Use exim string facilities rather than custom parser for DKIM pubkey
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
3386088d 5/* Copyright (c) University of Cambridge 1995 - 2015 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP
10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP
14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 16Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 17appropriate.
059ec3d9 18
17c76198
PP
19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP
24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP
27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP
32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP
37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
a5f239e4
PP
42/* needed to disable PKCS11 autoload unless requested */
43#if GNUTLS_VERSION_NUMBER >= 0x020c00
44# include <gnutls/pkcs11.h>
76075bb5 45# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 46#endif
7e07527a
JH
47#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
48# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
49# define DISABLE_OCSP
50#endif
0cbf2b82 51#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 52# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 53# define DISABLE_EVENT
a7538db1 54#endif
a7fec7a7
JH
55#if GNUTLS_VERSION_NUMBER >= 0x030306
56# define SUPPORT_CA_DIR
57#else
58# undef SUPPORT_CA_DIR
59#endif
11a04b5a 60#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH
61# define SUPPORT_SYSDEFAULT_CABUNDLE
62#endif
925ac8e4
JH
63#if GNUTLS_VERSION_NUMBER >= 0x030109
64# define SUPPORT_CORK
65#endif
7e07527a 66
f2de3a33 67#ifndef DISABLE_OCSP
2b4a568d
JH
68# include <gnutls/ocsp.h>
69#endif
059ec3d9 70
17c76198 71/* GnuTLS 2 vs 3
059ec3d9 72
17c76198
PP
73GnuTLS 3 only:
74 gnutls_global_set_audit_log_function()
059ec3d9 75
17c76198
PP
76Changes:
77 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
78*/
059ec3d9 79
17c76198 80/* Local static variables for GnuTLS */
059ec3d9 81
17c76198 82/* Values for verify_requirement */
059ec3d9 83
e51c7be2 84enum peer_verify_requirement
aa2a70ba 85 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
059ec3d9 86
17c76198
PP
87/* This holds most state for server or client; with this, we can set up an
88outbound TLS-enabled connection in an ACL callout, while not stomping all
89over the TLS variables available for expansion.
059ec3d9 90
17c76198
PP
91Some of these correspond to variables in globals.c; those variables will
92be set to point to content in one of these instances, as appropriate for
93the stage of the process lifetime.
059ec3d9 94
389ca47a 95Not handled here: global tls_channelbinding_b64.
17c76198 96*/
059ec3d9 97
17c76198 98typedef struct exim_gnutls_state {
9d1c15ef 99 gnutls_session_t session;
17c76198 100 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 101 gnutls_priority_t priority_cache;
17c76198 102 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH
103 int fd_in;
104 int fd_out;
105 BOOL peer_cert_verified;
106 BOOL trigger_sni_changes;
107 BOOL have_set_peerdn;
17c76198 108 const struct host_item *host;
9d1c15ef
JH
109 gnutls_x509_crt_t peercert;
110 uschar *peerdn;
111 uschar *ciphersuite;
112 uschar *received_sni;
17c76198
PP
113
114 const uschar *tls_certificate;
115 const uschar *tls_privatekey;
116 const uschar *tls_sni; /* client send only, not received */
117 const uschar *tls_verify_certificates;
118 const uschar *tls_crl;
119 const uschar *tls_require_ciphers;
e51c7be2 120
17c76198
PP
121 uschar *exp_tls_certificate;
122 uschar *exp_tls_privatekey;
17c76198
PP
123 uschar *exp_tls_verify_certificates;
124 uschar *exp_tls_crl;
125 uschar *exp_tls_require_ciphers;
44662487 126 uschar *exp_tls_ocsp_file;
55414b25 127 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 128#ifndef DISABLE_EVENT
a7538db1
JH
129 uschar *event_action;
130#endif
17c76198 131
389ca47a 132 tls_support *tlsp; /* set in tls_init() */
817d9f57 133
17c76198
PP
134 uschar *xfer_buffer;
135 int xfer_buffer_lwm;
136 int xfer_buffer_hwm;
137 int xfer_eof;
138 int xfer_error;
17c76198
PP
139} exim_gnutls_state_st;
140
141static const exim_gnutls_state_st exim_gnutls_state_init = {
4fe99a6c 142 NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
75fe387d 143 NULL, NULL, NULL, NULL,
17c76198 144 NULL, NULL, NULL, NULL, NULL, NULL,
44662487 145 NULL, NULL, NULL, NULL, NULL, NULL, NULL,
01a4a5c5 146 NULL,
0cbf2b82 147#ifndef DISABLE_EVENT
a7538db1
JH
148 NULL,
149#endif
817d9f57 150 NULL,
17c76198 151 NULL, 0, 0, 0, 0,
17c76198 152};
83da1223 153
17c76198
PP
154/* Not only do we have our own APIs which don't pass around state, assuming
155it's held in globals, GnuTLS doesn't appear to let us register callback data
156for callbacks, or as part of the session, so we have to keep a "this is the
157context we're currently dealing with" pointer and rely upon being
158single-threaded to keep from processing data on an inbound TLS connection while
159talking to another TLS connection for an outbound check. This does mean that
160there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH
161second connection.
162XXX But see gnutls_session_get_ptr()
163*/
059ec3d9 164
17c76198 165static exim_gnutls_state_st state_server, state_client;
059ec3d9 166
17c76198
PP
167/* dh_params are initialised once within the lifetime of a process using TLS;
168if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
169don't want to repeat this. */
83da1223 170
17c76198 171static gnutls_dh_params_t dh_server_params = NULL;
059ec3d9 172
17c76198 173/* No idea how this value was chosen; preserving it. Default is 3600. */
059ec3d9 174
17c76198 175static const int ssl_session_timeout = 200;
059ec3d9 176
17c76198 177static const char * const exim_default_gnutls_priority = "NORMAL";
83da1223 178
17c76198 179/* Guard library core initialisation */
83da1223 180
17c76198 181static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 182
4fb7df6d 183#ifndef DISABLE_OCSP
9196d5bf 184static BOOL gnutls_buggy_ocsp = FALSE;
4fb7df6d 185#endif
9196d5bf 186
059ec3d9 187
17c76198 188/* ------------------------------------------------------------------------ */
17c76198 189/* macros */
83da1223 190
17c76198 191#define MAX_HOST_LEN 255
83da1223 192
17c76198
PP
193/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
194the library logging; a value less than 0 disables the calls to set up logging
195callbacks. */
2c17bb02 196#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
a7538db1 197# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 198#endif
83da1223 199
2c17bb02 200#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 201# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 202#endif
83da1223 203
af3498d6
PP
204/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
205can ask for a bit-strength. Without that, we stick to the constant we had
206before, for now. */
2c17bb02 207#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 208# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 209#endif
af3498d6 210
17c76198 211#define exim_gnutls_err_check(Label) do { \
cf0c6164
JH
212 if (rc != GNUTLS_E_SUCCESS) \
213 return tls_error((Label), gnutls_strerror(rc), host, errstr); \
214 } while (0)
059ec3d9 215
cf0c6164
JH
216#define expand_check_tlsvar(Varname, errstr) \
217 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 218
17c76198 219#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH
220# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
221# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
222# define HAVE_GNUTLS_RND
2519e60d
TL
223/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
224 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
225 * isn't available sometimes, so this needs to become a conditional
226 * compilation; the sanest way to deal with this being a problem on
227 * older OSes is to block it in the Local/Makefile with this compiler
228 * definition */
e51c7be2
JH
229# ifndef AVOID_GNUTLS_PKCS11
230# define HAVE_GNUTLS_PKCS11
231# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 232#endif
83da1223 233
af3498d6
PP
234
235
236
237/* ------------------------------------------------------------------------ */
238/* Callback declarations */
239
240#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
241static void exim_gnutls_logger_cb(int level, const char *message);
242#endif
243
244static int exim_sni_handling_cb(gnutls_session_t session);
245
f2de3a33 246#ifndef DISABLE_OCSP
44662487
JH
247static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
248 gnutls_datum_t * ocsp_response);
249#endif
af3498d6
PP
250
251
252
17c76198
PP
253/* ------------------------------------------------------------------------ */
254/* Static functions */
059ec3d9
PH
255
256/*************************************************
257* Handle TLS error *
258*************************************************/
259
260/* Called from lots of places when errors occur before actually starting to do
261the TLS handshake, that is, while the session is still in clear. Always returns
262DEFER for a server and FAIL for a client so that most calls can use "return
263tls_error(...)" to do this processing and then give an appropriate return. A
264single function is used for both server and client, because it is called from
265some shared functions.
266
267Argument:
268 prefix text to include in the logged error
7199e1ee
TF
269 msg additional error string (may be NULL)
270 usually obtained from gnutls_strerror()
17c76198
PP
271 host NULL if setting up a server;
272 the connected host if setting up a client
cf0c6164 273 errstr pointer to returned error string
059ec3d9
PH
274
275Returns: OK/DEFER/FAIL
276*/
277
278static int
cf0c6164
JH
279tls_error(const uschar *prefix, const char *msg, const host_item *host,
280 uschar ** errstr)
059ec3d9 281{
cf0c6164
JH
282if (errstr)
283 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : "");
284return host ? FAIL : DEFER;
059ec3d9
PH
285}
286
287
288
17c76198 289
059ec3d9 290/*************************************************
17c76198 291* Deal with logging errors during I/O *
059ec3d9
PH
292*************************************************/
293
17c76198 294/* We have to get the identity of the peer from saved data.
059ec3d9 295
17c76198
PP
296Argument:
297 state the current GnuTLS exim state container
298 rc the GnuTLS error code, or 0 if it's a local error
299 when text identifying read or write
300 text local error text when ec is 0
059ec3d9 301
17c76198 302Returns: nothing
059ec3d9
PH
303*/
304
17c76198
PP
305static void
306record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 307{
cf0c6164
JH
308const char * msg;
309uschar * errstr;
059ec3d9 310
17c76198
PP
311if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
312 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
313 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
314else
315 msg = gnutls_strerror(rc);
059ec3d9 316
cf0c6164
JH
317(void) tls_error(when, msg, state->host, &errstr);
318
319if (state->host)
320 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
321 state->host->name, state->host->address, errstr);
322else
323 {
324 uschar * conn_info = smtp_get_connection_info();
325 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
326 /* I'd like to get separated H= here, but too hard for now */
327 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
328 }
17c76198 329}
059ec3d9 330
059ec3d9 331
059ec3d9 332
059ec3d9 333
17c76198
PP
334/*************************************************
335* Set various Exim expansion vars *
336*************************************************/
059ec3d9 337
e51c7be2
JH
338#define exim_gnutls_cert_err(Label) \
339 do \
340 { \
341 if (rc != GNUTLS_E_SUCCESS) \
342 { \
343 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
344 (Label), gnutls_strerror(rc)); \
345 return rc; \
346 } \
347 } while (0)
9d1c15ef
JH
348
349static int
27f19eb4 350import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH
351{
352int rc;
353
354rc = gnutls_x509_crt_init(crtp);
355exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
356
357rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
358exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
359
360return rc;
361}
362
363#undef exim_gnutls_cert_err
364
365
17c76198
PP
366/* We set various Exim global variables from the state, once a session has
367been established. With TLS callouts, may need to change this to stack
368variables, or just re-call it with the server state after client callout
369has finished.
059ec3d9 370
9d1c15ef 371Make sure anything set here is unset in tls_getc().
17c76198
PP
372
373Sets:
374 tls_active fd
375 tls_bits strength indicator
376 tls_certificate_verified bool indicator
377 tls_channelbinding_b64 for some SASL mechanisms
378 tls_cipher a string
9d1c15ef 379 tls_peercert pointer to library internal
17c76198
PP
380 tls_peerdn a string
381 tls_sni a (UTF-8) string
9d1c15ef 382 tls_ourcert pointer to library internal
17c76198
PP
383
384Argument:
385 state the relevant exim_gnutls_state_st *
386*/
387
388static void
9d1c15ef 389extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 390{
17c76198 391gnutls_cipher_algorithm_t cipher;
17c76198
PP
392#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
393int old_pool;
394int rc;
395gnutls_datum_t channel;
396#endif
9d1c15ef 397tls_support * tlsp = state->tlsp;
17c76198 398
9d1c15ef 399tlsp->active = state->fd_out;
17c76198
PP
400
401cipher = gnutls_cipher_get(state->session);
402/* returns size in "bytes" */
9d1c15ef 403tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
17c76198 404
9d1c15ef 405tlsp->cipher = state->ciphersuite;
17c76198 406
817d9f57 407DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 408
9d1c15ef 409tlsp->certificate_verified = state->peer_cert_verified;
059ec3d9 410
17c76198
PP
411/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
412only available for use for authenticators while this TLS session is running. */
413
414tls_channelbinding_b64 = NULL;
415#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
416channel.data = NULL;
417channel.size = 0;
418rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
419if (rc) {
420 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
421} else {
422 old_pool = store_pool;
423 store_pool = POOL_PERM;
f4d091fb 424 tls_channelbinding_b64 = b64encode(channel.data, (int)channel.size);
17c76198
PP
425 store_pool = old_pool;
426 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
427}
428#endif
429
9d1c15ef
JH
430/* peercert is set in peer_status() */
431tlsp->peerdn = state->peerdn;
432tlsp->sni = state->received_sni;
433
434/* record our certificate */
435 {
27f19eb4 436 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH
437 gnutls_x509_crt_t crt;
438
439 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
440 }
059ec3d9
PH
441}
442
443
444
17c76198 445
059ec3d9 446/*************************************************
575643cd 447* Setup up DH parameters *
059ec3d9
PH
448*************************************************/
449
575643cd 450/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH
451be re-generated every so often, depending on security policy. What we do is to
452keep these parameters in a file in the spool directory. If the file does not
453exist, we generate them. This means that it is easy to cause a regeneration.
454
455The new file is written as a temporary file and renamed, so that an incomplete
456file is never present. If two processes both compute some new parameters, you
457waste a bit of effort, but it doesn't seem worth messing around with locking to
458prevent this.
459
059ec3d9
PH
460Returns: OK/DEFER/FAIL
461*/
462
463static int
cf0c6164 464init_server_dh(uschar ** errstr)
059ec3d9 465{
17c76198
PP
466int fd, rc;
467unsigned int dh_bits;
27f19eb4 468gnutls_datum_t m;
a799883d
PP
469uschar filename_buf[PATH_MAX];
470uschar *filename = NULL;
17c76198 471size_t sz;
a799883d
PP
472uschar *exp_tls_dhparam;
473BOOL use_file_in_spool = FALSE;
474BOOL use_fixed_file = FALSE;
17c76198 475host_item *host = NULL; /* dummy for macros */
059ec3d9 476
17c76198 477DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 478
17c76198
PP
479rc = gnutls_dh_params_init(&dh_server_params);
480exim_gnutls_err_check(US"gnutls_dh_params_init");
059ec3d9 481
a799883d
PP
482m.data = NULL;
483m.size = 0;
484
cf0c6164 485if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP
486 return DEFER;
487
488if (!exp_tls_dhparam)
489 {
490 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
491 m.data = US std_dh_prime_default();
492 m.size = Ustrlen(m.data);
493 }
494else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
495 use_file_in_spool = TRUE;
496else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
497 {
498 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
499 return OK;
500 }
501else if (exp_tls_dhparam[0] != '/')
502 {
f5d25c2b 503 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
cf0c6164 504 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL, errstr);
a799883d
PP
505 m.size = Ustrlen(m.data);
506 }
507else
508 {
509 use_fixed_file = TRUE;
510 filename = exp_tls_dhparam;
511 }
512
513if (m.data)
514 {
515 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
516 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
517 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
518 return OK;
519 }
520
af3498d6
PP
521#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
522/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198
PP
523different filename and ensure we have sufficient bits. */
524dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
525if (!dh_bits)
cf0c6164 526 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 527DEBUG(D_tls)
b34fc30c 528 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP
529 dh_bits);
530#else
531dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
532DEBUG(D_tls)
533 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
534 dh_bits);
535#endif
059ec3d9 536
3375e053
PP
537/* Some clients have hard-coded limits. */
538if (dh_bits > tls_dh_max_bits)
539 {
540 DEBUG(D_tls)
541 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
542 tls_dh_max_bits);
543 dh_bits = tls_dh_max_bits;
544 }
545
a799883d
PP
546if (use_file_in_spool)
547 {
548 if (!string_format(filename_buf, sizeof(filename_buf),
549 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 550 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP
551 filename = filename_buf;
552 }
059ec3d9 553
b5aea5e1 554/* Open the cache file for reading and if successful, read it and set up the
575643cd 555parameters. */
059ec3d9 556
f5d25c2b 557if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 558 {
b5aea5e1 559 struct stat statbuf;
17c76198
PP
560 FILE *fp;
561 int saved_errno;
562
563 if (fstat(fd, &statbuf) < 0) /* EIO */
564 {
565 saved_errno = errno;
566 (void)close(fd);
cf0c6164 567 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL, errstr);
17c76198
PP
568 }
569 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH
570 {
571 (void)close(fd);
cf0c6164 572 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 573 }
40c90bca 574 if (!(fp = fdopen(fd, "rb")))
17c76198
PP
575 {
576 saved_errno = errno;
577 (void)close(fd);
578 return tls_error(US"fdopen(TLS cache stat fd) failed",
cf0c6164 579 strerror(saved_errno), NULL, errstr);
b5aea5e1 580 }
059ec3d9 581
b5aea5e1 582 m.size = statbuf.st_size;
40c90bca 583 if (!(m.data = malloc(m.size)))
17c76198
PP
584 {
585 fclose(fp);
cf0c6164 586 return tls_error(US"malloc failed", strerror(errno), NULL, errstr);
17c76198 587 }
40c90bca 588 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP
589 {
590 saved_errno = errno;
591 fclose(fp);
592 free(m.data);
cf0c6164 593 return tls_error(US"fread failed", strerror(saved_errno), NULL, errstr);
17c76198
PP
594 }
595 fclose(fp);
b5aea5e1 596
17c76198 597 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
b5aea5e1 598 free(m.data);
17c76198
PP
599 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
600 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH
601 }
602
603/* If the file does not exist, fall through to compute new data and cache it.
604If there was any other opening error, it is serious. */
605
182ad5cf
PH
606else if (errno == ENOENT)
607 {
17c76198 608 rc = -1;
182ad5cf 609 DEBUG(D_tls)
17c76198 610 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH
611 }
612else
17c76198 613 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 614 NULL, NULL, errstr);
b5aea5e1
PH
615
616/* If ret < 0, either the cache file does not exist, or the data it contains
617is not useful. One particular case of this is when upgrading from an older
618release of Exim in which the data was stored in a different format. We don't
619try to be clever and support both formats; we just regenerate new data in this
620case. */
621
17c76198 622if (rc < 0)
b5aea5e1 623 {
17c76198 624 uschar *temp_fn;
201f5254 625 unsigned int dh_bits_gen = dh_bits;
059ec3d9 626
17c76198
PP
627 if ((PATH_MAX - Ustrlen(filename)) < 10)
628 return tls_error(US"Filename too long to generate replacement",
cf0c6164 629 CS filename, NULL, errstr);
059ec3d9 630
17c76198 631 temp_fn = string_copy(US "%s.XXXXXXX");
f5d25c2b 632 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
cf0c6164 633 return tls_error(US"Unable to open temp file", strerror(errno), NULL, errstr);
059ec3d9
PH
634 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
635
201f5254
PP
636 /* GnuTLS overshoots!
637 * If we ask for 2236, we might get 2237 or more.
638 * But there's no way to ask GnuTLS how many bits there really are.
639 * We can ask how many bits were used in a TLS session, but that's it!
640 * The prime itself is hidden behind too much abstraction.
641 * So we ask for less, and proceed on a wing and a prayer.
642 * First attempt, subtracted 3 for 2233 and got 2240.
643 */
cae6e576 644 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP
645 {
646 dh_bits_gen = dh_bits - 10;
647 DEBUG(D_tls)
648 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
649 dh_bits_gen);
650 }
651
652 DEBUG(D_tls)
653 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
654 dh_bits_gen);
655 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
17c76198
PP
656 exim_gnutls_err_check(US"gnutls_dh_params_generate2");
657
658 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
659 and I confirmed that a NULL call to get the size first is how the GnuTLS
660 sample apps handle this. */
661
662 sz = 0;
663 m.data = NULL;
664 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
665 m.data, &sz);
666 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
667 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3(NULL) sizing");
668 m.size = sz;
40c90bca 669 if (!(m.data = malloc(m.size)))
cf0c6164 670 return tls_error(US"memory allocation failed", strerror(errno), NULL, errstr);
40c90bca 671
1f00591e 672 /* this will return a size 1 less than the allocation size above */
17c76198 673 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
1f00591e 674 m.data, &sz);
17c76198
PP
675 if (rc != GNUTLS_E_SUCCESS)
676 {
677 free(m.data);
678 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3() real");
679 }
1f00591e 680 m.size = sz; /* shrink by 1, probably */
059ec3d9 681
f5d25c2b 682 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198
PP
683 {
684 free(m.data);
685 return tls_error(US"TLS cache write D-H params failed",
cf0c6164 686 strerror(errno), NULL, errstr);
17c76198 687 }
b5aea5e1 688 free(m.data);
f5d25c2b 689 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
17c76198 690 return tls_error(US"TLS cache write D-H params final newline failed",
cf0c6164 691 strerror(errno), NULL, errstr);
17c76198 692
f5d25c2b 693 if ((rc = close(fd)))
cf0c6164 694 return tls_error(US"TLS cache write close() failed", strerror(errno), NULL, errstr);
059ec3d9 695
17c76198
PP
696 if (Urename(temp_fn, filename) < 0)
697 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
cf0c6164 698 temp_fn, filename), strerror(errno), NULL, errstr);
059ec3d9 699
17c76198 700 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH
701 }
702
17c76198 703DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH
704return OK;
705}
706
707
708
709
23bb6982
JH
710/* Create and install a selfsigned certificate, for use in server mode */
711
712static int
cf0c6164 713tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH
714{
715gnutls_x509_crt_t cert = NULL;
716time_t now;
717gnutls_x509_privkey_t pkey = NULL;
718const uschar * where;
719int rc;
720
721where = US"initialising pkey";
722if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
723
724where = US"initialising cert";
725if ((rc = gnutls_x509_crt_init(&cert))) goto err;
726
727where = US"generating pkey";
728if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 729#ifdef SUPPORT_PARAM_TO_PK_BITS
23bb6982 730 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW),
76075bb5
JH
731#else
732 1024,
733#endif
734 0)))
23bb6982
JH
735 goto err;
736
737where = US"configuring cert";
738now = 0;
739if ( (rc = gnutls_x509_crt_set_version(cert, 3))
740 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
741 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
742 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
743 || (rc = gnutls_x509_crt_set_key(cert, pkey))
744
745 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
746 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
747 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
748 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
749 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
750 GNUTLS_OID_X520_COMMON_NAME, 0,
751 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
752 )
753 goto err;
754
755where = US"signing cert";
756if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
757
758where = US"installing selfsign cert";
759 /* Since: 2.4.0 */
760if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
761 goto err;
762
763rc = OK;
764
765out:
766 if (cert) gnutls_x509_crt_deinit(cert);
767 if (pkey) gnutls_x509_privkey_deinit(pkey);
768 return rc;
769
770err:
cf0c6164 771 rc = tls_error(where, gnutls_strerror(rc), NULL, errstr);
23bb6982
JH
772 goto out;
773}
774
775
776
777
059ec3d9 778/*************************************************
17c76198 779* Variables re-expanded post-SNI *
059ec3d9
PH
780*************************************************/
781
17c76198
PP
782/* Called from both server and client code, via tls_init(), and also from
783the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
784
785We can tell the two apart by state->received_sni being non-NULL in callback.
786
787The callback should not call us unless state->trigger_sni_changes is true,
788which we are responsible for setting on the first pass through.
059ec3d9
PH
789
790Arguments:
17c76198 791 state exim_gnutls_state_st *
cf0c6164 792 errstr error string pointer
059ec3d9
PH
793
794Returns: OK/DEFER/FAIL
795*/
796
797static int
cf0c6164 798tls_expand_session_files(exim_gnutls_state_st *state, uschar ** errstr)
059ec3d9 799{
1365611d 800struct stat statbuf;
059ec3d9 801int rc;
17c76198
PP
802const host_item *host = state->host; /* macro should be reconsidered? */
803uschar *saved_tls_certificate = NULL;
804uschar *saved_tls_privatekey = NULL;
805uschar *saved_tls_verify_certificates = NULL;
806uschar *saved_tls_crl = NULL;
807int cert_count;
808
809/* We check for tls_sni *before* expansion. */
2b4a568d 810if (!host) /* server */
17c76198
PP
811 if (!state->received_sni)
812 {
d9b2312b
JH
813 if (state->tls_certificate &&
814 (Ustrstr(state->tls_certificate, US"tls_sni") ||
815 Ustrstr(state->tls_certificate, US"tls_in_sni") ||
816 Ustrstr(state->tls_certificate, US"tls_out_sni")
817 ))
17c76198
PP
818 {
819 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
820 state->trigger_sni_changes = TRUE;
821 }
822 }
823 else
824 {
1365611d 825 /* useful for debugging */
17c76198
PP
826 saved_tls_certificate = state->exp_tls_certificate;
827 saved_tls_privatekey = state->exp_tls_privatekey;
828 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
829 saved_tls_crl = state->exp_tls_crl;
830 }
059ec3d9 831
1365611d
PP
832rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
833exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
834
17c76198
PP
835/* remember: expand_check_tlsvar() is expand_check() but fiddling with
836state members, assuming consistent naming; and expand_check() returns
837false if expansion failed, unless expansion was forced to fail. */
059ec3d9 838
17c76198
PP
839/* check if we at least have a certificate, before doing expensive
840D-H generation. */
059ec3d9 841
cf0c6164 842if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 843 return DEFER;
059ec3d9 844
17c76198 845/* certificate is mandatory in server, optional in client */
059ec3d9 846
23bb6982
JH
847if ( !state->exp_tls_certificate
848 || !*state->exp_tls_certificate
849 )
2b4a568d 850 if (!host)
cf0c6164 851 return tls_install_selfsign(state, errstr);
17c76198
PP
852 else
853 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 854
cf0c6164 855if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH
856 return DEFER;
857
17c76198
PP
858/* tls_privatekey is optional, defaulting to same file as certificate */
859
860if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
059ec3d9 861 {
17c76198
PP
862 state->tls_privatekey = state->tls_certificate;
863 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 864 }
c91535f3 865
059ec3d9 866
17c76198 867if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH
868 {
869 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP
870 state->exp_tls_certificate, state->exp_tls_privatekey);
871
872 if (state->received_sni)
23bb6982
JH
873 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
874 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
875 )
17c76198 876 {
b34fc30c 877 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP
878 }
879 else
880 {
b34fc30c 881 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 882 }
059ec3d9 883
1365611d
PP
884 rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
885 CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
886 GNUTLS_X509_FMT_PEM);
887 exim_gnutls_err_check(
888 string_sprintf("cert/key setup: cert=%s key=%s",
889 state->exp_tls_certificate, state->exp_tls_privatekey));
890 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
b34fc30c 891 } /* tls_certificate */
059ec3d9 892
2b4a568d
JH
893
894/* Set the OCSP stapling server info */
895
f2de3a33 896#ifndef DISABLE_OCSP
2b4a568d
JH
897if ( !host /* server */
898 && tls_ocsp_file
899 )
900 {
9196d5bf
JH
901 if (gnutls_buggy_ocsp)
902 {
903 DEBUG(D_tls) debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
904 }
905 else
906 {
907 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
cf0c6164 908 &state->exp_tls_ocsp_file, errstr))
9196d5bf 909 return DEFER;
2b4a568d 910
9196d5bf
JH
911 /* Use the full callback method for stapling just to get observability.
912 More efficient would be to read the file once only, if it never changed
913 (due to SNI). Would need restart on file update, or watch datestamp. */
44662487 914
9196d5bf
JH
915 gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
916 server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
2b4a568d 917
9196d5bf
JH
918 DEBUG(D_tls) debug_printf("OCSP response file = %s\n", state->exp_tls_ocsp_file);
919 }
2b4a568d
JH
920 }
921#endif
922
923
059ec3d9
PH
924/* Set the trusted CAs file if one is provided, and then add the CRL if one is
925provided. Experiment shows that, if the certificate file is empty, an unhelpful
926error message is provided. However, if we just refrain from setting anything up
927in that case, certificate verification fails, which seems to be the correct
928behaviour. */
929
610ff438 930if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 931 {
cf0c6164 932 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 933 return DEFER;
610ff438
JH
934#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
935 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
936 state->exp_tls_verify_certificates = NULL;
937#endif
17c76198 938 if (state->tls_crl && *state->tls_crl)
cf0c6164 939 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 940 return DEFER;
059ec3d9 941
1365611d
PP
942 if (!(state->exp_tls_verify_certificates &&
943 *state->exp_tls_verify_certificates))
b34fc30c
PP
944 {
945 DEBUG(D_tls)
1365611d
PP
946 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
947 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 948 return OK;
b34fc30c 949 }
1365611d 950 }
83e2f8a2
PP
951else
952 {
953 DEBUG(D_tls)
954 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
955 return OK;
956 }
17c76198 957
cb1d7830
JH
958#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
959if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
960 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
961else
962#endif
1365611d 963 {
cb1d7830
JH
964 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
965 {
966 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
967 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
968 strerror(errno));
969 return DEFER;
970 }
17c76198 971
a7fec7a7 972#ifndef SUPPORT_CA_DIR
cb1d7830
JH
973 /* The test suite passes in /dev/null; we could check for that path explicitly,
974 but who knows if someone has some weird FIFO which always dumps some certs, or
975 other weirdness. The thing we really want to check is that it's not a
976 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 977 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH
978 if (S_ISDIR(statbuf.st_mode))
979 {
980 DEBUG(D_tls)
981 debug_printf("verify certificates path is a dir: \"%s\"\n",
982 state->exp_tls_verify_certificates);
983 log_write(0, LOG_MAIN|LOG_PANIC,
984 "tls_verify_certificates \"%s\" is a directory",
985 state->exp_tls_verify_certificates);
986 return DEFER;
987 }
a7fec7a7 988#endif
059ec3d9 989
cb1d7830
JH
990 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
991 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 992
cb1d7830
JH
993 if (statbuf.st_size == 0)
994 {
995 DEBUG(D_tls)
996 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
997 return OK;
998 }
059ec3d9 999
cb1d7830 1000 cert_count =
a7fec7a7
JH
1001
1002#ifdef SUPPORT_CA_DIR
cb1d7830
JH
1003 (statbuf.st_mode & S_IFMT) == S_IFDIR
1004 ?
1005 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1006 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1007 :
a7fec7a7 1008#endif
cb1d7830
JH
1009 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1010 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
1011 }
a7fec7a7 1012
1365611d
PP
1013if (cert_count < 0)
1014 {
1015 rc = cert_count;
cb1d7830 1016 exim_gnutls_err_check(US"setting certificate trust");
1365611d
PP
1017 }
1018DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1019
5c8cda3a
PP
1020if (state->tls_crl && *state->tls_crl &&
1021 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1022 {
5c8cda3a
PP
1023 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
1024 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1025 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
1026 if (cert_count < 0)
1365611d 1027 {
5c8cda3a 1028 rc = cert_count;
1365611d
PP
1029 exim_gnutls_err_check(US"gnutls_certificate_set_x509_crl_file");
1030 }
5c8cda3a 1031 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1032 }
059ec3d9 1033
059ec3d9
PH
1034return OK;
1035}
1036
1037
1038
1039
1040/*************************************************
1365611d
PP
1041* Set X.509 state variables *
1042*************************************************/
1043
1044/* In GnuTLS, the registered cert/key are not replaced by a later
1045set of a cert/key, so for SNI support we need a whole new x509_cred
1046structure. Which means various other non-re-expanded pieces of state
1047need to be re-set in the new struct, so the setting logic is pulled
1048out to this.
1049
1050Arguments:
1051 state exim_gnutls_state_st *
cf0c6164 1052 errstr error string pointer
1365611d
PP
1053
1054Returns: OK/DEFER/FAIL
1055*/
1056
1057static int
cf0c6164 1058tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP
1059{
1060int rc;
1061const host_item *host = state->host; /* macro should be reconsidered? */
1062
1063/* Create D-H parameters, or read them from the cache file. This function does
1064its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1065client-side params. */
1066
1067if (!state->host)
1068 {
1069 if (!dh_server_params)
1070 {
cf0c6164 1071 rc = init_server_dh(errstr);
1365611d
PP
1072 if (rc != OK) return rc;
1073 }
1074 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1075 }
1076
1077/* Link the credentials to the session. */
1078
1079rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
1080exim_gnutls_err_check(US"gnutls_credentials_set");
1081
1082return OK;
1083}
1084
1085/*************************************************
17c76198 1086* Initialize for GnuTLS *
059ec3d9
PH
1087*************************************************/
1088
9196d5bf 1089
4fb7df6d
JH
1090#ifndef DISABLE_OCSP
1091
9196d5bf
JH
1092static BOOL
1093tls_is_buggy_ocsp(void)
1094{
1095const uschar * s;
1096uschar maj, mid, mic;
1097
1098s = CUS gnutls_check_version(NULL);
1099maj = atoi(CCS s);
1100if (maj == 3)
1101 {
1102 while (*s && *s != '.') s++;
1103 mid = atoi(CCS ++s);
1104 if (mid <= 2)
1105 return TRUE;
1106 else if (mid >= 5)
1107 return FALSE;
1108 else
1109 {
1110 while (*s && *s != '.') s++;
1111 mic = atoi(CCS ++s);
1112 return mic <= (mid == 3 ? 16 : 3);
1113 }
1114 }
1115return FALSE;
1116}
1117
4fb7df6d 1118#endif
9196d5bf
JH
1119
1120
17c76198
PP
1121/* Called from both server and client code. In the case of a server, errors
1122before actual TLS negotiation return DEFER.
059ec3d9
PH
1123
1124Arguments:
17c76198
PP
1125 host connected host, if client; NULL if server
1126 certificate certificate file
1127 privatekey private key file
1128 sni TLS SNI to send, sometimes when client; else NULL
1129 cas CA certs file
1130 crl CRL file
1131 require_ciphers tls_require_ciphers setting
817d9f57 1132 caller_state returned state-info structure
cf0c6164 1133 errstr error string pointer
059ec3d9 1134
17c76198 1135Returns: OK/DEFER/FAIL
059ec3d9
PH
1136*/
1137
17c76198
PP
1138static int
1139tls_init(
1140 const host_item *host,
1141 const uschar *certificate,
1142 const uschar *privatekey,
1143 const uschar *sni,
1144 const uschar *cas,
1145 const uschar *crl,
1146 const uschar *require_ciphers,
cf0c6164
JH
1147 exim_gnutls_state_st **caller_state,
1148 uschar ** errstr)
059ec3d9 1149{
17c76198
PP
1150exim_gnutls_state_st *state;
1151int rc;
1152size_t sz;
1153const char *errpos;
1154uschar *p;
1155BOOL want_default_priorities;
1156
1157if (!exim_gnutls_base_init_done)
059ec3d9 1158 {
17c76198
PP
1159 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1160
a5f239e4
PP
1161#ifdef HAVE_GNUTLS_PKCS11
1162 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1163 which loads modules from a config file, which sounds good and may be wanted
1164 by some sysadmin, but also means in common configurations that GNOME keyring
1165 environment variables are used and so breaks for users calling mailq.
1166 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1167 if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP
1168 {
1169 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
1170 exim_gnutls_err_check(US"gnutls_pkcs11_init");
1171 }
1172#endif
1173
17c76198
PP
1174 rc = gnutls_global_init();
1175 exim_gnutls_err_check(US"gnutls_global_init");
1176
1177#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1178 DEBUG(D_tls)
059ec3d9 1179 {
17c76198
PP
1180 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1181 /* arbitrarily chosen level; bump upto 9 for more */
1182 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1183 }
17c76198
PP
1184#endif
1185
4fb7df6d
JH
1186#ifndef DISABLE_OCSP
1187 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1188 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1189#endif
9196d5bf 1190
17c76198 1191 exim_gnutls_base_init_done = TRUE;
059ec3d9 1192 }
059ec3d9 1193
17c76198
PP
1194if (host)
1195 {
1196 state = &state_client;
1197 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
817d9f57 1198 state->tlsp = &tls_out;
17c76198
PP
1199 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1200 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1201 }
1202else
1203 {
1204 state = &state_server;
1205 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
817d9f57 1206 state->tlsp = &tls_in;
17c76198
PP
1207 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1208 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1209 }
1210exim_gnutls_err_check(US"gnutls_init");
059ec3d9 1211
17c76198 1212state->host = host;
059ec3d9 1213
17c76198
PP
1214state->tls_certificate = certificate;
1215state->tls_privatekey = privatekey;
5779e6aa 1216state->tls_require_ciphers = require_ciphers;
17c76198
PP
1217state->tls_sni = sni;
1218state->tls_verify_certificates = cas;
1219state->tls_crl = crl;
059ec3d9 1220
17c76198
PP
1221/* This handles the variables that might get re-expanded after TLS SNI;
1222that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1223
17c76198
PP
1224DEBUG(D_tls)
1225 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1226if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1227
1365611d
PP
1228/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1229requires a new structure afterwards. */
83da1223 1230
cf0c6164 1231if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1232
17c76198
PP
1233/* set SNI in client, only */
1234if (host)
1235 {
cf0c6164 1236 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1237 return DEFER;
0df4ab80 1238 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP
1239 {
1240 DEBUG(D_tls)
0df4ab80
JH
1241 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1242 sz = Ustrlen(state->tlsp->sni);
17c76198 1243 rc = gnutls_server_name_set(state->session,
0df4ab80 1244 GNUTLS_NAME_DNS, state->tlsp->sni, sz);
17c76198
PP
1245 exim_gnutls_err_check(US"gnutls_server_name_set");
1246 }
1247 }
1248else if (state->tls_sni)
1249 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1250 "have an SNI set for a client [%s]\n", state->tls_sni);
83da1223 1251
17c76198 1252/* This is the priority string support,
42bfef1e 1253http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP
1254and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1255This was backwards incompatible, but means Exim no longer needs to track
1256all algorithms and provide string forms for them. */
83da1223 1257
17c76198 1258want_default_priorities = TRUE;
83da1223 1259
17c76198 1260if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1261 {
cf0c6164 1262 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP
1263 return DEFER;
1264 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1265 {
17c76198
PP
1266 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1267 state->exp_tls_require_ciphers);
1268
1269 rc = gnutls_priority_init(&state->priority_cache,
1270 CS state->exp_tls_require_ciphers, &errpos);
1271 want_default_priorities = FALSE;
1272 p = state->exp_tls_require_ciphers;
83da1223
PH
1273 }
1274 }
17c76198
PP
1275if (want_default_priorities)
1276 {
83e2f8a2
PP
1277 DEBUG(D_tls)
1278 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1279 exim_default_gnutls_priority);
17c76198
PP
1280 rc = gnutls_priority_init(&state->priority_cache,
1281 exim_default_gnutls_priority, &errpos);
1282 p = US exim_default_gnutls_priority;
1283 }
83da1223 1284
17c76198
PP
1285exim_gnutls_err_check(string_sprintf(
1286 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1287 p, errpos - CS p, errpos));
1288
1289rc = gnutls_priority_set(state->session, state->priority_cache);
1290exim_gnutls_err_check(US"gnutls_priority_set");
1291
1292gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1293
1294/* Reduce security in favour of increased compatibility, if the admin
1295decides to make that trade-off. */
1296if (gnutls_compat_mode)
83da1223 1297 {
17c76198
PP
1298#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1299 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1300 gnutls_session_enable_compatibility_mode(state->session);
1301#else
1302 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1303#endif
83da1223
PH
1304 }
1305
17c76198 1306*caller_state = state;
17c76198 1307return OK;
83da1223
PH
1308}
1309
1310
1311
83da1223 1312/*************************************************
17c76198 1313* Extract peer information *
059ec3d9
PH
1314*************************************************/
1315
17c76198 1316/* Called from both server and client code.
4fe99a6c
PP
1317Only this is allowed to set state->peerdn and state->have_set_peerdn
1318and we use that to detect double-calls.
059ec3d9 1319
75fe387d
PP
1320NOTE: the state blocks last while the TLS connection is up, which is fine
1321for logging in the server side, but for the client side, we log after teardown
1322in src/deliver.c. While the session is up, we can twist about states and
1323repoint tls_* globals, but those variables used for logging or other variable
1324expansion that happens _after_ delivery need to have a longer life-time.
1325
1326So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1327doing this more than once per generation of a state context. We set them in
1328the state context, and repoint tls_* to them. After the state goes away, the
1329tls_* copies of the pointers remain valid and client delivery logging is happy.
1330
1331tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1332don't apply.
1333
059ec3d9 1334Arguments:
17c76198 1335 state exim_gnutls_state_st *
cf0c6164 1336 errstr pointer to error string
059ec3d9 1337
17c76198 1338Returns: OK/DEFER/FAIL
059ec3d9
PH
1339*/
1340
17c76198 1341static int
cf0c6164 1342peer_status(exim_gnutls_state_st *state, uschar ** errstr)
059ec3d9 1343{
75fe387d 1344uschar cipherbuf[256];
27f19eb4 1345const gnutls_datum_t *cert_list;
75fe387d 1346int old_pool, rc;
17c76198 1347unsigned int cert_list_size = 0;
4fe99a6c
PP
1348gnutls_protocol_t protocol;
1349gnutls_cipher_algorithm_t cipher;
1350gnutls_kx_algorithm_t kx;
1351gnutls_mac_algorithm_t mac;
17c76198
PP
1352gnutls_certificate_type_t ct;
1353gnutls_x509_crt_t crt;
4fe99a6c 1354uschar *p, *dn_buf;
17c76198 1355size_t sz;
059ec3d9 1356
4fe99a6c 1357if (state->have_set_peerdn)
17c76198 1358 return OK;
4fe99a6c 1359state->have_set_peerdn = TRUE;
059ec3d9 1360
4fe99a6c 1361state->peerdn = NULL;
059ec3d9 1362
4fe99a6c
PP
1363/* tls_cipher */
1364cipher = gnutls_cipher_get(state->session);
1365protocol = gnutls_protocol_get_version(state->session);
1366mac = gnutls_mac_get(state->session);
1367kx = gnutls_kx_get(state->session);
1368
75fe387d 1369string_format(cipherbuf, sizeof(cipherbuf),
4fe99a6c
PP
1370 "%s:%s:%d",
1371 gnutls_protocol_get_name(protocol),
1372 gnutls_cipher_suite_get_name(kx, cipher, mac),
1373 (int) gnutls_cipher_get_key_size(cipher) * 8);
1374
1375/* I don't see a way that spaces could occur, in the current GnuTLS
1376code base, but it was a concern in the old code and perhaps older GnuTLS
1377releases did return "TLS 1.0"; play it safe, just in case. */
75fe387d 1378for (p = cipherbuf; *p != '\0'; ++p)
4fe99a6c
PP
1379 if (isspace(*p))
1380 *p = '-';
75fe387d
PP
1381old_pool = store_pool;
1382store_pool = POOL_PERM;
1383state->ciphersuite = string_copy(cipherbuf);
1384store_pool = old_pool;
817d9f57 1385state->tlsp->cipher = state->ciphersuite;
4fe99a6c
PP
1386
1387/* tls_peerdn */
17c76198 1388cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
83da1223 1389
17c76198
PP
1390if (cert_list == NULL || cert_list_size == 0)
1391 {
17c76198
PP
1392 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1393 cert_list, cert_list_size);
e51c7be2 1394 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1395 return tls_error(US"certificate verification failed",
cf0c6164 1396 "no certificate received from peer", state->host, errstr);
17c76198
PP
1397 return OK;
1398 }
059ec3d9 1399
17c76198
PP
1400ct = gnutls_certificate_type_get(state->session);
1401if (ct != GNUTLS_CRT_X509)
059ec3d9 1402 {
17c76198 1403 const char *ctn = gnutls_certificate_type_get_name(ct);
17c76198
PP
1404 DEBUG(D_tls)
1405 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1406 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1407 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1408 ctn, state->host, errstr);
17c76198 1409 return OK;
83da1223 1410 }
059ec3d9 1411
e51c7be2
JH
1412#define exim_gnutls_peer_err(Label) \
1413 do { \
1414 if (rc != GNUTLS_E_SUCCESS) \
1415 { \
1416 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1417 (Label), gnutls_strerror(rc)); \
1418 if (state->verify_requirement >= VERIFY_REQUIRED) \
cf0c6164 1419 return tls_error((Label), gnutls_strerror(rc), state->host, errstr); \
e51c7be2
JH
1420 return OK; \
1421 } \
1422 } while (0)
17c76198 1423
9d1c15ef
JH
1424rc = import_cert(&cert_list[0], &crt);
1425exim_gnutls_peer_err(US"cert 0");
1426
1427state->tlsp->peercert = state->peercert = crt;
17c76198 1428
17c76198
PP
1429sz = 0;
1430rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1431if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1432 {
17c76198
PP
1433 exim_gnutls_peer_err(US"getting size for cert DN failed");
1434 return FAIL; /* should not happen */
059ec3d9 1435 }
17c76198
PP
1436dn_buf = store_get_perm(sz);
1437rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1438exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1439
17c76198
PP
1440state->peerdn = dn_buf;
1441
1442return OK;
1443#undef exim_gnutls_peer_err
1444}
059ec3d9 1445
059ec3d9 1446
059ec3d9 1447
059ec3d9 1448
17c76198
PP
1449/*************************************************
1450* Verify peer certificate *
1451*************************************************/
059ec3d9 1452
17c76198
PP
1453/* Called from both server and client code.
1454*Should* be using a callback registered with
1455gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1456the peer information, but that's too new for some OSes.
059ec3d9 1457
17c76198
PP
1458Arguments:
1459 state exim_gnutls_state_st *
cf0c6164 1460 errstr where to put an error message
059ec3d9 1461
17c76198
PP
1462Returns:
1463 FALSE if the session should be rejected
1464 TRUE if the cert is okay or we just don't care
1465*/
059ec3d9 1466
17c76198 1467static BOOL
cf0c6164 1468verify_certificate(exim_gnutls_state_st *state, uschar ** errstr)
17c76198
PP
1469{
1470int rc;
1471unsigned int verify;
1472
cf0c6164 1473*errstr = NULL;
17c76198 1474
cf0c6164 1475if ((rc = peer_status(state, errstr)) != OK)
e6060e2c 1476 {
17c76198 1477 verify = GNUTLS_CERT_INVALID;
cf0c6164 1478 *errstr = US"certificate not supplied";
17c76198
PP
1479 }
1480else
17c76198 1481 rc = gnutls_certificate_verify_peers2(state->session, &verify);
e6060e2c 1482
17c76198
PP
1483/* Handle the result of verification. INVALID seems to be set as well
1484as REVOKED, but leave the test for both. */
059ec3d9 1485
e51c7be2
JH
1486if (rc < 0 ||
1487 verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
1488 )
17c76198
PP
1489 {
1490 state->peer_cert_verified = FALSE;
cf0c6164
JH
1491 if (!*errstr)
1492 *errstr = verify & GNUTLS_CERT_REVOKED
1493 ? US"certificate revoked" : US"certificate invalid";
059ec3d9 1494
17c76198 1495 DEBUG(D_tls)
e51c7be2 1496 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 1497 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 1498
e51c7be2 1499 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1500 {
e51c7be2
JH
1501 gnutls_alert_send(state->session,
1502 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
17c76198
PP
1503 return FALSE;
1504 }
1505 DEBUG(D_tls)
4789da3a 1506 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 1507 }
e51c7be2 1508
17c76198
PP
1509else
1510 {
aa2a70ba 1511 if (state->exp_tls_verify_cert_hostnames)
e51c7be2
JH
1512 {
1513 int sep = 0;
55414b25 1514 const uschar * list = state->exp_tls_verify_cert_hostnames;
e51c7be2 1515 uschar * name;
76075bb5 1516 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
e51c7be2
JH
1517 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
1518 break;
1519 if (!name)
1520 {
1521 DEBUG(D_tls)
1522 debug_printf("TLS certificate verification failed: cert name mismatch\n");
aa2a70ba
JH
1523 if (state->verify_requirement >= VERIFY_REQUIRED)
1524 {
1525 gnutls_alert_send(state->session,
1526 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1527 return FALSE;
1528 }
1529 return TRUE;
e51c7be2
JH
1530 }
1531 }
17c76198 1532 state->peer_cert_verified = TRUE;
e51c7be2 1533 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 1534 state->peerdn ? state->peerdn : US"<unset>");
17c76198 1535 }
059ec3d9 1536
817d9f57 1537state->tlsp->peerdn = state->peerdn;
059ec3d9 1538
17c76198
PP
1539return TRUE;
1540}
059ec3d9 1541
17c76198
PP
1542
1543
1544
1545/* ------------------------------------------------------------------------ */
1546/* Callbacks */
1547
1548/* Logging function which can be registered with
1549 * gnutls_global_set_log_function()
1550 * gnutls_global_set_log_level() 0..9
1551 */
af3498d6 1552#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 1553static void
17c76198 1554exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 1555{
8c79eebf
PP
1556 size_t len = strlen(message);
1557 if (len < 1)
1558 {
1559 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1560 return;
1561 }
1562 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1563 message[len-1] == '\n' ? "" : "\n");
17c76198 1564}
af3498d6 1565#endif
059ec3d9 1566
059ec3d9 1567
17c76198
PP
1568/* Called after client hello, should handle SNI work.
1569This will always set tls_sni (state->received_sni) if available,
1570and may trigger presenting different certificates,
1571if state->trigger_sni_changes is TRUE.
059ec3d9 1572
17c76198
PP
1573Should be registered with
1574 gnutls_handshake_set_post_client_hello_function()
059ec3d9 1575
17c76198
PP
1576"This callback must return 0 on success or a gnutls error code to terminate the
1577handshake.".
059ec3d9 1578
17c76198
PP
1579For inability to get SNI information, we return 0.
1580We only return non-zero if re-setup failed.
817d9f57 1581Only used for server-side TLS.
17c76198 1582*/
44bbabb5 1583
17c76198
PP
1584static int
1585exim_sni_handling_cb(gnutls_session_t session)
1586{
1587char sni_name[MAX_HOST_LEN];
1588size_t data_len = MAX_HOST_LEN;
817d9f57 1589exim_gnutls_state_st *state = &state_server;
17c76198
PP
1590unsigned int sni_type;
1591int rc, old_pool;
cf0c6164 1592uschar * dummy_errstr;
17c76198
PP
1593
1594rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP
1595if (rc != GNUTLS_E_SUCCESS)
1596 {
1597 DEBUG(D_tls) {
1598 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1599 debug_printf("TLS: no SNI presented in handshake.\n");
1600 else
1601 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1602 gnutls_strerror(rc), rc);
cf0c6164 1603 }
b34fc30c
PP
1604 return 0;
1605 }
1606
17c76198
PP
1607if (sni_type != GNUTLS_NAME_DNS)
1608 {
1609 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1610 return 0;
1611 }
44bbabb5 1612
17c76198
PP
1613/* We now have a UTF-8 string in sni_name */
1614old_pool = store_pool;
1615store_pool = POOL_PERM;
1616state->received_sni = string_copyn(US sni_name, data_len);
1617store_pool = old_pool;
1618
1619/* We set this one now so that variable expansions below will work */
817d9f57 1620state->tlsp->sni = state->received_sni;
17c76198
PP
1621
1622DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1623 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1624
1625if (!state->trigger_sni_changes)
1626 return 0;
1627
cf0c6164 1628if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP
1629 {
1630 /* If the setup of certs/etc failed before handshake, TLS would not have
1631 been offered. The best we can do now is abort. */
1632 return GNUTLS_E_APPLICATION_ERROR_MIN;
1633 }
1634
cf0c6164 1635rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP
1636if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1637
1638return 0;
059ec3d9
PH
1639}
1640
1641
1642
f2de3a33 1643#ifndef DISABLE_OCSP
44662487
JH
1644
1645static int
1646server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1647 gnutls_datum_t * ocsp_response)
1648{
1649int ret;
1650
44662487
JH
1651if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1652 {
1653 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
1654 (char *)ptr);
018058b2 1655 tls_in.ocsp = OCSP_NOT_RESP;
44662487
JH
1656 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1657 }
1658
018058b2 1659tls_in.ocsp = OCSP_VFY_NOT_TRIED;
44662487
JH
1660return 0;
1661}
1662
1663#endif
1664
1665
0cbf2b82 1666#ifndef DISABLE_EVENT
a7538db1
JH
1667/*
1668We use this callback to get observability and detail-level control
723fe533
JH
1669for an exim TLS connection (either direction), raising a tls:cert event
1670for each cert in the chain presented by the peer. Any event
a7538db1
JH
1671can deny verification.
1672
1673Return 0 for the handshake to continue or non-zero to terminate.
1674*/
1675
1676static int
723fe533 1677verify_cb(gnutls_session_t session)
a7538db1 1678{
27f19eb4 1679const gnutls_datum_t * cert_list;
a7538db1
JH
1680unsigned int cert_list_size = 0;
1681gnutls_x509_crt_t crt;
1682int rc;
b30275b8 1683uschar * yield;
a7538db1
JH
1684exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
1685
1686cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1687if (cert_list)
1688 while (cert_list_size--)
1689 {
1690 rc = import_cert(&cert_list[cert_list_size], &crt);
1691 if (rc != GNUTLS_E_SUCCESS)
1692 {
1693 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
1694 cert_list_size, gnutls_strerror(rc));
1695 break;
1696 }
1697
1698 state->tlsp->peercert = crt;
b30275b8
JH
1699 if ((yield = event_raise(state->event_action,
1700 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH
1701 {
1702 log_write(0, LOG_MAIN,
b30275b8
JH
1703 "SSL verify denied by event-action: depth=%d: %s",
1704 cert_list_size, yield);
a7538db1
JH
1705 return 1; /* reject */
1706 }
1707 state->tlsp->peercert = NULL;
1708 }
1709
1710return 0;
1711}
1712
1713#endif
44662487
JH
1714
1715
17c76198
PP
1716
1717/* ------------------------------------------------------------------------ */
1718/* Exported functions */
1719
1720
1721
1722
059ec3d9
PH
1723/*************************************************
1724* Start a TLS session in a server *
1725*************************************************/
1726
1727/* This is called when Exim is running as a server, after having received
1728the STARTTLS command. It must respond to that command, and then negotiate
1729a TLS session.
1730
1731Arguments:
83da1223 1732 require_ciphers list of allowed ciphers or NULL
cf0c6164 1733 errstr pointer to error string
059ec3d9
PH
1734
1735Returns: OK on success
1736 DEFER for errors before the start of the negotiation
4c04137d 1737 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
1738 continue running.
1739*/
1740
1741int
cf0c6164 1742tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
1743{
1744int rc;
cf0c6164 1745exim_gnutls_state_st * state = NULL;
059ec3d9
PH
1746
1747/* Check for previous activation */
817d9f57 1748if (tls_in.active >= 0)
059ec3d9 1749 {
cf0c6164 1750 tls_error(US"STARTTLS received after TLS started", "", NULL, errstr);
925ac8e4 1751 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
1752 return FAIL;
1753 }
1754
1755/* Initialize the library. If it fails, it will already have logged the error
1756and sent an SMTP response. */
1757
17c76198 1758DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 1759
cf0c6164 1760if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
17c76198 1761 NULL, tls_verify_certificates, tls_crl,
cf0c6164 1762 require_ciphers, &state, errstr)) != OK) return rc;
059ec3d9 1763
059ec3d9
PH
1764/* If this is a host for which certificate verification is mandatory or
1765optional, set up appropriately. */
1766
059ec3d9 1767if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 1768 {
e51c7be2
JH
1769 DEBUG(D_tls)
1770 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP
1771 state->verify_requirement = VERIFY_REQUIRED;
1772 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1773 }
059ec3d9 1774else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 1775 {
e51c7be2
JH
1776 DEBUG(D_tls)
1777 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP
1778 state->verify_requirement = VERIFY_OPTIONAL;
1779 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1780 }
1781else
1782 {
e51c7be2
JH
1783 DEBUG(D_tls)
1784 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP
1785 state->verify_requirement = VERIFY_NONE;
1786 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1787 }
059ec3d9 1788
0cbf2b82 1789#ifndef DISABLE_EVENT
723fe533
JH
1790if (event_action)
1791 {
1792 state->event_action = event_action;
1793 gnutls_session_set_ptr(state->session, state);
1794 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
1795 }
1796#endif
1797
17c76198
PP
1798/* Register SNI handling; always, even if not in tls_certificate, so that the
1799expansion variable $tls_sni is always available. */
059ec3d9 1800
17c76198
PP
1801gnutls_handshake_set_post_client_hello_function(state->session,
1802 exim_sni_handling_cb);
059ec3d9
PH
1803
1804/* Set context and tell client to go ahead, except in the case of TLS startup
1805on connection, where outputting anything now upsets the clients and tends to
1806make them disconnect. We need to have an explicit fflush() here, to force out
1807the response. Other smtp_printf() calls do not need it, because in non-TLS
1808mode, the fflush() happens when smtp_getc() is called. */
1809
817d9f57 1810if (!state->tlsp->on_connect)
059ec3d9 1811 {
925ac8e4 1812 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 1813 fflush(smtp_out);
059ec3d9
PH
1814 }
1815
1816/* Now negotiate the TLS session. We put our own timer on it, since it seems
1817that the GnuTLS library doesn't. */
1818
17c76198 1819gnutls_transport_set_ptr2(state->session,
27f19eb4
JH
1820 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
1821 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP
1822state->fd_in = fileno(smtp_in);
1823state->fd_out = fileno(smtp_out);
059ec3d9
PH
1824
1825sigalrm_seen = FALSE;
1826if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
17c76198 1827do
17c76198 1828 rc = gnutls_handshake(state->session);
157a7880 1829while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
059ec3d9
PH
1830alarm(0);
1831
17c76198 1832if (rc != GNUTLS_E_SUCCESS)
059ec3d9 1833 {
059ec3d9
PH
1834 /* It seems that, except in the case of a timeout, we have to close the
1835 connection right here; otherwise if the other end is running OpenSSL it hangs
1836 until the server times out. */
1837
60d10ce7 1838 if (sigalrm_seen)
ad7fc6eb 1839 {
cf0c6164 1840 tls_error(US"gnutls_handshake", "timed out", NULL, errstr);
ad7fc6eb
JH
1841 gnutls_db_remove_session(state->session);
1842 }
60d10ce7 1843 else
059ec3d9 1844 {
cf0c6164 1845 tls_error(US"gnutls_handshake", gnutls_strerror(rc), NULL, errstr);
f5d25c2b 1846 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 1847 gnutls_deinit(state->session);
ed62aae3 1848 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 1849 millisleep(500);
ad7fc6eb 1850 shutdown(state->fd_out, SHUT_WR);
60d10ce7 1851 for (rc = 1024; fgetc(smtp_in) != EOF && rc > 0; ) rc--; /* drain skt */
f1e894f3
PH
1852 (void)fclose(smtp_out);
1853 (void)fclose(smtp_in);
60d10ce7 1854 smtp_out = smtp_in = NULL;
059ec3d9
PH
1855 }
1856
1857 return FAIL;
1858 }
1859
1860DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1861
17c76198
PP
1862/* Verify after the fact */
1863
9d1c15ef 1864if ( state->verify_requirement != VERIFY_NONE
cf0c6164 1865 && !verify_certificate(state, errstr))
059ec3d9 1866 {
9d1c15ef 1867 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 1868 {
cf0c6164 1869 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 1870 return FAIL;
17c76198 1871 }
9d1c15ef
JH
1872 DEBUG(D_tls)
1873 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 1874 *errstr);
059ec3d9
PH
1875 }
1876
17c76198
PP
1877/* Figure out peer DN, and if authenticated, etc. */
1878
cf0c6164 1879if ((rc = peer_status(state, NULL)) != OK) return rc;
17c76198
PP
1880
1881/* Sets various Exim expansion variables; always safe within server */
1882
9d1c15ef 1883extract_exim_vars_from_tls_state(state);
059ec3d9
PH
1884
1885/* TLS has been set up. Adjust the input functions to read via TLS,
1886and initialize appropriately. */
1887
17c76198 1888state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH
1889
1890receive_getc = tls_getc;
0d81dabc 1891receive_getbuf = tls_getbuf;
584e96c6 1892receive_get_cache = tls_get_cache;
059ec3d9
PH
1893receive_ungetc = tls_ungetc;
1894receive_feof = tls_feof;
1895receive_ferror = tls_ferror;
58eb016e 1896receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 1897
059ec3d9
PH
1898return OK;
1899}
1900
1901
1902
1903
aa2a70ba
JH
1904static void
1905tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
1906 smtp_transport_options_block * ob)
1907{
5130845b 1908if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 1909 {
4af0d74a 1910 state->exp_tls_verify_cert_hostnames =
8c5d388a 1911#ifdef SUPPORT_I18N
4af0d74a
JH
1912 string_domain_utf8_to_alabel(host->name, NULL);
1913#else
1914 host->name;
1915#endif
aa2a70ba
JH
1916 DEBUG(D_tls)
1917 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
1918 state->exp_tls_verify_cert_hostnames);
1919 }
1920}
aa2a70ba
JH
1921
1922
059ec3d9
PH
1923/*************************************************
1924* Start a TLS session in a client *
1925*************************************************/
1926
1927/* Called from the smtp transport after STARTTLS has been accepted.
1928
1929Arguments:
1930 fd the fd of the connection
1931 host connected host (for messages)
83da1223 1932 addr the first address (not used)
a7538db1 1933 tb transport (always smtp)
059ec3d9 1934
cf0c6164
JH
1935 errstr error string pointer
1936
059ec3d9
PH
1937Returns: OK/DEFER/FAIL (because using common functions),
1938 but for a client, DEFER and FAIL have the same meaning
1939*/
1940
1941int
17c76198 1942tls_client_start(int fd, host_item *host,
f5d78688 1943 address_item *addr ARG_UNUSED,
cf0c6164 1944 transport_instance * tb,
0e66b3b6 1945#ifdef EXPERIMENTAL_DANE
cf0c6164 1946 dns_answer * tlsa_dnsa ARG_UNUSED,
0e66b3b6 1947#endif
cf0c6164 1948 uschar ** errstr)
059ec3d9 1949{
a7538db1
JH
1950smtp_transport_options_block *ob =
1951 (smtp_transport_options_block *)tb->options_block;
059ec3d9 1952int rc;
17c76198 1953exim_gnutls_state_st *state = NULL;
f2de3a33 1954#ifndef DISABLE_OCSP
5130845b
JH
1955BOOL require_ocsp =
1956 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
44662487 1957BOOL request_ocsp = require_ocsp ? TRUE
5130845b 1958 : verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2b4a568d 1959#endif
059ec3d9 1960
17c76198 1961DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
059ec3d9 1962
65867078
JH
1963if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
1964 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
cf0c6164 1965 ob->tls_require_ciphers, &state, errstr)) != OK)
2b4a568d 1966 return rc;
059ec3d9 1967
54c90be1 1968 {
65867078
JH
1969 int dh_min_bits = ob->tls_dh_min_bits;
1970 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
1971 {
1972 DEBUG(D_tls)
1973 debug_printf("WARNING: tls_dh_min_bits far too low,"
1974 " clamping %d up to %d\n",
1975 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
1976 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
1977 }
54c90be1 1978
65867078
JH
1979 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
1980 " acceptable bits to %d\n",
1981 dh_min_bits);
1982 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
1983 }
83da1223 1984
94431adb 1985/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH
1986set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
1987the specified host patterns if one of them is defined */
1988
aa2a70ba
JH
1989if ( ( state->exp_tls_verify_certificates
1990 && !ob->tls_verify_hosts
610ff438 1991 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
aa2a70ba 1992 )
5130845b 1993 || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
2b4a568d 1994 )
17c76198 1995 {
aa2a70ba 1996 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH
1997 DEBUG(D_tls)
1998 debug_printf("TLS: server certificate verification required.\n");
1999 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB
2000 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2001 }
5130845b 2002else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
52f93eed 2003 {
aa2a70ba 2004 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH
2005 DEBUG(D_tls)
2006 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2007 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP
2008 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2009 }
2010else
2011 {
e51c7be2
JH
2012 DEBUG(D_tls)
2013 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB
2014 state->verify_requirement = VERIFY_NONE;
2015 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2016 }
059ec3d9 2017
f2de3a33
JH
2018#ifndef DISABLE_OCSP
2019 /* supported since GnuTLS 3.1.3 */
44662487 2020if (request_ocsp)
9d1c15ef
JH
2021 {
2022 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH
2023 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2024 NULL, 0, NULL)) != OK)
9d1c15ef 2025 return tls_error(US"cert-status-req",
cf0c6164 2026 gnutls_strerror(rc), state->host, errstr);
44662487 2027 tls_out.ocsp = OCSP_NOT_RESP;
9d1c15ef 2028 }
2b4a568d
JH
2029#endif
2030
0cbf2b82 2031#ifndef DISABLE_EVENT
774ef2d7 2032if (tb->event_action)
a7538db1 2033 {
774ef2d7 2034 state->event_action = tb->event_action;
a7538db1 2035 gnutls_session_set_ptr(state->session, state);
723fe533 2036 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH
2037 }
2038#endif
2039
27f19eb4 2040gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) fd);
17c76198
PP
2041state->fd_in = fd;
2042state->fd_out = fd;
059ec3d9 2043
9d1c15ef 2044DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH
2045/* There doesn't seem to be a built-in timeout on connection. */
2046
2047sigalrm_seen = FALSE;
65867078 2048alarm(ob->command_timeout);
17c76198
PP
2049do
2050 {
2051 rc = gnutls_handshake(state->session);
619b2b25
PP
2052 } while ((rc == GNUTLS_E_AGAIN) ||
2053 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
059ec3d9
PH
2054alarm(0);
2055
4fe99a6c 2056if (rc != GNUTLS_E_SUCCESS)
60d10ce7
JH
2057 if (sigalrm_seen)
2058 {
2059 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
cf0c6164 2060 return tls_error(US"gnutls_handshake", "timed out", state->host, errstr);
60d10ce7
JH
2061 }
2062 else
cf0c6164 2063 return tls_error(US"gnutls_handshake", gnutls_strerror(rc), state->host, errstr);
4fe99a6c 2064
17c76198 2065DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
059ec3d9 2066
17c76198 2067/* Verify late */
059ec3d9 2068
17c76198 2069if (state->verify_requirement != VERIFY_NONE &&
cf0c6164
JH
2070 !verify_certificate(state, errstr))
2071 return tls_error(US"certificate verification failed", *errstr, state->host, errstr);
059ec3d9 2072
f2de3a33 2073#ifndef DISABLE_OCSP
2b4a568d
JH
2074if (require_ocsp)
2075 {
2076 DEBUG(D_tls)
2077 {
2078 gnutls_datum_t stapling;
2079 gnutls_ocsp_resp_t resp;
2080 gnutls_datum_t printed;
2081 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
2082 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
2083 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2084 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
2085 )
2086 {
65867078 2087 debug_printf("%.4096s", printed.data);
2b4a568d
JH
2088 gnutls_free(printed.data);
2089 }
2090 else
cf0c6164 2091 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host, errstr);
2b4a568d
JH
2092 }
2093
2b4a568d 2094 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2
JH
2095 {
2096 tls_out.ocsp = OCSP_FAILED;
cf0c6164 2097 return tls_error(US"certificate status check failed", NULL, state->host, errstr);
018058b2 2098 }
2b4a568d 2099 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
44662487 2100 tls_out.ocsp = OCSP_VFIED;
2b4a568d
JH
2101 }
2102#endif
2103
17c76198 2104/* Figure out peer DN, and if authenticated, etc. */
059ec3d9 2105
cf0c6164 2106if ((rc = peer_status(state, errstr)) != OK)
2b4a568d 2107 return rc;
059ec3d9 2108
4fe99a6c 2109/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 2110
9d1c15ef 2111extract_exim_vars_from_tls_state(state);
059ec3d9 2112
059ec3d9
PH
2113return OK;
2114}
2115
2116
2117
17c76198 2118
059ec3d9 2119/*************************************************
17c76198 2120* Close down a TLS session *
059ec3d9
PH
2121*************************************************/
2122
17c76198
PP
2123/* This is also called from within a delivery subprocess forked from the
2124daemon, to shut down the TLS library, without actually doing a shutdown (which
2125would tamper with the TLS session in the parent process).
059ec3d9 2126
17c76198
PP
2127Arguments: TRUE if gnutls_bye is to be called
2128Returns: nothing
059ec3d9
PH
2129*/
2130
17c76198 2131void
817d9f57 2132tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 2133{
817d9f57 2134exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
059ec3d9 2135
389ca47a 2136if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
17c76198
PP
2137
2138if (shutdown)
2139 {
f5723109 2140 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
17c76198
PP
2141 gnutls_bye(state->session, GNUTLS_SHUT_WR);
2142 }
2143
2144gnutls_deinit(state->session);
ed62aae3
HSHR
2145gnutls_certificate_free_credentials(state->x509_cred);
2146
17c76198 2147
389ca47a 2148state->tlsp->active = -1;
17c76198
PP
2149memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
2150
2151if ((state_server.session == NULL) && (state_client.session == NULL))
2152 {
2153 gnutls_global_deinit();
2154 exim_gnutls_base_init_done = FALSE;
2155 }
059ec3d9
PH
2156}
2157
2158
2159
17c76198 2160
0d81dabc
JH
2161static BOOL
2162tls_refill(unsigned lim)
2163{
2164exim_gnutls_state_st * state = &state_server;
2165ssize_t inbytes;
2166
2167DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2168 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
2169
2170if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2171inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
2172 MIN(ssl_xfer_buffer_size, lim));
2173alarm(0);
2174
2175/* Timeouts do not get this far; see command_timeout_handler().
2176 A zero-byte return appears to mean that the TLS session has been
2177 closed down, not that the socket itself has been closed down. Revert to
2178 non-TLS handling. */
2179
2180if (sigalrm_seen)
2181 {
2182 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
2183 state->xfer_error = 1;
2184 return FALSE;
2185 }
2186
2187else if (inbytes == 0)
2188 {
2189 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2190
2191 receive_getc = smtp_getc;
2192 receive_getbuf = smtp_getbuf;
2193 receive_get_cache = smtp_get_cache;
2194 receive_ungetc = smtp_ungetc;
2195 receive_feof = smtp_feof;
2196 receive_ferror = smtp_ferror;
2197 receive_smtp_buffered = smtp_buffered;
2198
2199 gnutls_deinit(state->session);
2200 gnutls_certificate_free_credentials(state->x509_cred);
2201
2202 state->session = NULL;
2203 state->tlsp->active = -1;
2204 state->tlsp->bits = 0;
2205 state->tlsp->certificate_verified = FALSE;
2206 tls_channelbinding_b64 = NULL;
2207 state->tlsp->cipher = NULL;
2208 state->tlsp->peercert = NULL;
2209 state->tlsp->peerdn = NULL;
2210
2211 return FALSE;
2212 }
2213
2214/* Handle genuine errors */
2215
2216else if (inbytes < 0)
2217 {
2218 record_io_error(state, (int) inbytes, US"recv", NULL);
2219 state->xfer_error = 1;
2220 return FALSE;
2221 }
2222#ifndef DISABLE_DKIM
2223dkim_exim_verify_feed(state->xfer_buffer, inbytes);
2224#endif
2225state->xfer_buffer_hwm = (int) inbytes;
2226state->xfer_buffer_lwm = 0;
2227return TRUE;
2228}
2229
059ec3d9
PH
2230/*************************************************
2231* TLS version of getc *
2232*************************************************/
2233
2234/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2235it refills the buffer via the GnuTLS reading function.
817d9f57 2236Only used by the server-side TLS.
059ec3d9 2237
17c76198
PP
2238This feeds DKIM and should be used for all message-body reads.
2239
bd8fbe36 2240Arguments: lim Maximum amount to read/bufffer
059ec3d9
PH
2241Returns: the next character or EOF
2242*/
2243
2244int
bd8fbe36 2245tls_getc(unsigned lim)
059ec3d9 2246{
0d81dabc 2247exim_gnutls_state_st * state = &state_server;
059ec3d9 2248
0d81dabc
JH
2249if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2250 if (!tls_refill(lim))
2251 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 2252
0d81dabc 2253/* Something in the buffer; return next uschar */
059ec3d9 2254
0d81dabc
JH
2255return state->xfer_buffer[state->xfer_buffer_lwm++];
2256}
059ec3d9 2257
0d81dabc
JH
2258uschar *
2259tls_getbuf(unsigned * len)
2260{
2261exim_gnutls_state_st * state = &state_server;
2262unsigned size;
2263uschar * buf;
059ec3d9 2264
0d81dabc
JH
2265if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2266 if (!tls_refill(*len))
059ec3d9 2267 {
0d81dabc
JH
2268 if (!state->xfer_error) return smtp_getbuf(len);
2269 *len = 0;
2270 return NULL;
059ec3d9 2271 }
059ec3d9 2272
0d81dabc
JH
2273if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
2274 size = *len;
2275buf = &state->xfer_buffer[state->xfer_buffer_lwm];
2276state->xfer_buffer_lwm += size;
2277*len = size;
2278return buf;
059ec3d9
PH
2279}
2280
0d81dabc 2281
584e96c6
JH
2282void
2283tls_get_cache()
2284{
9960d1e5 2285#ifndef DISABLE_DKIM
584e96c6
JH
2286exim_gnutls_state_st * state = &state_server;
2287int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
2288if (n > 0)
2289 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 2290#endif
9960d1e5 2291}
584e96c6 2292
059ec3d9 2293
925ac8e4
JH
2294BOOL
2295tls_could_read(void)
2296{
2297return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
2298 || gnutls_record_check_pending(state_server.session) > 0;
2299}
2300
2301
059ec3d9 2302
17c76198 2303
059ec3d9
PH
2304/*************************************************
2305* Read bytes from TLS channel *
2306*************************************************/
2307
17c76198
PP
2308/* This does not feed DKIM, so if the caller uses this for reading message body,
2309then the caller must feed DKIM.
817d9f57 2310
059ec3d9
PH
2311Arguments:
2312 buff buffer of data
2313 len size of buffer
2314
2315Returns: the number of bytes read
2316 -1 after a failed read
2317*/
2318
2319int
817d9f57 2320tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 2321{
817d9f57 2322exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
17c76198 2323ssize_t inbytes;
059ec3d9 2324
17c76198
PP
2325if (len > INT_MAX)
2326 len = INT_MAX;
059ec3d9 2327
17c76198
PP
2328if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
2329 DEBUG(D_tls)
2330 debug_printf("*** PROBABLY A BUG *** " \
2331 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
2332 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
2333
2334DEBUG(D_tls)
2335 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
2336 state->session, buff, len);
2337
2338inbytes = gnutls_record_recv(state->session, buff, len);
059ec3d9
PH
2339if (inbytes > 0) return inbytes;
2340if (inbytes == 0)
2341 {
2342 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2343 }
17c76198 2344else record_io_error(state, (int)inbytes, US"recv", NULL);
059ec3d9
PH
2345
2346return -1;
2347}
2348
2349
2350
17c76198 2351
059ec3d9
PH
2352/*************************************************
2353* Write bytes down TLS channel *
2354*************************************************/
2355
2356/*
2357Arguments:
817d9f57 2358 is_server channel specifier
059ec3d9
PH
2359 buff buffer of data
2360 len number of bytes
925ac8e4 2361 more more data expected soon
059ec3d9
PH
2362
2363Returns: the number of bytes after a successful write,
2364 -1 after a failed write
2365*/
2366
2367int
925ac8e4 2368tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
059ec3d9 2369{
17c76198
PP
2370ssize_t outbytes;
2371size_t left = len;
817d9f57 2372exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
925ac8e4
JH
2373#ifdef SUPPORT_CORK
2374static BOOL corked = FALSE;
2375
2376if (more && !corked) gnutls_record_cork(state->session);
2377#endif
2378
2379DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
2380 buff, left, more ? ", more" : "");
059ec3d9 2381
059ec3d9
PH
2382while (left > 0)
2383 {
17c76198
PP
2384 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
2385 buff, left);
2386 outbytes = gnutls_record_send(state->session, buff, left);
059ec3d9 2387
17c76198 2388 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH
2389 if (outbytes < 0)
2390 {
17c76198 2391 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH
2392 return -1;
2393 }
2394 if (outbytes == 0)
2395 {
17c76198 2396 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH
2397 return -1;
2398 }
2399
2400 left -= outbytes;
2401 buff += outbytes;
2402 }
2403
17c76198
PP
2404if (len > INT_MAX)
2405 {
2406 DEBUG(D_tls)
2407 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
2408 len);
2409 len = INT_MAX;
2410 }
2411
925ac8e4
JH
2412#ifdef SUPPORT_CORK
2413if (more != corked)
2414 {
2415 if (!more) (void) gnutls_record_uncork(state->session, 0);
2416 corked = more;
2417 }
2418#endif
2419
17c76198 2420return (int) len;
059ec3d9
PH
2421}
2422
2423
2424
17c76198 2425
059ec3d9 2426/*************************************************
17c76198 2427* Random number generation *
059ec3d9
PH
2428*************************************************/
2429
17c76198
PP
2430/* Pseudo-random number generation. The result is not expected to be
2431cryptographically strong but not so weak that someone will shoot themselves
2432in the foot using it as a nonce in input in some email header scheme or
2433whatever weirdness they'll twist this into. The result should handle fork()
2434and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 2435
17c76198
PP
2436Arguments:
2437 max range maximum
2438Returns a random number in range [0, max-1]
059ec3d9
PH
2439*/
2440
af3498d6 2441#ifdef HAVE_GNUTLS_RND
17c76198
PP
2442int
2443vaguely_random_number(int max)
059ec3d9 2444{
17c76198
PP
2445unsigned int r;
2446int i, needed_len;
2447uschar *p;
2448uschar smallbuf[sizeof(r)];
2449
2450if (max <= 1)
2451 return 0;
2452
2453needed_len = sizeof(r);
2454/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2455 * asked for a number less than 10. */
2456for (r = max, i = 0; r; ++i)
2457 r >>= 1;
2458i = (i + 7) / 8;
2459if (i < needed_len)
2460 needed_len = i;
2461
2462i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2463if (i < 0)
059ec3d9 2464 {
17c76198
PP
2465 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2466 return vaguely_random_number_fallback(max);
2467 }
2468r = 0;
2469for (p = smallbuf; needed_len; --needed_len, ++p)
2470 {
2471 r *= 256;
2472 r += *p;
059ec3d9
PH
2473 }
2474
17c76198
PP
2475/* We don't particularly care about weighted results; if someone wants
2476 * smooth distribution and cares enough then they should submit a patch then. */
2477return r % max;
059ec3d9 2478}
af3498d6
PP
2479#else /* HAVE_GNUTLS_RND */
2480int
2481vaguely_random_number(int max)
2482{
2483 return vaguely_random_number_fallback(max);
2484}
2485#endif /* HAVE_GNUTLS_RND */
059ec3d9 2486
36f12725
NM
2487
2488
2489
2490/*************************************************
3375e053
PP
2491* Let tls_require_ciphers be checked at startup *
2492*************************************************/
2493
2494/* The tls_require_ciphers option, if set, must be something which the
2495library can parse.
2496
2497Returns: NULL on success, or error message
2498*/
2499
2500uschar *
2501tls_validate_require_cipher(void)
2502{
2503int rc;
2504uschar *expciphers = NULL;
2505gnutls_priority_t priority_cache;
2506const char *errpos;
cf0c6164 2507uschar * dummy_errstr;
3375e053
PP
2508
2509#define validate_check_rc(Label) do { \
2510 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2511 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2512#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2513
2514if (exim_gnutls_base_init_done)
2515 log_write(0, LOG_MAIN|LOG_PANIC,
2516 "already initialised GnuTLS, Exim developer bug");
2517
a5f239e4 2518#ifdef HAVE_GNUTLS_PKCS11
2519e60d 2519if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP
2520 {
2521 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2522 validate_check_rc(US"gnutls_pkcs11_init");
2523 }
2524#endif
3375e053
PP
2525rc = gnutls_global_init();
2526validate_check_rc(US"gnutls_global_init()");
2527exim_gnutls_base_init_done = TRUE;
2528
2529if (!(tls_require_ciphers && *tls_require_ciphers))
2530 return_deinit(NULL);
2531
cf0c6164
JH
2532if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2533 &dummy_errstr))
3375e053
PP
2534 return_deinit(US"failed to expand tls_require_ciphers");
2535
2536if (!(expciphers && *expciphers))
2537 return_deinit(NULL);
2538
2539DEBUG(D_tls)
2540 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2541
2542rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2543validate_check_rc(string_sprintf(
2544 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2545 expciphers, errpos - CS expciphers, errpos));
2546
2547#undef return_deinit
2548#undef validate_check_rc
2549gnutls_global_deinit();
2550
2551return NULL;
2552}
2553
2554
2555
2556
2557/*************************************************
36f12725
NM
2558* Report the library versions. *
2559*************************************************/
2560
2561/* See a description in tls-openssl.c for an explanation of why this exists.
2562
2563Arguments: a FILE* to print the results to
2564Returns: nothing
2565*/
2566
2567void
2568tls_version_report(FILE *f)
2569{
754a0503
PP
2570fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2571 " Runtime: %s\n",
2572 LIBGNUTLS_VERSION,
2573 gnutls_check_version(NULL));
36f12725
NM
2574}
2575
2b4a568d
JH
2576/* vi: aw ai sw=2
2577*/
059ec3d9 2578/* End of tls-gnu.c */