session);
ed62aae3
HSHR		 2852gnutls_certificate_free_credentials(state->x509_cred);
2853
17c76198 2854
74f1a423
JH		 2855state->tlsp->active.sock = -1;
2856state->tlsp->active.tls_ctx = NULL;
b808677c 2857if (state->xfer_buffer) store_free(state->xfer_buffer);
17c76198 2858memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
059ec3d9
PH		 2859}
2860
2861
2862
17c76198 2863
0d81dabc
JH		 2864static BOOL
2865tls_refill(unsigned lim)
2866{
2867exim_gnutls_state_st * state = &state_server;
2868ssize_t inbytes;
2869
2870DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2871 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
2872
f1fed05b 2873sigalrm_seen = FALSE;
c2a1bba0 2874if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
4896a319
AM		 2875
2876do
2877 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
2878 MIN(ssl_xfer_buffer_size, lim));
2879while (inbytes == GNUTLS_E_AGAIN);
2880
c2a1bba0 2881if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH		 2882
2883if (had_command_timeout) /* set by signal handler */
2884 smtp_command_timeout_exit(); /* does not return */
2885if (had_command_sigterm)
2886 smtp_command_sigterm_exit();
2887if (had_data_timeout)
2888 smtp_data_timeout_exit();
2889if (had_data_sigint)
2890 smtp_data_sigint_exit();
2891
2892/* Timeouts do not get this far. A zero-byte return appears to mean that the
2893TLS session has been closed down, not that the socket itself has been closed
2894down. Revert to non-TLS handling. */
0d81dabc
JH		 2895
2896if (sigalrm_seen)
2897 {
2898 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
8b77d27a 2899 state->xfer_error = TRUE;
0d81dabc
JH		 2900 return FALSE;
2901 }
2902
2903else if (inbytes == 0)
2904 {
2905 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2906
2907 receive_getc = smtp_getc;
2908 receive_getbuf = smtp_getbuf;
2909 receive_get_cache = smtp_get_cache;
2910 receive_ungetc = smtp_ungetc;
2911 receive_feof = smtp_feof;
2912 receive_ferror = smtp_ferror;
2913 receive_smtp_buffered = smtp_buffered;
2914
2915 gnutls_deinit(state->session);
2916 gnutls_certificate_free_credentials(state->x509_cred);
2917
2918 state->session = NULL;
74f1a423
JH		 2919 state->tlsp->active.sock = -1;
2920 state->tlsp->active.tls_ctx = NULL;
0d81dabc
JH		 2921 state->tlsp->bits = 0;
2922 state->tlsp->certificate_verified = FALSE;
2923 tls_channelbinding_b64 = NULL;
2924 state->tlsp->cipher = NULL;
2925 state->tlsp->peercert = NULL;
2926 state->tlsp->peerdn = NULL;
2927
2928 return FALSE;
2929 }
2930
2931/* Handle genuine errors */
2932
2933else if (inbytes < 0)
2934 {
95f52235 2935 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
0d81dabc 2936 record_io_error(state, (int) inbytes, US"recv", NULL);
8b77d27a 2937 state->xfer_error = TRUE;
0d81dabc
JH		 2938 return FALSE;
2939 }
2940#ifndef DISABLE_DKIM
2941dkim_exim_verify_feed(state->xfer_buffer, inbytes);
2942#endif
2943state->xfer_buffer_hwm = (int) inbytes;
2944state->xfer_buffer_lwm = 0;
2945return TRUE;
2946}
2947
059ec3d9
PH		 2948/*************************************************
2949* TLS version of getc *
2950*************************************************/
2951
2952/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2953it refills the buffer via the GnuTLS reading function.
817d9f57 2954Only used by the server-side TLS.
059ec3d9 2955
17c76198
PP		 2956This feeds DKIM and should be used for all message-body reads.
2957
aded2255 2958Arguments: lim Maximum amount to read/buffer
059ec3d9
PH		 2959Returns: the next character or EOF
2960*/
2961
2962int
bd8fbe36 2963tls_getc(unsigned lim)
059ec3d9 2964{
0d81dabc 2965exim_gnutls_state_st * state = &state_server;
059ec3d9 2966
0d81dabc
JH		 2967if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2968 if (!tls_refill(lim))
2969 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 2970
0d81dabc 2971/* Something in the buffer; return next uschar */
059ec3d9 2972
0d81dabc
JH		 2973return state->xfer_buffer[state->xfer_buffer_lwm++];
2974}
059ec3d9 2975
0d81dabc
JH		 2976uschar *
2977tls_getbuf(unsigned * len)
2978{
2979exim_gnutls_state_st * state = &state_server;
2980unsigned size;
2981uschar * buf;
059ec3d9 2982
0d81dabc
JH		 2983if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2984 if (!tls_refill(*len))
059ec3d9 2985 {
0d81dabc
JH		 2986 if (!state->xfer_error) return smtp_getbuf(len);
2987 *len = 0;
2988 return NULL;
059ec3d9 2989 }
059ec3d9 2990
0d81dabc
JH		 2991if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
2992 size = *len;
2993buf = &state->xfer_buffer[state->xfer_buffer_lwm];
2994state->xfer_buffer_lwm += size;
2995*len = size;
2996return buf;
059ec3d9
PH		 2997}
2998
0d81dabc 2999
584e96c6
JH		 3000void
3001tls_get_cache()
3002{
9960d1e5 3003#ifndef DISABLE_DKIM
584e96c6
JH		 3004exim_gnutls_state_st * state = &state_server;
3005int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3006if (n > 0)
3007 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 3008#endif
9960d1e5 3009}
584e96c6 3010
059ec3d9 3011
925ac8e4
JH		 3012BOOL
3013tls_could_read(void)
3014{
3015return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3016 || gnutls_record_check_pending(state_server.session) > 0;
3017}
3018
3019
059ec3d9 3020
17c76198 3021
059ec3d9
PH		 3022/*************************************************
3023* Read bytes from TLS channel *
3024*************************************************/
3025
17c76198
PP		 3026/* This does not feed DKIM, so if the caller uses this for reading message body,
3027then the caller must feed DKIM.
817d9f57 3028
059ec3d9 3029Arguments:
74f1a423 3030 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3031 buff buffer of data
3032 len size of buffer
3033
3034Returns: the number of bytes read
afdb5e9c 3035 -1 after a failed read, including EOF
059ec3d9
PH		 3036*/
3037
3038int
74f1a423 3039tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 3040{
74f1a423 3041exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
17c76198 3042ssize_t inbytes;
059ec3d9 3043
17c76198
PP		 3044if (len > INT_MAX)
3045 len = INT_MAX;
059ec3d9 3046
17c76198
PP		 3047if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3048 DEBUG(D_tls)
3049 debug_printf("*** PROBABLY A BUG *** " \
3050 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3051 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3052
3053DEBUG(D_tls)
3054 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
3055 state->session, buff, len);
3056
4896a319
AM		 3057do
3058 inbytes = gnutls_record_recv(state->session, buff, len);
3059while (inbytes == GNUTLS_E_AGAIN);
3060
059ec3d9
PH		 3061if (inbytes > 0) return inbytes;
3062if (inbytes == 0)
3063 {
3064 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3065 }
5fd28bb8 3066else
4896a319 3067 {
95f52235 3068 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
4896a319
AM		 3069 record_io_error(state, (int)inbytes, US"recv", NULL);
3070 }
059ec3d9
PH		 3071
3072return -1;
3073}
3074
3075
3076
17c76198 3077
059ec3d9
PH		 3078/*************************************************
3079* Write bytes down TLS channel *
3080*************************************************/
3081
3082/*
3083Arguments:
74f1a423 3084 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3085 buff buffer of data
3086 len number of bytes
925ac8e4 3087 more more data expected soon
059ec3d9
PH		 3088
3089Returns: the number of bytes after a successful write,
3090 -1 after a failed write
3091*/
3092
3093int
74f1a423 3094tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
059ec3d9 3095{
17c76198
PP		 3096ssize_t outbytes;
3097size_t left = len;
74f1a423 3098exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
925ac8e4
JH		 3099#ifdef SUPPORT_CORK
3100static BOOL corked = FALSE;
3101
3102if (more && !corked) gnutls_record_cork(state->session);
3103#endif
3104
3105DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
3106 buff, left, more ? ", more" : "");
059ec3d9 3107
059ec3d9
PH		 3108while (left > 0)
3109 {
17c76198
PP		 3110 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
3111 buff, left);
4896a319
AM		 3112
3113 do
3114 outbytes = gnutls_record_send(state->session, buff, left);
3115 while (outbytes == GNUTLS_E_AGAIN);
059ec3d9 3116
17c76198 3117 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH		 3118 if (outbytes < 0)
3119 {
1b76ad22 3120 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
17c76198 3121 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH		 3122 return -1;
3123 }
3124 if (outbytes == 0)
3125 {
17c76198 3126 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH		 3127 return -1;
3128 }
3129
3130 left -= outbytes;
3131 buff += outbytes;
3132 }
3133
17c76198
PP		 3134if (len > INT_MAX)
3135 {
3136 DEBUG(D_tls)
3137 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
3138 len);
3139 len = INT_MAX;
3140 }
3141
925ac8e4
JH		 3142#ifdef SUPPORT_CORK
3143if (more != corked)
3144 {
3145 if (!more) (void) gnutls_record_uncork(state->session, 0);
3146 corked = more;
3147 }
3148#endif
3149
17c76198 3150return (int) len;
059ec3d9
PH		 3151}
3152
3153
3154
17c76198 3155
059ec3d9 3156/*************************************************
17c76198 3157* Random number generation *
059ec3d9
PH		 3158*************************************************/
3159
17c76198
PP		 3160/* Pseudo-random number generation. The result is not expected to be
3161cryptographically strong but not so weak that someone will shoot themselves
3162in the foot using it as a nonce in input in some email header scheme or
3163whatever weirdness they'll twist this into. The result should handle fork()
3164and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 3165
17c76198
PP		 3166Arguments:
3167 max range maximum
3168Returns a random number in range [0, max-1]
059ec3d9
PH		 3169*/
3170
af3498d6 3171#ifdef HAVE_GNUTLS_RND
17c76198
PP		 3172int
3173vaguely_random_number(int max)
059ec3d9 3174{
17c76198
PP		 3175unsigned int r;
3176int i, needed_len;
17c76198
PP		 3177uschar smallbuf[sizeof(r)];
3178
3179if (max <= 1)
3180 return 0;
3181
3182needed_len = sizeof(r);
3183/* Don't take 8 times more entropy than needed if int is 8 octets and we were
d7978c0f
JH		 3184asked for a number less than 10. */
3185
17c76198
PP		 3186for (r = max, i = 0; r; ++i)
3187 r >>= 1;
3188i = (i + 7) / 8;
3189if (i < needed_len)
3190 needed_len = i;
3191
3192i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
3193if (i < 0)
059ec3d9 3194 {
17c76198
PP		 3195 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
3196 return vaguely_random_number_fallback(max);
3197 }
3198r = 0;
d7978c0f
JH		 3199for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3200 r = r * 256 + *p;
059ec3d9 3201
17c76198
PP		 3202/* We don't particularly care about weighted results; if someone wants
3203 * smooth distribution and cares enough then they should submit a patch then. */
3204return r % max;
059ec3d9 3205}
af3498d6
PP		 3206#else /* HAVE_GNUTLS_RND */
3207int
3208vaguely_random_number(int max)
3209{
3210 return vaguely_random_number_fallback(max);
3211}
3212#endif /* HAVE_GNUTLS_RND */
059ec3d9 3213
36f12725
NM		 3214
3215
3216
3375e053
PP		 3217/*************************************************
3218* Let tls_require_ciphers be checked at startup *
3219*************************************************/
3220
3221/* The tls_require_ciphers option, if set, must be something which the
3222library can parse.
3223
3224Returns: NULL on success, or error message
3225*/
3226
3227uschar *
3228tls_validate_require_cipher(void)
3229{
3230int rc;
3231uschar *expciphers = NULL;
3232gnutls_priority_t priority_cache;
3233const char *errpos;
cf0c6164 3234uschar * dummy_errstr;
3375e053
PP		 3235
3236#define validate_check_rc(Label) do { \
3237 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
3238 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3239#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
3240
3241if (exim_gnutls_base_init_done)
3242 log_write(0, LOG_MAIN|LOG_PANIC,
3243 "already initialised GnuTLS, Exim developer bug");
3244
a5f239e4 3245#ifdef HAVE_GNUTLS_PKCS11
2519e60d 3246if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 3247 {
3248 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
3249 validate_check_rc(US"gnutls_pkcs11_init");
3250 }
3251#endif
3375e053
PP		 3252rc = gnutls_global_init();
3253validate_check_rc(US"gnutls_global_init()");
3254exim_gnutls_base_init_done = TRUE;
3255
3256if (!(tls_require_ciphers && *tls_require_ciphers))
3257 return_deinit(NULL);
3258
cf0c6164
JH		 3259if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3260 &dummy_errstr))
3375e053
PP		 3261 return_deinit(US"failed to expand tls_require_ciphers");
3262
3263if (!(expciphers && *expciphers))
3264 return_deinit(NULL);
3265
3266DEBUG(D_tls)
3267 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3268
3269rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
3270validate_check_rc(string_sprintf(
3271 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
3272 expciphers, errpos - CS expciphers, errpos));
3273
3274#undef return_deinit
3275#undef validate_check_rc
3276gnutls_global_deinit();
3277
3278return NULL;
3279}
3280
3281
3282
3283
36f12725
NM		 3284/*************************************************
3285* Report the library versions. *
3286*************************************************/
3287
3288/* See a description in tls-openssl.c for an explanation of why this exists.
3289
3290Arguments: a FILE* to print the results to
3291Returns: nothing
3292*/
3293
3294void
3295tls_version_report(FILE *f)
3296{
754a0503
PP		 3297fprintf(f, "Library version: GnuTLS: Compile: %s\n"
3298 " Runtime: %s\n",
3299 LIBGNUTLS_VERSION,
3300 gnutls_check_version(NULL));
36f12725
NM		 3301}
3302
b10c87b3 3303#endif /*!MACRO_PREDEF*/
2b4a568d
JH		 3304/* vi: aw ai sw=2
3305*/
059ec3d9 3306/* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.