Final tidyout of EXPERIMENTAL_PRDR
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5a66c31b 5/* Copyright (c) University of Cambridge 1995 - 2014 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP
10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP
14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
16Mavroyanopoulos. The revamp is partially a rewrite, partially cut&paste as
17appropriate.
059ec3d9 18
17c76198
PP
19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP
24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP
27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP
32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP
37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
a5f239e4
PP
42/* needed to disable PKCS11 autoload unless requested */
43#if GNUTLS_VERSION_NUMBER >= 0x020c00
44# include <gnutls/pkcs11.h>
45#endif
2b4a568d
JH
46#ifdef EXPERIMENTAL_OCSP
47# include <gnutls/ocsp.h>
48#endif
059ec3d9 49
17c76198 50/* GnuTLS 2 vs 3
059ec3d9 51
17c76198
PP
52GnuTLS 3 only:
53 gnutls_global_set_audit_log_function()
059ec3d9 54
17c76198
PP
55Changes:
56 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
57*/
059ec3d9 58
17c76198 59/* Local static variables for GnuTLS */
059ec3d9 60
17c76198 61/* Values for verify_requirement */
059ec3d9 62
17c76198 63enum peer_verify_requirement { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
059ec3d9 64
17c76198
PP
65/* This holds most state for server or client; with this, we can set up an
66outbound TLS-enabled connection in an ACL callout, while not stomping all
67over the TLS variables available for expansion.
059ec3d9 68
17c76198
PP
69Some of these correspond to variables in globals.c; those variables will
70be set to point to content in one of these instances, as appropriate for
71the stage of the process lifetime.
059ec3d9 72
389ca47a 73Not handled here: global tls_channelbinding_b64.
17c76198 74*/
059ec3d9 75
17c76198 76typedef struct exim_gnutls_state {
9d1c15ef 77 gnutls_session_t session;
17c76198 78 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 79 gnutls_priority_t priority_cache;
17c76198 80 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH
81 int fd_in;
82 int fd_out;
83 BOOL peer_cert_verified;
84 BOOL trigger_sni_changes;
85 BOOL have_set_peerdn;
17c76198 86 const struct host_item *host;
9d1c15ef
JH
87 gnutls_x509_crt_t peercert;
88 uschar *peerdn;
89 uschar *ciphersuite;
90 uschar *received_sni;
17c76198
PP
91
92 const uschar *tls_certificate;
93 const uschar *tls_privatekey;
94 const uschar *tls_sni; /* client send only, not received */
95 const uschar *tls_verify_certificates;
96 const uschar *tls_crl;
97 const uschar *tls_require_ciphers;
98 uschar *exp_tls_certificate;
99 uschar *exp_tls_privatekey;
100 uschar *exp_tls_sni;
101 uschar *exp_tls_verify_certificates;
102 uschar *exp_tls_crl;
103 uschar *exp_tls_require_ciphers;
44662487 104 uschar *exp_tls_ocsp_file;
17c76198 105
389ca47a 106 tls_support *tlsp; /* set in tls_init() */
817d9f57 107
17c76198
PP
108 uschar *xfer_buffer;
109 int xfer_buffer_lwm;
110 int xfer_buffer_hwm;
111 int xfer_eof;
112 int xfer_error;
17c76198
PP
113} exim_gnutls_state_st;
114
115static const exim_gnutls_state_st exim_gnutls_state_init = {
4fe99a6c 116 NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
75fe387d 117 NULL, NULL, NULL, NULL,
17c76198 118 NULL, NULL, NULL, NULL, NULL, NULL,
44662487 119 NULL, NULL, NULL, NULL, NULL, NULL, NULL,
817d9f57 120 NULL,
17c76198 121 NULL, 0, 0, 0, 0,
17c76198 122};
83da1223 123
17c76198
PP
124/* Not only do we have our own APIs which don't pass around state, assuming
125it's held in globals, GnuTLS doesn't appear to let us register callback data
126for callbacks, or as part of the session, so we have to keep a "this is the
127context we're currently dealing with" pointer and rely upon being
128single-threaded to keep from processing data on an inbound TLS connection while
129talking to another TLS connection for an outbound check. This does mean that
130there's no way for heart-beats to be responded to, for the duration of the
131second connection. */
059ec3d9 132
17c76198 133static exim_gnutls_state_st state_server, state_client;
059ec3d9 134
17c76198
PP
135/* dh_params are initialised once within the lifetime of a process using TLS;
136if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
137don't want to repeat this. */
83da1223 138
17c76198 139static gnutls_dh_params_t dh_server_params = NULL;
059ec3d9 140
17c76198 141/* No idea how this value was chosen; preserving it. Default is 3600. */
059ec3d9 142
17c76198 143static const int ssl_session_timeout = 200;
059ec3d9 144
17c76198 145static const char * const exim_default_gnutls_priority = "NORMAL";
83da1223 146
17c76198 147/* Guard library core initialisation */
83da1223 148
17c76198 149static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 150
059ec3d9 151
17c76198 152/* ------------------------------------------------------------------------ */
17c76198 153/* macros */
83da1223 154
17c76198 155#define MAX_HOST_LEN 255
83da1223 156
17c76198
PP
157/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
158the library logging; a value less than 0 disables the calls to set up logging
159callbacks. */
2c17bb02 160#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
17c76198 161#define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 162#endif
83da1223 163
2c17bb02 164#ifndef EXIM_CLIENT_DH_MIN_BITS
bba74fc6 165#define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 166#endif
83da1223 167
af3498d6
PP
168/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
169can ask for a bit-strength. Without that, we stick to the constant we had
170before, for now. */
2c17bb02 171#ifndef EXIM_SERVER_DH_BITS_PRE2_12
af3498d6 172#define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 173#endif
af3498d6 174
17c76198
PP
175#define exim_gnutls_err_check(Label) do { \
176 if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)
059ec3d9 177
17c76198 178#define expand_check_tlsvar(Varname) expand_check(state->Varname, US #Varname, &state->exp_##Varname)
83da1223 179
17c76198
PP
180#if GNUTLS_VERSION_NUMBER >= 0x020c00
181#define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
af3498d6
PP
182#define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
183#define HAVE_GNUTLS_RND
2519e60d
TL
184/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
185 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
186 * isn't available sometimes, so this needs to become a conditional
187 * compilation; the sanest way to deal with this being a problem on
188 * older OSes is to block it in the Local/Makefile with this compiler
189 * definition */
190#ifndef AVOID_GNUTLS_PKCS11
a5f239e4 191#define HAVE_GNUTLS_PKCS11
2519e60d 192#endif /* AVOID_GNUTLS_PKCS11 */
17c76198 193#endif
83da1223 194
af3498d6
PP
195
196
197
198/* ------------------------------------------------------------------------ */
199/* Callback declarations */
200
201#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
202static void exim_gnutls_logger_cb(int level, const char *message);
203#endif
204
205static int exim_sni_handling_cb(gnutls_session_t session);
206
44662487
JH
207#ifdef EXPERIMENTAL_OCSP
208static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
209 gnutls_datum_t * ocsp_response);
210#endif
af3498d6
PP
211
212
213
17c76198
PP
214/* ------------------------------------------------------------------------ */
215/* Static functions */
059ec3d9
PH
216
217/*************************************************
218* Handle TLS error *
219*************************************************/
220
221/* Called from lots of places when errors occur before actually starting to do
222the TLS handshake, that is, while the session is still in clear. Always returns
223DEFER for a server and FAIL for a client so that most calls can use "return
224tls_error(...)" to do this processing and then give an appropriate return. A
225single function is used for both server and client, because it is called from
226some shared functions.
227
228Argument:
229 prefix text to include in the logged error
7199e1ee
TF
230 msg additional error string (may be NULL)
231 usually obtained from gnutls_strerror()
17c76198
PP
232 host NULL if setting up a server;
233 the connected host if setting up a client
059ec3d9
PH
234
235Returns: OK/DEFER/FAIL
236*/
237
238static int
17c76198 239tls_error(const uschar *prefix, const char *msg, const host_item *host)
059ec3d9 240{
17c76198
PP
241if (host)
242 {
243 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s)%s%s",
244 host->name, host->address, prefix, msg ? ": " : "", msg ? msg : "");
245 return FAIL;
246 }
247else
059ec3d9 248 {
7199e1ee 249 uschar *conn_info = smtp_get_connection_info();
17c76198 250 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee
TF
251 conn_info += 5;
252 log_write(0, LOG_MAIN, "TLS error on %s (%s)%s%s",
17c76198 253 conn_info, prefix, msg ? ": " : "", msg ? msg : "");
059ec3d9
PH
254 return DEFER;
255 }
059ec3d9
PH
256}
257
258
259
17c76198 260
059ec3d9 261/*************************************************
17c76198 262* Deal with logging errors during I/O *
059ec3d9
PH
263*************************************************/
264
17c76198 265/* We have to get the identity of the peer from saved data.
059ec3d9 266
17c76198
PP
267Argument:
268 state the current GnuTLS exim state container
269 rc the GnuTLS error code, or 0 if it's a local error
270 when text identifying read or write
271 text local error text when ec is 0
059ec3d9 272
17c76198 273Returns: nothing
059ec3d9
PH
274*/
275
17c76198
PP
276static void
277record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 278{
17c76198 279const char *msg;
059ec3d9 280
17c76198
PP
281if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
282 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
283 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
284else
285 msg = gnutls_strerror(rc);
059ec3d9 286
17c76198
PP
287tls_error(when, msg, state->host);
288}
059ec3d9 289
059ec3d9 290
059ec3d9 291
059ec3d9 292
17c76198
PP
293/*************************************************
294* Set various Exim expansion vars *
295*************************************************/
059ec3d9 296
9d1c15ef
JH
297#define exim_gnutls_cert_err(Label) do { \
298 if (rc != GNUTLS_E_SUCCESS) { \
299 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", (Label), gnutls_strerror(rc)); \
300 return rc; } } while (0)
301
302static int
303import_cert(const gnutls_datum * cert, gnutls_x509_crt_t * crtp)
304{
305int rc;
306
307rc = gnutls_x509_crt_init(crtp);
308exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
309
310rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
311exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
312
313return rc;
314}
315
316#undef exim_gnutls_cert_err
317
318
17c76198
PP
319/* We set various Exim global variables from the state, once a session has
320been established. With TLS callouts, may need to change this to stack
321variables, or just re-call it with the server state after client callout
322has finished.
059ec3d9 323
9d1c15ef 324Make sure anything set here is unset in tls_getc().
17c76198
PP
325
326Sets:
327 tls_active fd
328 tls_bits strength indicator
329 tls_certificate_verified bool indicator
330 tls_channelbinding_b64 for some SASL mechanisms
331 tls_cipher a string
9d1c15ef 332 tls_peercert pointer to library internal
17c76198
PP
333 tls_peerdn a string
334 tls_sni a (UTF-8) string
9d1c15ef 335 tls_ourcert pointer to library internal
17c76198
PP
336
337Argument:
338 state the relevant exim_gnutls_state_st *
339*/
340
341static void
9d1c15ef 342extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 343{
17c76198 344gnutls_cipher_algorithm_t cipher;
17c76198
PP
345#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
346int old_pool;
347int rc;
348gnutls_datum_t channel;
349#endif
9d1c15ef 350tls_support * tlsp = state->tlsp;
17c76198 351
9d1c15ef 352tlsp->active = state->fd_out;
17c76198
PP
353
354cipher = gnutls_cipher_get(state->session);
355/* returns size in "bytes" */
9d1c15ef 356tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
17c76198 357
9d1c15ef 358tlsp->cipher = state->ciphersuite;
17c76198 359
817d9f57 360DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 361
9d1c15ef 362tlsp->certificate_verified = state->peer_cert_verified;
059ec3d9 363
17c76198
PP
364/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
365only available for use for authenticators while this TLS session is running. */
366
367tls_channelbinding_b64 = NULL;
368#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
369channel.data = NULL;
370channel.size = 0;
371rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
372if (rc) {
373 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
374} else {
375 old_pool = store_pool;
376 store_pool = POOL_PERM;
377 tls_channelbinding_b64 = auth_b64encode(channel.data, (int)channel.size);
378 store_pool = old_pool;
379 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
380}
381#endif
382
9d1c15ef
JH
383/* peercert is set in peer_status() */
384tlsp->peerdn = state->peerdn;
385tlsp->sni = state->received_sni;
386
387/* record our certificate */
388 {
389 const gnutls_datum * cert = gnutls_certificate_get_ours(state->session);
390 gnutls_x509_crt_t crt;
391
392 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
393 }
059ec3d9
PH
394}
395
396
397
17c76198 398
059ec3d9 399/*************************************************
575643cd 400* Setup up DH parameters *
059ec3d9
PH
401*************************************************/
402
575643cd 403/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH
404be re-generated every so often, depending on security policy. What we do is to
405keep these parameters in a file in the spool directory. If the file does not
406exist, we generate them. This means that it is easy to cause a regeneration.
407
408The new file is written as a temporary file and renamed, so that an incomplete
409file is never present. If two processes both compute some new parameters, you
410waste a bit of effort, but it doesn't seem worth messing around with locking to
411prevent this.
412
059ec3d9
PH
413Returns: OK/DEFER/FAIL
414*/
415
416static int
17c76198 417init_server_dh(void)
059ec3d9 418{
17c76198
PP
419int fd, rc;
420unsigned int dh_bits;
b5aea5e1 421gnutls_datum m;
a799883d
PP
422uschar filename_buf[PATH_MAX];
423uschar *filename = NULL;
17c76198 424size_t sz;
a799883d
PP
425uschar *exp_tls_dhparam;
426BOOL use_file_in_spool = FALSE;
427BOOL use_fixed_file = FALSE;
17c76198 428host_item *host = NULL; /* dummy for macros */
059ec3d9 429
17c76198 430DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 431
17c76198
PP
432rc = gnutls_dh_params_init(&dh_server_params);
433exim_gnutls_err_check(US"gnutls_dh_params_init");
059ec3d9 434
a799883d
PP
435m.data = NULL;
436m.size = 0;
437
438if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam))
439 return DEFER;
440
441if (!exp_tls_dhparam)
442 {
443 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
444 m.data = US std_dh_prime_default();
445 m.size = Ustrlen(m.data);
446 }
447else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
448 use_file_in_spool = TRUE;
449else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
450 {
451 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
452 return OK;
453 }
454else if (exp_tls_dhparam[0] != '/')
455 {
456 m.data = US std_dh_prime_named(exp_tls_dhparam);
457 if (m.data == NULL)
458 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL);
459 m.size = Ustrlen(m.data);
460 }
461else
462 {
463 use_fixed_file = TRUE;
464 filename = exp_tls_dhparam;
465 }
466
467if (m.data)
468 {
469 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
470 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
471 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
472 return OK;
473 }
474
af3498d6
PP
475#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
476/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198
PP
477different filename and ensure we have sufficient bits. */
478dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
479if (!dh_bits)
480 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL);
af3498d6 481DEBUG(D_tls)
b34fc30c 482 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP
483 dh_bits);
484#else
485dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
486DEBUG(D_tls)
487 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
488 dh_bits);
489#endif
059ec3d9 490
3375e053
PP
491/* Some clients have hard-coded limits. */
492if (dh_bits > tls_dh_max_bits)
493 {
494 DEBUG(D_tls)
495 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
496 tls_dh_max_bits);
497 dh_bits = tls_dh_max_bits;
498 }
499
a799883d
PP
500if (use_file_in_spool)
501 {
502 if (!string_format(filename_buf, sizeof(filename_buf),
503 "%s/gnutls-params-%d", spool_directory, dh_bits))
504 return tls_error(US"overlong filename", NULL, NULL);
505 filename = filename_buf;
506 }
059ec3d9 507
b5aea5e1 508/* Open the cache file for reading and if successful, read it and set up the
575643cd 509parameters. */
059ec3d9
PH
510
511fd = Uopen(filename, O_RDONLY, 0);
b5aea5e1 512if (fd >= 0)
059ec3d9 513 {
b5aea5e1 514 struct stat statbuf;
17c76198
PP
515 FILE *fp;
516 int saved_errno;
517
518 if (fstat(fd, &statbuf) < 0) /* EIO */
519 {
520 saved_errno = errno;
521 (void)close(fd);
522 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL);
523 }
524 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH
525 {
526 (void)close(fd);
17c76198
PP
527 return tls_error(US"TLS cache not a file", NULL, NULL);
528 }
529 fp = fdopen(fd, "rb");
530 if (!fp)
531 {
532 saved_errno = errno;
533 (void)close(fd);
534 return tls_error(US"fdopen(TLS cache stat fd) failed",
535 strerror(saved_errno), NULL);
b5aea5e1 536 }
059ec3d9 537
b5aea5e1
PH
538 m.size = statbuf.st_size;
539 m.data = malloc(m.size);
540 if (m.data == NULL)
17c76198
PP
541 {
542 fclose(fp);
543 return tls_error(US"malloc failed", strerror(errno), NULL);
544 }
545 sz = fread(m.data, m.size, 1, fp);
546 if (!sz)
547 {
548 saved_errno = errno;
549 fclose(fp);
550 free(m.data);
551 return tls_error(US"fread failed", strerror(saved_errno), NULL);
552 }
553 fclose(fp);
b5aea5e1 554
17c76198 555 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
b5aea5e1 556 free(m.data);
17c76198
PP
557 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
558 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH
559 }
560
561/* If the file does not exist, fall through to compute new data and cache it.
562If there was any other opening error, it is serious. */
563
182ad5cf
PH
564else if (errno == ENOENT)
565 {
17c76198 566 rc = -1;
182ad5cf 567 DEBUG(D_tls)
17c76198 568 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH
569 }
570else
17c76198
PP
571 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
572 NULL, NULL);
b5aea5e1
PH
573
574/* If ret < 0, either the cache file does not exist, or the data it contains
575is not useful. One particular case of this is when upgrading from an older
576release of Exim in which the data was stored in a different format. We don't
577try to be clever and support both formats; we just regenerate new data in this
578case. */
579
17c76198 580if (rc < 0)
b5aea5e1 581 {
17c76198 582 uschar *temp_fn;
201f5254 583 unsigned int dh_bits_gen = dh_bits;
059ec3d9 584
17c76198
PP
585 if ((PATH_MAX - Ustrlen(filename)) < 10)
586 return tls_error(US"Filename too long to generate replacement",
587 CS filename, NULL);
059ec3d9 588
17c76198
PP
589 temp_fn = string_copy(US "%s.XXXXXXX");
590 fd = mkstemp(CS temp_fn); /* modifies temp_fn */
059ec3d9 591 if (fd < 0)
17c76198 592 return tls_error(US"Unable to open temp file", strerror(errno), NULL);
059ec3d9
PH
593 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
594
201f5254
PP
595 /* GnuTLS overshoots!
596 * If we ask for 2236, we might get 2237 or more.
597 * But there's no way to ask GnuTLS how many bits there really are.
598 * We can ask how many bits were used in a TLS session, but that's it!
599 * The prime itself is hidden behind too much abstraction.
600 * So we ask for less, and proceed on a wing and a prayer.
601 * First attempt, subtracted 3 for 2233 and got 2240.
602 */
cae6e576 603 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP
604 {
605 dh_bits_gen = dh_bits - 10;
606 DEBUG(D_tls)
607 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
608 dh_bits_gen);
609 }
610
611 DEBUG(D_tls)
612 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
613 dh_bits_gen);
614 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
17c76198
PP
615 exim_gnutls_err_check(US"gnutls_dh_params_generate2");
616
617 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
618 and I confirmed that a NULL call to get the size first is how the GnuTLS
619 sample apps handle this. */
620
621 sz = 0;
622 m.data = NULL;
623 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
624 m.data, &sz);
625 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
626 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3(NULL) sizing");
627 m.size = sz;
b5aea5e1
PH
628 m.data = malloc(m.size);
629 if (m.data == NULL)
17c76198 630 return tls_error(US"memory allocation failed", strerror(errno), NULL);
1f00591e 631 /* this will return a size 1 less than the allocation size above */
17c76198 632 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
1f00591e 633 m.data, &sz);
17c76198
PP
634 if (rc != GNUTLS_E_SUCCESS)
635 {
636 free(m.data);
637 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3() real");
638 }
1f00591e 639 m.size = sz; /* shrink by 1, probably */
059ec3d9 640
17c76198
PP
641 sz = write_to_fd_buf(fd, m.data, (size_t) m.size);
642 if (sz != m.size)
643 {
644 free(m.data);
645 return tls_error(US"TLS cache write D-H params failed",
646 strerror(errno), NULL);
647 }
b5aea5e1 648 free(m.data);
17c76198
PP
649 sz = write_to_fd_buf(fd, US"\n", 1);
650 if (sz != 1)
651 return tls_error(US"TLS cache write D-H params final newline failed",
652 strerror(errno), NULL);
653
654 rc = close(fd);
655 if (rc)
656 return tls_error(US"TLS cache write close() failed",
657 strerror(errno), NULL);
059ec3d9 658
17c76198
PP
659 if (Urename(temp_fn, filename) < 0)
660 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
661 temp_fn, filename), strerror(errno), NULL);
059ec3d9 662
17c76198 663 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH
664 }
665
17c76198 666DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH
667return OK;
668}
669
670
671
672
673/*************************************************
17c76198 674* Variables re-expanded post-SNI *
059ec3d9
PH
675*************************************************/
676
17c76198
PP
677/* Called from both server and client code, via tls_init(), and also from
678the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
679
680We can tell the two apart by state->received_sni being non-NULL in callback.
681
682The callback should not call us unless state->trigger_sni_changes is true,
683which we are responsible for setting on the first pass through.
059ec3d9
PH
684
685Arguments:
17c76198 686 state exim_gnutls_state_st *
059ec3d9
PH
687
688Returns: OK/DEFER/FAIL
689*/
690
691static int
17c76198 692tls_expand_session_files(exim_gnutls_state_st *state)
059ec3d9 693{
1365611d 694struct stat statbuf;
059ec3d9 695int rc;
17c76198
PP
696const host_item *host = state->host; /* macro should be reconsidered? */
697uschar *saved_tls_certificate = NULL;
698uschar *saved_tls_privatekey = NULL;
699uschar *saved_tls_verify_certificates = NULL;
700uschar *saved_tls_crl = NULL;
701int cert_count;
702
703/* We check for tls_sni *before* expansion. */
2b4a568d 704if (!host) /* server */
17c76198
PP
705 {
706 if (!state->received_sni)
707 {
d9b2312b
JH
708 if (state->tls_certificate &&
709 (Ustrstr(state->tls_certificate, US"tls_sni") ||
710 Ustrstr(state->tls_certificate, US"tls_in_sni") ||
711 Ustrstr(state->tls_certificate, US"tls_out_sni")
712 ))
17c76198
PP
713 {
714 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
715 state->trigger_sni_changes = TRUE;
716 }
717 }
718 else
719 {
1365611d 720 /* useful for debugging */
17c76198
PP
721 saved_tls_certificate = state->exp_tls_certificate;
722 saved_tls_privatekey = state->exp_tls_privatekey;
723 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
724 saved_tls_crl = state->exp_tls_crl;
725 }
726 }
059ec3d9 727
1365611d
PP
728rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
729exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
730
17c76198
PP
731/* remember: expand_check_tlsvar() is expand_check() but fiddling with
732state members, assuming consistent naming; and expand_check() returns
733false if expansion failed, unless expansion was forced to fail. */
059ec3d9 734
17c76198
PP
735/* check if we at least have a certificate, before doing expensive
736D-H generation. */
059ec3d9 737
17c76198
PP
738if (!expand_check_tlsvar(tls_certificate))
739 return DEFER;
059ec3d9 740
17c76198 741/* certificate is mandatory in server, optional in client */
059ec3d9 742
17c76198
PP
743if ((state->exp_tls_certificate == NULL) ||
744 (*state->exp_tls_certificate == '\0'))
745 {
2b4a568d 746 if (!host)
17c76198
PP
747 return tls_error(US"no TLS server certificate is specified", NULL, NULL);
748 else
749 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
750 }
059ec3d9 751
17c76198 752if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
059ec3d9
PH
753 return DEFER;
754
17c76198
PP
755/* tls_privatekey is optional, defaulting to same file as certificate */
756
757if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
059ec3d9 758 {
17c76198
PP
759 state->tls_privatekey = state->tls_certificate;
760 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 761 }
c91535f3 762
059ec3d9 763
17c76198 764if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH
765 {
766 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP
767 state->exp_tls_certificate, state->exp_tls_privatekey);
768
769 if (state->received_sni)
de365ded 770 {
17c76198
PP
771 if ((Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0) &&
772 (Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0))
773 {
b34fc30c 774 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP
775 }
776 else
777 {
b34fc30c 778 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 779 }
8e669ac1 780 }
059ec3d9 781
1365611d
PP
782 rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
783 CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
784 GNUTLS_X509_FMT_PEM);
785 exim_gnutls_err_check(
786 string_sprintf("cert/key setup: cert=%s key=%s",
787 state->exp_tls_certificate, state->exp_tls_privatekey));
788 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
b34fc30c 789 } /* tls_certificate */
059ec3d9 790
2b4a568d
JH
791
792/* Set the OCSP stapling server info */
793
794#ifdef EXPERIMENTAL_OCSP
795if ( !host /* server */
796 && tls_ocsp_file
797 )
798 {
44662487
JH
799 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
800 &state->exp_tls_ocsp_file))
2b4a568d
JH
801 return DEFER;
802
44662487
JH
803 /* Use the full callback method for stapling just to get observability.
804 More efficient would be to read the file once only, if it never changed
805 (due to SNI). Would need restart on file update, or watch datestamp. */
806
807 gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
808 server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
2b4a568d 809
44662487 810 DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", &state->exp_tls_ocsp_file);
2b4a568d
JH
811 }
812#endif
813
814
059ec3d9
PH
815/* Set the trusted CAs file if one is provided, and then add the CRL if one is
816provided. Experiment shows that, if the certificate file is empty, an unhelpful
817error message is provided. However, if we just refrain from setting anything up
818in that case, certificate verification fails, which seems to be the correct
819behaviour. */
820
17c76198 821if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 822 {
17c76198 823 if (!expand_check_tlsvar(tls_verify_certificates))
059ec3d9 824 return DEFER;
17c76198
PP
825 if (state->tls_crl && *state->tls_crl)
826 if (!expand_check_tlsvar(tls_crl))
827 return DEFER;
059ec3d9 828
1365611d
PP
829 if (!(state->exp_tls_verify_certificates &&
830 *state->exp_tls_verify_certificates))
b34fc30c
PP
831 {
832 DEBUG(D_tls)
1365611d
PP
833 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
834 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 835 return OK;
b34fc30c 836 }
1365611d 837 }
83e2f8a2
PP
838else
839 {
840 DEBUG(D_tls)
841 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
842 return OK;
843 }
17c76198 844
1365611d
PP
845if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
846 {
847 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
848 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
849 strerror(errno));
850 return DEFER;
851 }
17c76198 852
619b2b25
PP
853/* The test suite passes in /dev/null; we could check for that path explicitly,
854but who knows if someone has some weird FIFO which always dumps some certs, or
855other weirdness. The thing we really want to check is that it's not a
856directory, since while OpenSSL supports that, GnuTLS does not.
857So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
858if (S_ISDIR(statbuf.st_mode))
1365611d
PP
859 {
860 DEBUG(D_tls)
619b2b25
PP
861 debug_printf("verify certificates path is a dir: \"%s\"\n",
862 state->exp_tls_verify_certificates);
1365611d 863 log_write(0, LOG_MAIN|LOG_PANIC,
619b2b25 864 "tls_verify_certificates \"%s\" is a directory",
1365611d
PP
865 state->exp_tls_verify_certificates);
866 return DEFER;
867 }
059ec3d9 868
1365611d
PP
869DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
870 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 871
1365611d
PP
872if (statbuf.st_size == 0)
873 {
874 DEBUG(D_tls)
875 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
876 return OK;
877 }
059ec3d9 878
1365611d
PP
879cert_count = gnutls_certificate_set_x509_trust_file(state->x509_cred,
880 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
881if (cert_count < 0)
882 {
883 rc = cert_count;
884 exim_gnutls_err_check(US"gnutls_certificate_set_x509_trust_file");
885 }
886DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 887
5c8cda3a
PP
888if (state->tls_crl && *state->tls_crl &&
889 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 890 {
5c8cda3a
PP
891 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
892 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
893 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
894 if (cert_count < 0)
1365611d 895 {
5c8cda3a 896 rc = cert_count;
1365611d
PP
897 exim_gnutls_err_check(US"gnutls_certificate_set_x509_crl_file");
898 }
5c8cda3a 899 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 900 }
059ec3d9 901
059ec3d9
PH
902return OK;
903}
904
905
906
907
908/*************************************************
1365611d
PP
909* Set X.509 state variables *
910*************************************************/
911
912/* In GnuTLS, the registered cert/key are not replaced by a later
913set of a cert/key, so for SNI support we need a whole new x509_cred
914structure. Which means various other non-re-expanded pieces of state
915need to be re-set in the new struct, so the setting logic is pulled
916out to this.
917
918Arguments:
919 state exim_gnutls_state_st *
920
921Returns: OK/DEFER/FAIL
922*/
923
924static int
925tls_set_remaining_x509(exim_gnutls_state_st *state)
926{
927int rc;
928const host_item *host = state->host; /* macro should be reconsidered? */
929
930/* Create D-H parameters, or read them from the cache file. This function does
931its own SMTP error messaging. This only happens for the server, TLS D-H ignores
932client-side params. */
933
934if (!state->host)
935 {
936 if (!dh_server_params)
937 {
938 rc = init_server_dh();
939 if (rc != OK) return rc;
940 }
941 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
942 }
943
944/* Link the credentials to the session. */
945
946rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
947exim_gnutls_err_check(US"gnutls_credentials_set");
948
949return OK;
950}
951
952/*************************************************
17c76198 953* Initialize for GnuTLS *
059ec3d9
PH
954*************************************************/
955
17c76198
PP
956/* Called from both server and client code. In the case of a server, errors
957before actual TLS negotiation return DEFER.
059ec3d9
PH
958
959Arguments:
17c76198
PP
960 host connected host, if client; NULL if server
961 certificate certificate file
962 privatekey private key file
963 sni TLS SNI to send, sometimes when client; else NULL
964 cas CA certs file
965 crl CRL file
966 require_ciphers tls_require_ciphers setting
817d9f57 967 caller_state returned state-info structure
059ec3d9 968
17c76198 969Returns: OK/DEFER/FAIL
059ec3d9
PH
970*/
971
17c76198
PP
972static int
973tls_init(
974 const host_item *host,
975 const uschar *certificate,
976 const uschar *privatekey,
977 const uschar *sni,
978 const uschar *cas,
979 const uschar *crl,
980 const uschar *require_ciphers,
981 exim_gnutls_state_st **caller_state)
059ec3d9 982{
17c76198
PP
983exim_gnutls_state_st *state;
984int rc;
985size_t sz;
986const char *errpos;
987uschar *p;
988BOOL want_default_priorities;
989
990if (!exim_gnutls_base_init_done)
059ec3d9 991 {
17c76198
PP
992 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
993
a5f239e4
PP
994#ifdef HAVE_GNUTLS_PKCS11
995 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
996 which loads modules from a config file, which sounds good and may be wanted
997 by some sysadmin, but also means in common configurations that GNOME keyring
998 environment variables are used and so breaks for users calling mailq.
999 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1000 if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP
1001 {
1002 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
1003 exim_gnutls_err_check(US"gnutls_pkcs11_init");
1004 }
1005#endif
1006
17c76198
PP
1007 rc = gnutls_global_init();
1008 exim_gnutls_err_check(US"gnutls_global_init");
1009
1010#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1011 DEBUG(D_tls)
059ec3d9 1012 {
17c76198
PP
1013 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1014 /* arbitrarily chosen level; bump upto 9 for more */
1015 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1016 }
17c76198
PP
1017#endif
1018
1019 exim_gnutls_base_init_done = TRUE;
059ec3d9 1020 }
059ec3d9 1021
17c76198
PP
1022if (host)
1023 {
1024 state = &state_client;
1025 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
817d9f57 1026 state->tlsp = &tls_out;
17c76198
PP
1027 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1028 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1029 }
1030else
1031 {
1032 state = &state_server;
1033 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
817d9f57 1034 state->tlsp = &tls_in;
17c76198
PP
1035 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1036 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1037 }
1038exim_gnutls_err_check(US"gnutls_init");
059ec3d9 1039
17c76198 1040state->host = host;
059ec3d9 1041
17c76198
PP
1042state->tls_certificate = certificate;
1043state->tls_privatekey = privatekey;
5779e6aa 1044state->tls_require_ciphers = require_ciphers;
17c76198
PP
1045state->tls_sni = sni;
1046state->tls_verify_certificates = cas;
1047state->tls_crl = crl;
059ec3d9 1048
17c76198
PP
1049/* This handles the variables that might get re-expanded after TLS SNI;
1050that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1051
17c76198
PP
1052DEBUG(D_tls)
1053 debug_printf("Expanding various TLS configuration options for session credentials.\n");
1054rc = tls_expand_session_files(state);
1055if (rc != OK) return rc;
059ec3d9 1056
1365611d
PP
1057/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1058requires a new structure afterwards. */
83da1223 1059
1365611d
PP
1060rc = tls_set_remaining_x509(state);
1061if (rc != OK) return rc;
83da1223 1062
17c76198
PP
1063/* set SNI in client, only */
1064if (host)
1065 {
a5f239e4 1066 if (!expand_check(state->tlsp->sni, US"tls_out_sni", &state->exp_tls_sni))
17c76198
PP
1067 return DEFER;
1068 if (state->exp_tls_sni && *state->exp_tls_sni)
1069 {
1070 DEBUG(D_tls)
1071 debug_printf("Setting TLS client SNI to \"%s\"\n", state->exp_tls_sni);
1072 sz = Ustrlen(state->exp_tls_sni);
1073 rc = gnutls_server_name_set(state->session,
1074 GNUTLS_NAME_DNS, state->exp_tls_sni, sz);
1075 exim_gnutls_err_check(US"gnutls_server_name_set");
1076 }
1077 }
1078else if (state->tls_sni)
1079 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1080 "have an SNI set for a client [%s]\n", state->tls_sni);
83da1223 1081
17c76198 1082/* This is the priority string support,
42bfef1e 1083http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP
1084and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1085This was backwards incompatible, but means Exim no longer needs to track
1086all algorithms and provide string forms for them. */
83da1223 1087
17c76198 1088want_default_priorities = TRUE;
83da1223 1089
17c76198 1090if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1091 {
17c76198
PP
1092 if (!expand_check_tlsvar(tls_require_ciphers))
1093 return DEFER;
1094 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1095 {
17c76198
PP
1096 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1097 state->exp_tls_require_ciphers);
1098
1099 rc = gnutls_priority_init(&state->priority_cache,
1100 CS state->exp_tls_require_ciphers, &errpos);
1101 want_default_priorities = FALSE;
1102 p = state->exp_tls_require_ciphers;
83da1223
PH
1103 }
1104 }
17c76198
PP
1105if (want_default_priorities)
1106 {
83e2f8a2
PP
1107 DEBUG(D_tls)
1108 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1109 exim_default_gnutls_priority);
17c76198
PP
1110 rc = gnutls_priority_init(&state->priority_cache,
1111 exim_default_gnutls_priority, &errpos);
1112 p = US exim_default_gnutls_priority;
1113 }
83da1223 1114
17c76198
PP
1115exim_gnutls_err_check(string_sprintf(
1116 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1117 p, errpos - CS p, errpos));
1118
1119rc = gnutls_priority_set(state->session, state->priority_cache);
1120exim_gnutls_err_check(US"gnutls_priority_set");
1121
1122gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1123
1124/* Reduce security in favour of increased compatibility, if the admin
1125decides to make that trade-off. */
1126if (gnutls_compat_mode)
83da1223 1127 {
17c76198
PP
1128#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1129 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1130 gnutls_session_enable_compatibility_mode(state->session);
1131#else
1132 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1133#endif
83da1223
PH
1134 }
1135
17c76198 1136*caller_state = state;
17c76198 1137return OK;
83da1223
PH
1138}
1139
1140
1141
83da1223 1142/*************************************************
17c76198 1143* Extract peer information *
059ec3d9
PH
1144*************************************************/
1145
17c76198 1146/* Called from both server and client code.
4fe99a6c
PP
1147Only this is allowed to set state->peerdn and state->have_set_peerdn
1148and we use that to detect double-calls.
059ec3d9 1149
75fe387d
PP
1150NOTE: the state blocks last while the TLS connection is up, which is fine
1151for logging in the server side, but for the client side, we log after teardown
1152in src/deliver.c. While the session is up, we can twist about states and
1153repoint tls_* globals, but those variables used for logging or other variable
1154expansion that happens _after_ delivery need to have a longer life-time.
1155
1156So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1157doing this more than once per generation of a state context. We set them in
1158the state context, and repoint tls_* to them. After the state goes away, the
1159tls_* copies of the pointers remain valid and client delivery logging is happy.
1160
1161tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1162don't apply.
1163
059ec3d9 1164Arguments:
17c76198 1165 state exim_gnutls_state_st *
059ec3d9 1166
17c76198 1167Returns: OK/DEFER/FAIL
059ec3d9
PH
1168*/
1169
17c76198
PP
1170static int
1171peer_status(exim_gnutls_state_st *state)
059ec3d9 1172{
75fe387d 1173uschar cipherbuf[256];
17c76198 1174const gnutls_datum *cert_list;
75fe387d 1175int old_pool, rc;
17c76198 1176unsigned int cert_list_size = 0;
4fe99a6c
PP
1177gnutls_protocol_t protocol;
1178gnutls_cipher_algorithm_t cipher;
1179gnutls_kx_algorithm_t kx;
1180gnutls_mac_algorithm_t mac;
17c76198
PP
1181gnutls_certificate_type_t ct;
1182gnutls_x509_crt_t crt;
4fe99a6c 1183uschar *p, *dn_buf;
17c76198 1184size_t sz;
059ec3d9 1185
4fe99a6c 1186if (state->have_set_peerdn)
17c76198 1187 return OK;
4fe99a6c 1188state->have_set_peerdn = TRUE;
059ec3d9 1189
4fe99a6c 1190state->peerdn = NULL;
059ec3d9 1191
4fe99a6c
PP
1192/* tls_cipher */
1193cipher = gnutls_cipher_get(state->session);
1194protocol = gnutls_protocol_get_version(state->session);
1195mac = gnutls_mac_get(state->session);
1196kx = gnutls_kx_get(state->session);
1197
75fe387d 1198string_format(cipherbuf, sizeof(cipherbuf),
4fe99a6c
PP
1199 "%s:%s:%d",
1200 gnutls_protocol_get_name(protocol),
1201 gnutls_cipher_suite_get_name(kx, cipher, mac),
1202 (int) gnutls_cipher_get_key_size(cipher) * 8);
1203
1204/* I don't see a way that spaces could occur, in the current GnuTLS
1205code base, but it was a concern in the old code and perhaps older GnuTLS
1206releases did return "TLS 1.0"; play it safe, just in case. */
75fe387d 1207for (p = cipherbuf; *p != '\0'; ++p)
4fe99a6c
PP
1208 if (isspace(*p))
1209 *p = '-';
75fe387d
PP
1210old_pool = store_pool;
1211store_pool = POOL_PERM;
1212state->ciphersuite = string_copy(cipherbuf);
1213store_pool = old_pool;
817d9f57 1214state->tlsp->cipher = state->ciphersuite;
4fe99a6c
PP
1215
1216/* tls_peerdn */
17c76198 1217cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
83da1223 1218
17c76198
PP
1219if (cert_list == NULL || cert_list_size == 0)
1220 {
17c76198
PP
1221 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1222 cert_list, cert_list_size);
1223 if (state->verify_requirement == VERIFY_REQUIRED)
1224 return tls_error(US"certificate verification failed",
1225 "no certificate received from peer", state->host);
1226 return OK;
1227 }
059ec3d9 1228
17c76198
PP
1229ct = gnutls_certificate_type_get(state->session);
1230if (ct != GNUTLS_CRT_X509)
059ec3d9 1231 {
17c76198 1232 const char *ctn = gnutls_certificate_type_get_name(ct);
17c76198
PP
1233 DEBUG(D_tls)
1234 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
1235 if (state->verify_requirement == VERIFY_REQUIRED)
1236 return tls_error(US"certificate verification not possible, unhandled type",
1237 ctn, state->host);
1238 return OK;
83da1223 1239 }
059ec3d9 1240
17c76198
PP
1241#define exim_gnutls_peer_err(Label) do { \
1242 if (rc != GNUTLS_E_SUCCESS) { \
1243 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", (Label), gnutls_strerror(rc)); \
1244 if (state->verify_requirement == VERIFY_REQUIRED) { return tls_error((Label), gnutls_strerror(rc), state->host); } \
1245 return OK; } } while (0)
1246
9d1c15ef
JH
1247rc = import_cert(&cert_list[0], &crt);
1248exim_gnutls_peer_err(US"cert 0");
1249
1250state->tlsp->peercert = state->peercert = crt;
17c76198 1251
17c76198
PP
1252sz = 0;
1253rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1254if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1255 {
17c76198
PP
1256 exim_gnutls_peer_err(US"getting size for cert DN failed");
1257 return FAIL; /* should not happen */
059ec3d9 1258 }
17c76198
PP
1259dn_buf = store_get_perm(sz);
1260rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1261exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1262
17c76198
PP
1263state->peerdn = dn_buf;
1264
1265return OK;
1266#undef exim_gnutls_peer_err
1267}
059ec3d9 1268
059ec3d9 1269
059ec3d9 1270
059ec3d9 1271
17c76198
PP
1272/*************************************************
1273* Verify peer certificate *
1274*************************************************/
059ec3d9 1275
17c76198
PP
1276/* Called from both server and client code.
1277*Should* be using a callback registered with
1278gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1279the peer information, but that's too new for some OSes.
059ec3d9 1280
17c76198
PP
1281Arguments:
1282 state exim_gnutls_state_st *
1283 error where to put an error message
059ec3d9 1284
17c76198
PP
1285Returns:
1286 FALSE if the session should be rejected
1287 TRUE if the cert is okay or we just don't care
1288*/
059ec3d9 1289
17c76198
PP
1290static BOOL
1291verify_certificate(exim_gnutls_state_st *state, const char **error)
1292{
1293int rc;
1294unsigned int verify;
1295
1296*error = NULL;
1297
0a92f87f 1298if ((rc = peer_status(state)) != OK)
e6060e2c 1299 {
17c76198 1300 verify = GNUTLS_CERT_INVALID;
0a92f87f 1301 *error = "certificate not supplied";
17c76198
PP
1302 }
1303else
17c76198 1304 rc = gnutls_certificate_verify_peers2(state->session, &verify);
e6060e2c 1305
17c76198
PP
1306/* Handle the result of verification. INVALID seems to be set as well
1307as REVOKED, but leave the test for both. */
059ec3d9 1308
0a92f87f 1309if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
17c76198
PP
1310 {
1311 state->peer_cert_verified = FALSE;
0a92f87f
JH
1312 if (!*error)
1313 *error = verify & GNUTLS_CERT_REVOKED
1314 ? "certificate revoked" : "certificate invalid";
059ec3d9 1315
17c76198
PP
1316 DEBUG(D_tls)
1317 debug_printf("TLS certificate verification failed (%s): peerdn=%s\n",
4fe99a6c 1318 *error, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 1319
17c76198
PP
1320 if (state->verify_requirement == VERIFY_REQUIRED)
1321 {
1322 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1323 return FALSE;
1324 }
1325 DEBUG(D_tls)
4789da3a 1326 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198
PP
1327 }
1328else
1329 {
1330 state->peer_cert_verified = TRUE;
4fe99a6c
PP
1331 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=%s\n",
1332 state->peerdn ? state->peerdn : US"<unset>");
17c76198 1333 }
059ec3d9 1334
817d9f57 1335state->tlsp->peerdn = state->peerdn;
059ec3d9 1336
17c76198
PP
1337return TRUE;
1338}
059ec3d9 1339
17c76198
PP
1340
1341
1342
1343/* ------------------------------------------------------------------------ */
1344/* Callbacks */
1345
1346/* Logging function which can be registered with
1347 * gnutls_global_set_log_function()
1348 * gnutls_global_set_log_level() 0..9
1349 */
af3498d6 1350#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 1351static void
17c76198 1352exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 1353{
8c79eebf
PP
1354 size_t len = strlen(message);
1355 if (len < 1)
1356 {
1357 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1358 return;
1359 }
1360 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1361 message[len-1] == '\n' ? "" : "\n");
17c76198 1362}
af3498d6 1363#endif
059ec3d9 1364
059ec3d9 1365
17c76198
PP
1366/* Called after client hello, should handle SNI work.
1367This will always set tls_sni (state->received_sni) if available,
1368and may trigger presenting different certificates,
1369if state->trigger_sni_changes is TRUE.
059ec3d9 1370
17c76198
PP
1371Should be registered with
1372 gnutls_handshake_set_post_client_hello_function()
059ec3d9 1373
17c76198
PP
1374"This callback must return 0 on success or a gnutls error code to terminate the
1375handshake.".
059ec3d9 1376
17c76198
PP
1377For inability to get SNI information, we return 0.
1378We only return non-zero if re-setup failed.
817d9f57 1379Only used for server-side TLS.
17c76198 1380*/
44bbabb5 1381
17c76198
PP
1382static int
1383exim_sni_handling_cb(gnutls_session_t session)
1384{
1385char sni_name[MAX_HOST_LEN];
1386size_t data_len = MAX_HOST_LEN;
817d9f57 1387exim_gnutls_state_st *state = &state_server;
17c76198
PP
1388unsigned int sni_type;
1389int rc, old_pool;
1390
1391rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP
1392if (rc != GNUTLS_E_SUCCESS)
1393 {
1394 DEBUG(D_tls) {
1395 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1396 debug_printf("TLS: no SNI presented in handshake.\n");
1397 else
1398 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1399 gnutls_strerror(rc), rc);
1400 };
1401 return 0;
1402 }
1403
17c76198
PP
1404if (sni_type != GNUTLS_NAME_DNS)
1405 {
1406 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1407 return 0;
1408 }
44bbabb5 1409
17c76198
PP
1410/* We now have a UTF-8 string in sni_name */
1411old_pool = store_pool;
1412store_pool = POOL_PERM;
1413state->received_sni = string_copyn(US sni_name, data_len);
1414store_pool = old_pool;
1415
1416/* We set this one now so that variable expansions below will work */
817d9f57 1417state->tlsp->sni = state->received_sni;
17c76198
PP
1418
1419DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1420 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1421
1422if (!state->trigger_sni_changes)
1423 return 0;
1424
1425rc = tls_expand_session_files(state);
1426if (rc != OK)
1427 {
1428 /* If the setup of certs/etc failed before handshake, TLS would not have
1429 been offered. The best we can do now is abort. */
1430 return GNUTLS_E_APPLICATION_ERROR_MIN;
1431 }
1432
1365611d
PP
1433rc = tls_set_remaining_x509(state);
1434if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1435
1436return 0;
059ec3d9
PH
1437}
1438
1439
1440
44662487
JH
1441#ifdef EXPERIMENTAL_OCSP
1442
1443static int
1444server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1445 gnutls_datum_t * ocsp_response)
1446{
1447int ret;
1448
44662487
JH
1449if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1450 {
1451 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
1452 (char *)ptr);
018058b2 1453 tls_in.ocsp = OCSP_NOT_RESP;
44662487
JH
1454 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1455 }
1456
018058b2 1457tls_in.ocsp = OCSP_VFY_NOT_TRIED;
44662487
JH
1458return 0;
1459}
1460
1461#endif
1462
1463
1464
1465
17c76198
PP
1466
1467/* ------------------------------------------------------------------------ */
1468/* Exported functions */
1469
1470
1471
1472
059ec3d9
PH
1473/*************************************************
1474* Start a TLS session in a server *
1475*************************************************/
1476
1477/* This is called when Exim is running as a server, after having received
1478the STARTTLS command. It must respond to that command, and then negotiate
1479a TLS session.
1480
1481Arguments:
83da1223 1482 require_ciphers list of allowed ciphers or NULL
059ec3d9
PH
1483
1484Returns: OK on success
1485 DEFER for errors before the start of the negotiation
1486 FAIL for errors during the negotation; the server can't
1487 continue running.
1488*/
1489
1490int
17c76198 1491tls_server_start(const uschar *require_ciphers)
059ec3d9
PH
1492{
1493int rc;
7199e1ee 1494const char *error;
17c76198 1495exim_gnutls_state_st *state = NULL;
059ec3d9
PH
1496
1497/* Check for previous activation */
817d9f57 1498if (tls_in.active >= 0)
059ec3d9 1499 {
17c76198 1500 tls_error(US"STARTTLS received after TLS started", "", NULL);
059ec3d9
PH
1501 smtp_printf("554 Already in TLS\r\n");
1502 return FAIL;
1503 }
1504
1505/* Initialize the library. If it fails, it will already have logged the error
1506and sent an SMTP response. */
1507
17c76198 1508DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 1509
17c76198
PP
1510rc = tls_init(NULL, tls_certificate, tls_privatekey,
1511 NULL, tls_verify_certificates, tls_crl,
1512 require_ciphers, &state);
059ec3d9
PH
1513if (rc != OK) return rc;
1514
059ec3d9
PH
1515/* If this is a host for which certificate verification is mandatory or
1516optional, set up appropriately. */
1517
059ec3d9 1518if (verify_check_host(&tls_verify_hosts) == OK)
17c76198
PP
1519 {
1520 DEBUG(D_tls) debug_printf("TLS: a client certificate will be required.\n");
1521 state->verify_requirement = VERIFY_REQUIRED;
1522 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1523 }
059ec3d9 1524else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198
PP
1525 {
1526 DEBUG(D_tls) debug_printf("TLS: a client certificate will be requested but not required.\n");
1527 state->verify_requirement = VERIFY_OPTIONAL;
1528 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1529 }
1530else
1531 {
1532 DEBUG(D_tls) debug_printf("TLS: a client certificate will not be requested.\n");
1533 state->verify_requirement = VERIFY_NONE;
1534 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1535 }
059ec3d9 1536
17c76198
PP
1537/* Register SNI handling; always, even if not in tls_certificate, so that the
1538expansion variable $tls_sni is always available. */
059ec3d9 1539
17c76198
PP
1540gnutls_handshake_set_post_client_hello_function(state->session,
1541 exim_sni_handling_cb);
059ec3d9
PH
1542
1543/* Set context and tell client to go ahead, except in the case of TLS startup
1544on connection, where outputting anything now upsets the clients and tends to
1545make them disconnect. We need to have an explicit fflush() here, to force out
1546the response. Other smtp_printf() calls do not need it, because in non-TLS
1547mode, the fflush() happens when smtp_getc() is called. */
1548
817d9f57 1549if (!state->tlsp->on_connect)
059ec3d9
PH
1550 {
1551 smtp_printf("220 TLS go ahead\r\n");
9d1c15ef 1552 fflush(smtp_out);
059ec3d9
PH
1553 }
1554
1555/* Now negotiate the TLS session. We put our own timer on it, since it seems
1556that the GnuTLS library doesn't. */
1557
17c76198 1558gnutls_transport_set_ptr2(state->session,
44662487
JH
1559 (gnutls_transport_ptr)(long) fileno(smtp_in),
1560 (gnutls_transport_ptr)(long) fileno(smtp_out));
17c76198
PP
1561state->fd_in = fileno(smtp_in);
1562state->fd_out = fileno(smtp_out);
059ec3d9
PH
1563
1564sigalrm_seen = FALSE;
1565if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
17c76198
PP
1566do
1567 {
1568 rc = gnutls_handshake(state->session);
619b2b25
PP
1569 } while ((rc == GNUTLS_E_AGAIN) ||
1570 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
059ec3d9
PH
1571alarm(0);
1572
17c76198 1573if (rc != GNUTLS_E_SUCCESS)
059ec3d9 1574 {
17c76198
PP
1575 tls_error(US"gnutls_handshake",
1576 sigalrm_seen ? "timed out" : gnutls_strerror(rc), NULL);
059ec3d9
PH
1577 /* It seems that, except in the case of a timeout, we have to close the
1578 connection right here; otherwise if the other end is running OpenSSL it hangs
1579 until the server times out. */
1580
1581 if (!sigalrm_seen)
1582 {
f1e894f3
PH
1583 (void)fclose(smtp_out);
1584 (void)fclose(smtp_in);
059ec3d9
PH
1585 }
1586
1587 return FAIL;
1588 }
1589
1590DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1591
17c76198
PP
1592/* Verify after the fact */
1593
9d1c15ef
JH
1594if ( state->verify_requirement != VERIFY_NONE
1595 && !verify_certificate(state, &error))
059ec3d9 1596 {
9d1c15ef 1597 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 1598 {
9d1c15ef
JH
1599 tls_error(US"certificate verification failed", error, NULL);
1600 return FAIL;
17c76198 1601 }
9d1c15ef
JH
1602 DEBUG(D_tls)
1603 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
1604 error);
059ec3d9
PH
1605 }
1606
17c76198
PP
1607/* Figure out peer DN, and if authenticated, etc. */
1608
1609rc = peer_status(state);
1610if (rc != OK) return rc;
1611
1612/* Sets various Exim expansion variables; always safe within server */
1613
9d1c15ef 1614extract_exim_vars_from_tls_state(state);
059ec3d9
PH
1615
1616/* TLS has been set up. Adjust the input functions to read via TLS,
1617and initialize appropriately. */
1618
17c76198 1619state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH
1620
1621receive_getc = tls_getc;
1622receive_ungetc = tls_ungetc;
1623receive_feof = tls_feof;
1624receive_ferror = tls_ferror;
58eb016e 1625receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 1626
059ec3d9
PH
1627return OK;
1628}
1629
1630
1631
1632
1633/*************************************************
1634* Start a TLS session in a client *
1635*************************************************/
1636
1637/* Called from the smtp transport after STARTTLS has been accepted.
1638
1639Arguments:
1640 fd the fd of the connection
1641 host connected host (for messages)
83da1223 1642 addr the first address (not used)
65867078 1643 ob smtp transport options
059ec3d9
PH
1644
1645Returns: OK/DEFER/FAIL (because using common functions),
1646 but for a client, DEFER and FAIL have the same meaning
1647*/
1648
1649int
17c76198 1650tls_client_start(int fd, host_item *host,
f5d78688 1651 address_item *addr ARG_UNUSED,
65867078 1652 void *v_ob)
059ec3d9 1653{
65867078 1654smtp_transport_options_block *ob = v_ob;
059ec3d9 1655int rc;
17c76198
PP
1656const char *error;
1657exim_gnutls_state_st *state = NULL;
2b4a568d 1658#ifdef EXPERIMENTAL_OCSP
65867078 1659BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
2b4a568d 1660 NULL, host->name, host->address, NULL) == OK;
44662487
JH
1661BOOL request_ocsp = require_ocsp ? TRUE
1662 : verify_check_this_host(&ob->hosts_request_ocsp,
1663 NULL, host->name, host->address, NULL) == OK;
2b4a568d 1664#endif
059ec3d9 1665
17c76198 1666DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
059ec3d9 1667
65867078
JH
1668if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
1669 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
1670 ob->tls_require_ciphers, &state)) != OK)
2b4a568d 1671 return rc;
059ec3d9 1672
54c90be1 1673 {
65867078
JH
1674 int dh_min_bits = ob->tls_dh_min_bits;
1675 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
1676 {
1677 DEBUG(D_tls)
1678 debug_printf("WARNING: tls_dh_min_bits far too low,"
1679 " clamping %d up to %d\n",
1680 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
1681 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
1682 }
54c90be1 1683
65867078
JH
1684 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
1685 " acceptable bits to %d\n",
1686 dh_min_bits);
1687 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
1688 }
83da1223 1689
2b4a568d
JH
1690/* Stick to the old behaviour for compatibility if tls_verify_certificates is
1691set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
1692the specified host patterns if one of them is defined */
1693
1694if (( state->exp_tls_verify_certificates
65867078
JH
1695 && !ob->tls_verify_hosts
1696 && !ob->tls_try_verify_hosts
2b4a568d
JH
1697 )
1698 ||
65867078 1699 verify_check_host(&ob->tls_verify_hosts) == OK
2b4a568d 1700 )
17c76198 1701 {
52f93eed
WB
1702 DEBUG(D_tls) debug_printf("TLS: server certificate verification required.\n");
1703 state->verify_requirement = VERIFY_REQUIRED;
1704 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1705 }
65867078 1706else if (verify_check_host(&ob->tls_try_verify_hosts) == OK)
52f93eed
WB
1707 {
1708 DEBUG(D_tls) debug_printf("TLS: server certificate verification optional.\n");
1709 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP
1710 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1711 }
1712else
1713 {
52f93eed
WB
1714 DEBUG(D_tls) debug_printf("TLS: server certificate verification not required.\n");
1715 state->verify_requirement = VERIFY_NONE;
1716 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 1717 }
059ec3d9 1718
2b4a568d 1719#ifdef EXPERIMENTAL_OCSP /* since GnuTLS 3.1.3 */
44662487 1720if (request_ocsp)
9d1c15ef
JH
1721 {
1722 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH
1723 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
1724 NULL, 0, NULL)) != OK)
9d1c15ef
JH
1725 return tls_error(US"cert-status-req",
1726 gnutls_strerror(rc), state->host);
44662487 1727 tls_out.ocsp = OCSP_NOT_RESP;
9d1c15ef 1728 }
2b4a568d
JH
1729#endif
1730
44662487 1731gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)(long) fd);
17c76198
PP
1732state->fd_in = fd;
1733state->fd_out = fd;
059ec3d9 1734
9d1c15ef 1735DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH
1736/* There doesn't seem to be a built-in timeout on connection. */
1737
1738sigalrm_seen = FALSE;
65867078 1739alarm(ob->command_timeout);
17c76198
PP
1740do
1741 {
1742 rc = gnutls_handshake(state->session);
619b2b25
PP
1743 } while ((rc == GNUTLS_E_AGAIN) ||
1744 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
059ec3d9
PH
1745alarm(0);
1746
4fe99a6c
PP
1747if (rc != GNUTLS_E_SUCCESS)
1748 return tls_error(US"gnutls_handshake",
1749 sigalrm_seen ? "timed out" : gnutls_strerror(rc), state->host);
1750
17c76198 1751DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
059ec3d9 1752
17c76198 1753/* Verify late */
059ec3d9 1754
17c76198
PP
1755if (state->verify_requirement != VERIFY_NONE &&
1756 !verify_certificate(state, &error))
1757 return tls_error(US"certificate verification failed", error, state->host);
059ec3d9 1758
2b4a568d
JH
1759#ifdef EXPERIMENTAL_OCSP
1760if (require_ocsp)
1761 {
1762 DEBUG(D_tls)
1763 {
1764 gnutls_datum_t stapling;
1765 gnutls_ocsp_resp_t resp;
1766 gnutls_datum_t printed;
1767 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
1768 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
1769 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
1770 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
1771 )
1772 {
65867078 1773 debug_printf("%.4096s", printed.data);
2b4a568d
JH
1774 gnutls_free(printed.data);
1775 }
1776 else
1777 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host);
1778 }
1779
2b4a568d 1780 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2
JH
1781 {
1782 tls_out.ocsp = OCSP_FAILED;
2b4a568d 1783 return tls_error(US"certificate status check failed", NULL, state->host);
018058b2 1784 }
2b4a568d 1785 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
44662487 1786 tls_out.ocsp = OCSP_VFIED;
2b4a568d
JH
1787 }
1788#endif
1789
17c76198 1790/* Figure out peer DN, and if authenticated, etc. */
059ec3d9 1791
2b4a568d
JH
1792if ((rc = peer_status(state)) != OK)
1793 return rc;
059ec3d9 1794
4fe99a6c 1795/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 1796
9d1c15ef 1797extract_exim_vars_from_tls_state(state);
059ec3d9 1798
059ec3d9
PH
1799return OK;
1800}
1801
1802
1803
17c76198 1804
059ec3d9 1805/*************************************************
17c76198 1806* Close down a TLS session *
059ec3d9
PH
1807*************************************************/
1808
17c76198
PP
1809/* This is also called from within a delivery subprocess forked from the
1810daemon, to shut down the TLS library, without actually doing a shutdown (which
1811would tamper with the TLS session in the parent process).
059ec3d9 1812
17c76198
PP
1813Arguments: TRUE if gnutls_bye is to be called
1814Returns: nothing
059ec3d9
PH
1815*/
1816
17c76198 1817void
817d9f57 1818tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 1819{
817d9f57 1820exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
059ec3d9 1821
389ca47a 1822if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
17c76198
PP
1823
1824if (shutdown)
1825 {
1826 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
1827 gnutls_bye(state->session, GNUTLS_SHUT_WR);
1828 }
1829
1830gnutls_deinit(state->session);
1831
389ca47a 1832state->tlsp->active = -1;
17c76198
PP
1833memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1834
1835if ((state_server.session == NULL) && (state_client.session == NULL))
1836 {
1837 gnutls_global_deinit();
1838 exim_gnutls_base_init_done = FALSE;
1839 }
7199e1ee 1840
059ec3d9
PH
1841}
1842
1843
1844
17c76198 1845
059ec3d9
PH
1846/*************************************************
1847* TLS version of getc *
1848*************************************************/
1849
1850/* This gets the next byte from the TLS input buffer. If the buffer is empty,
1851it refills the buffer via the GnuTLS reading function.
817d9f57 1852Only used by the server-side TLS.
059ec3d9 1853
17c76198
PP
1854This feeds DKIM and should be used for all message-body reads.
1855
059ec3d9
PH
1856Arguments: none
1857Returns: the next character or EOF
1858*/
1859
1860int
1861tls_getc(void)
1862{
817d9f57 1863exim_gnutls_state_st *state = &state_server;
17c76198 1864if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
059ec3d9 1865 {
17c76198 1866 ssize_t inbytes;
059ec3d9 1867
17c76198
PP
1868 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
1869 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH
1870
1871 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
17c76198 1872 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
059ec3d9
PH
1873 ssl_xfer_buffer_size);
1874 alarm(0);
1875
1876 /* A zero-byte return appears to mean that the TLS session has been
1877 closed down, not that the socket itself has been closed down. Revert to
1878 non-TLS handling. */
1879
1880 if (inbytes == 0)
1881 {
1882 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
1883
1884 receive_getc = smtp_getc;
1885 receive_ungetc = smtp_ungetc;
1886 receive_feof = smtp_feof;
1887 receive_ferror = smtp_ferror;
58eb016e 1888 receive_smtp_buffered = smtp_buffered;
059ec3d9 1889
17c76198
PP
1890 gnutls_deinit(state->session);
1891 state->session = NULL;
817d9f57
JH
1892 state->tlsp->active = -1;
1893 state->tlsp->bits = 0;
1894 state->tlsp->certificate_verified = FALSE;
9d1c15ef 1895 tls_channelbinding_b64 = NULL;
817d9f57 1896 state->tlsp->cipher = NULL;
9d1c15ef 1897 state->tlsp->peercert = NULL;
817d9f57 1898 state->tlsp->peerdn = NULL;
059ec3d9
PH
1899
1900 return smtp_getc();
1901 }
1902
1903 /* Handle genuine errors */
1904
1905 else if (inbytes < 0)
1906 {
17c76198
PP
1907 record_io_error(state, (int) inbytes, US"recv", NULL);
1908 state->xfer_error = 1;
059ec3d9
PH
1909 return EOF;
1910 }
80a47a2c 1911#ifndef DISABLE_DKIM
17c76198 1912 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
80a47a2c 1913#endif
17c76198
PP
1914 state->xfer_buffer_hwm = (int) inbytes;
1915 state->xfer_buffer_lwm = 0;
059ec3d9
PH
1916 }
1917
059ec3d9
PH
1918/* Something in the buffer; return next uschar */
1919
17c76198 1920return state->xfer_buffer[state->xfer_buffer_lwm++];
059ec3d9
PH
1921}
1922
1923
1924
17c76198 1925
059ec3d9
PH
1926/*************************************************
1927* Read bytes from TLS channel *
1928*************************************************/
1929
17c76198
PP
1930/* This does not feed DKIM, so if the caller uses this for reading message body,
1931then the caller must feed DKIM.
817d9f57 1932
059ec3d9
PH
1933Arguments:
1934 buff buffer of data
1935 len size of buffer
1936
1937Returns: the number of bytes read
1938 -1 after a failed read
1939*/
1940
1941int
817d9f57 1942tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 1943{
817d9f57 1944exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
17c76198 1945ssize_t inbytes;
059ec3d9 1946
17c76198
PP
1947if (len > INT_MAX)
1948 len = INT_MAX;
059ec3d9 1949
17c76198
PP
1950if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
1951 DEBUG(D_tls)
1952 debug_printf("*** PROBABLY A BUG *** " \
1953 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
1954 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
1955
1956DEBUG(D_tls)
1957 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
1958 state->session, buff, len);
1959
1960inbytes = gnutls_record_recv(state->session, buff, len);
059ec3d9
PH
1961if (inbytes > 0) return inbytes;
1962if (inbytes == 0)
1963 {
1964 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
1965 }
17c76198 1966else record_io_error(state, (int)inbytes, US"recv", NULL);
059ec3d9
PH
1967
1968return -1;
1969}
1970
1971
1972
17c76198 1973
059ec3d9
PH
1974/*************************************************
1975* Write bytes down TLS channel *
1976*************************************************/
1977
1978/*
1979Arguments:
817d9f57 1980 is_server channel specifier
059ec3d9
PH
1981 buff buffer of data
1982 len number of bytes
1983
1984Returns: the number of bytes after a successful write,
1985 -1 after a failed write
1986*/
1987
1988int
817d9f57 1989tls_write(BOOL is_server, const uschar *buff, size_t len)
059ec3d9 1990{
17c76198
PP
1991ssize_t outbytes;
1992size_t left = len;
817d9f57 1993exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
059ec3d9 1994
17c76198 1995DEBUG(D_tls) debug_printf("tls_do_write(%p, " SIZE_T_FMT ")\n", buff, left);
059ec3d9
PH
1996while (left > 0)
1997 {
17c76198
PP
1998 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
1999 buff, left);
2000 outbytes = gnutls_record_send(state->session, buff, left);
059ec3d9 2001
17c76198 2002 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH
2003 if (outbytes < 0)
2004 {
17c76198 2005 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH
2006 return -1;
2007 }
2008 if (outbytes == 0)
2009 {
17c76198 2010 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH
2011 return -1;
2012 }
2013
2014 left -= outbytes;
2015 buff += outbytes;
2016 }
2017
17c76198
PP
2018if (len > INT_MAX)
2019 {
2020 DEBUG(D_tls)
2021 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
2022 len);
2023 len = INT_MAX;
2024 }
2025
2026return (int) len;
059ec3d9
PH
2027}
2028
2029
2030
17c76198 2031
059ec3d9 2032/*************************************************
17c76198 2033* Random number generation *
059ec3d9
PH
2034*************************************************/
2035
17c76198
PP
2036/* Pseudo-random number generation. The result is not expected to be
2037cryptographically strong but not so weak that someone will shoot themselves
2038in the foot using it as a nonce in input in some email header scheme or
2039whatever weirdness they'll twist this into. The result should handle fork()
2040and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 2041
17c76198
PP
2042Arguments:
2043 max range maximum
2044Returns a random number in range [0, max-1]
059ec3d9
PH
2045*/
2046
af3498d6 2047#ifdef HAVE_GNUTLS_RND
17c76198
PP
2048int
2049vaguely_random_number(int max)
059ec3d9 2050{
17c76198
PP
2051unsigned int r;
2052int i, needed_len;
2053uschar *p;
2054uschar smallbuf[sizeof(r)];
2055
2056if (max <= 1)
2057 return 0;
2058
2059needed_len = sizeof(r);
2060/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2061 * asked for a number less than 10. */
2062for (r = max, i = 0; r; ++i)
2063 r >>= 1;
2064i = (i + 7) / 8;
2065if (i < needed_len)
2066 needed_len = i;
2067
2068i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2069if (i < 0)
059ec3d9 2070 {
17c76198
PP
2071 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2072 return vaguely_random_number_fallback(max);
2073 }
2074r = 0;
2075for (p = smallbuf; needed_len; --needed_len, ++p)
2076 {
2077 r *= 256;
2078 r += *p;
059ec3d9
PH
2079 }
2080
17c76198
PP
2081/* We don't particularly care about weighted results; if someone wants
2082 * smooth distribution and cares enough then they should submit a patch then. */
2083return r % max;
059ec3d9 2084}
af3498d6
PP
2085#else /* HAVE_GNUTLS_RND */
2086int
2087vaguely_random_number(int max)
2088{
2089 return vaguely_random_number_fallback(max);
2090}
2091#endif /* HAVE_GNUTLS_RND */
059ec3d9 2092
36f12725
NM
2093
2094
2095
2096/*************************************************
3375e053
PP
2097* Let tls_require_ciphers be checked at startup *
2098*************************************************/
2099
2100/* The tls_require_ciphers option, if set, must be something which the
2101library can parse.
2102
2103Returns: NULL on success, or error message
2104*/
2105
2106uschar *
2107tls_validate_require_cipher(void)
2108{
2109int rc;
2110uschar *expciphers = NULL;
2111gnutls_priority_t priority_cache;
2112const char *errpos;
2113
2114#define validate_check_rc(Label) do { \
2115 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2116 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2117#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2118
2119if (exim_gnutls_base_init_done)
2120 log_write(0, LOG_MAIN|LOG_PANIC,
2121 "already initialised GnuTLS, Exim developer bug");
2122
a5f239e4 2123#ifdef HAVE_GNUTLS_PKCS11
2519e60d 2124if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP
2125 {
2126 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2127 validate_check_rc(US"gnutls_pkcs11_init");
2128 }
2129#endif
3375e053
PP
2130rc = gnutls_global_init();
2131validate_check_rc(US"gnutls_global_init()");
2132exim_gnutls_base_init_done = TRUE;
2133
2134if (!(tls_require_ciphers && *tls_require_ciphers))
2135 return_deinit(NULL);
2136
2137if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2138 return_deinit(US"failed to expand tls_require_ciphers");
2139
2140if (!(expciphers && *expciphers))
2141 return_deinit(NULL);
2142
2143DEBUG(D_tls)
2144 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2145
2146rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2147validate_check_rc(string_sprintf(
2148 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2149 expciphers, errpos - CS expciphers, errpos));
2150
2151#undef return_deinit
2152#undef validate_check_rc
2153gnutls_global_deinit();
2154
2155return NULL;
2156}
2157
2158
2159
2160
2161/*************************************************
36f12725
NM
2162* Report the library versions. *
2163*************************************************/
2164
2165/* See a description in tls-openssl.c for an explanation of why this exists.
2166
2167Arguments: a FILE* to print the results to
2168Returns: nothing
2169*/
2170
2171void
2172tls_version_report(FILE *f)
2173{
754a0503
PP
2174fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2175 " Runtime: %s\n",
2176 LIBGNUTLS_VERSION,
2177 gnutls_check_version(NULL));
36f12725
NM
2178}
2179
2b4a568d
JH
2180/* vi: aw ai sw=2
2181*/
059ec3d9 2182/* End of tls-gnu.c */