Delivery: quieten smtp transport conn reuse vs. delivery race. Bug 1810
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
3386088d 5/* Copyright (c) University of Cambridge 1995 - 2015 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP
10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP
14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
16Mavroyanopoulos. The revamp is partially a rewrite, partially cut&paste as
17appropriate.
059ec3d9 18
17c76198
PP
19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP
24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP
27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP
32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP
37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
a5f239e4
PP
42/* needed to disable PKCS11 autoload unless requested */
43#if GNUTLS_VERSION_NUMBER >= 0x020c00
44# include <gnutls/pkcs11.h>
45#endif
7e07527a
JH
46#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
47# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
48# define DISABLE_OCSP
49#endif
0cbf2b82 50#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 51# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 52# define DISABLE_EVENT
a7538db1 53#endif
a7fec7a7
JH
54#if GNUTLS_VERSION_NUMBER >= 0x030306
55# define SUPPORT_CA_DIR
56#else
57# undef SUPPORT_CA_DIR
58#endif
11a04b5a 59#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH
60# define SUPPORT_SYSDEFAULT_CABUNDLE
61#endif
7e07527a 62
f2de3a33 63#ifndef DISABLE_OCSP
2b4a568d
JH
64# include <gnutls/ocsp.h>
65#endif
059ec3d9 66
17c76198 67/* GnuTLS 2 vs 3
059ec3d9 68
17c76198
PP
69GnuTLS 3 only:
70 gnutls_global_set_audit_log_function()
059ec3d9 71
17c76198
PP
72Changes:
73 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
74*/
059ec3d9 75
17c76198 76/* Local static variables for GnuTLS */
059ec3d9 77
17c76198 78/* Values for verify_requirement */
059ec3d9 79
e51c7be2 80enum peer_verify_requirement
aa2a70ba 81 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
059ec3d9 82
17c76198
PP
83/* This holds most state for server or client; with this, we can set up an
84outbound TLS-enabled connection in an ACL callout, while not stomping all
85over the TLS variables available for expansion.
059ec3d9 86
17c76198
PP
87Some of these correspond to variables in globals.c; those variables will
88be set to point to content in one of these instances, as appropriate for
89the stage of the process lifetime.
059ec3d9 90
389ca47a 91Not handled here: global tls_channelbinding_b64.
17c76198 92*/
059ec3d9 93
17c76198 94typedef struct exim_gnutls_state {
9d1c15ef 95 gnutls_session_t session;
17c76198 96 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 97 gnutls_priority_t priority_cache;
17c76198 98 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH
99 int fd_in;
100 int fd_out;
101 BOOL peer_cert_verified;
102 BOOL trigger_sni_changes;
103 BOOL have_set_peerdn;
17c76198 104 const struct host_item *host;
9d1c15ef
JH
105 gnutls_x509_crt_t peercert;
106 uschar *peerdn;
107 uschar *ciphersuite;
108 uschar *received_sni;
17c76198
PP
109
110 const uschar *tls_certificate;
111 const uschar *tls_privatekey;
112 const uschar *tls_sni; /* client send only, not received */
113 const uschar *tls_verify_certificates;
114 const uschar *tls_crl;
115 const uschar *tls_require_ciphers;
e51c7be2 116
17c76198
PP
117 uschar *exp_tls_certificate;
118 uschar *exp_tls_privatekey;
17c76198
PP
119 uschar *exp_tls_verify_certificates;
120 uschar *exp_tls_crl;
121 uschar *exp_tls_require_ciphers;
44662487 122 uschar *exp_tls_ocsp_file;
55414b25 123 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 124#ifndef DISABLE_EVENT
a7538db1
JH
125 uschar *event_action;
126#endif
17c76198 127
389ca47a 128 tls_support *tlsp; /* set in tls_init() */
817d9f57 129
17c76198
PP
130 uschar *xfer_buffer;
131 int xfer_buffer_lwm;
132 int xfer_buffer_hwm;
133 int xfer_eof;
134 int xfer_error;
17c76198
PP
135} exim_gnutls_state_st;
136
137static const exim_gnutls_state_st exim_gnutls_state_init = {
4fe99a6c 138 NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
75fe387d 139 NULL, NULL, NULL, NULL,
17c76198 140 NULL, NULL, NULL, NULL, NULL, NULL,
44662487 141 NULL, NULL, NULL, NULL, NULL, NULL, NULL,
01a4a5c5 142 NULL,
0cbf2b82 143#ifndef DISABLE_EVENT
a7538db1
JH
144 NULL,
145#endif
817d9f57 146 NULL,
17c76198 147 NULL, 0, 0, 0, 0,
17c76198 148};
83da1223 149
17c76198
PP
150/* Not only do we have our own APIs which don't pass around state, assuming
151it's held in globals, GnuTLS doesn't appear to let us register callback data
152for callbacks, or as part of the session, so we have to keep a "this is the
153context we're currently dealing with" pointer and rely upon being
154single-threaded to keep from processing data on an inbound TLS connection while
155talking to another TLS connection for an outbound check. This does mean that
156there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH
157second connection.
158XXX But see gnutls_session_get_ptr()
159*/
059ec3d9 160
17c76198 161static exim_gnutls_state_st state_server, state_client;
059ec3d9 162
17c76198
PP
163/* dh_params are initialised once within the lifetime of a process using TLS;
164if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
165don't want to repeat this. */
83da1223 166
17c76198 167static gnutls_dh_params_t dh_server_params = NULL;
059ec3d9 168
17c76198 169/* No idea how this value was chosen; preserving it. Default is 3600. */
059ec3d9 170
17c76198 171static const int ssl_session_timeout = 200;
059ec3d9 172
17c76198 173static const char * const exim_default_gnutls_priority = "NORMAL";
83da1223 174
17c76198 175/* Guard library core initialisation */
83da1223 176
17c76198 177static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 178
4fb7df6d 179#ifndef DISABLE_OCSP
9196d5bf 180static BOOL gnutls_buggy_ocsp = FALSE;
4fb7df6d 181#endif
9196d5bf 182
059ec3d9 183
17c76198 184/* ------------------------------------------------------------------------ */
17c76198 185/* macros */
83da1223 186
17c76198 187#define MAX_HOST_LEN 255
83da1223 188
17c76198
PP
189/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
190the library logging; a value less than 0 disables the calls to set up logging
191callbacks. */
2c17bb02 192#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
a7538db1 193# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 194#endif
83da1223 195
2c17bb02 196#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 197# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 198#endif
83da1223 199
af3498d6
PP
200/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
201can ask for a bit-strength. Without that, we stick to the constant we had
202before, for now. */
2c17bb02 203#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 204# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 205#endif
af3498d6 206
17c76198
PP
207#define exim_gnutls_err_check(Label) do { \
208 if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)
059ec3d9 209
17c76198 210#define expand_check_tlsvar(Varname) expand_check(state->Varname, US #Varname, &state->exp_##Varname)
83da1223 211
17c76198 212#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH
213# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
214# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
215# define HAVE_GNUTLS_RND
2519e60d
TL
216/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
217 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
218 * isn't available sometimes, so this needs to become a conditional
219 * compilation; the sanest way to deal with this being a problem on
220 * older OSes is to block it in the Local/Makefile with this compiler
221 * definition */
e51c7be2
JH
222# ifndef AVOID_GNUTLS_PKCS11
223# define HAVE_GNUTLS_PKCS11
224# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 225#endif
83da1223 226
af3498d6
PP
227
228
229
230/* ------------------------------------------------------------------------ */
231/* Callback declarations */
232
233#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
234static void exim_gnutls_logger_cb(int level, const char *message);
235#endif
236
237static int exim_sni_handling_cb(gnutls_session_t session);
238
f2de3a33 239#ifndef DISABLE_OCSP
44662487
JH
240static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
241 gnutls_datum_t * ocsp_response);
242#endif
af3498d6
PP
243
244
245
17c76198
PP
246/* ------------------------------------------------------------------------ */
247/* Static functions */
059ec3d9
PH
248
249/*************************************************
250* Handle TLS error *
251*************************************************/
252
253/* Called from lots of places when errors occur before actually starting to do
254the TLS handshake, that is, while the session is still in clear. Always returns
255DEFER for a server and FAIL for a client so that most calls can use "return
256tls_error(...)" to do this processing and then give an appropriate return. A
257single function is used for both server and client, because it is called from
258some shared functions.
259
260Argument:
261 prefix text to include in the logged error
7199e1ee
TF
262 msg additional error string (may be NULL)
263 usually obtained from gnutls_strerror()
17c76198
PP
264 host NULL if setting up a server;
265 the connected host if setting up a client
059ec3d9
PH
266
267Returns: OK/DEFER/FAIL
268*/
269
270static int
17c76198 271tls_error(const uschar *prefix, const char *msg, const host_item *host)
059ec3d9 272{
17c76198
PP
273if (host)
274 {
c562fd30 275 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s)%s%s",
17c76198
PP
276 host->name, host->address, prefix, msg ? ": " : "", msg ? msg : "");
277 return FAIL;
278 }
279else
059ec3d9 280 {
7199e1ee 281 uschar *conn_info = smtp_get_connection_info();
17c76198 282 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee 283 conn_info += 5;
c562fd30 284 /* I'd like to get separated H= here, but too hard for now */
7199e1ee 285 log_write(0, LOG_MAIN, "TLS error on %s (%s)%s%s",
17c76198 286 conn_info, prefix, msg ? ": " : "", msg ? msg : "");
059ec3d9
PH
287 return DEFER;
288 }
059ec3d9
PH
289}
290
291
292
17c76198 293
059ec3d9 294/*************************************************
17c76198 295* Deal with logging errors during I/O *
059ec3d9
PH
296*************************************************/
297
17c76198 298/* We have to get the identity of the peer from saved data.
059ec3d9 299
17c76198
PP
300Argument:
301 state the current GnuTLS exim state container
302 rc the GnuTLS error code, or 0 if it's a local error
303 when text identifying read or write
304 text local error text when ec is 0
059ec3d9 305
17c76198 306Returns: nothing
059ec3d9
PH
307*/
308
17c76198
PP
309static void
310record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 311{
17c76198 312const char *msg;
059ec3d9 313
17c76198
PP
314if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
315 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
316 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
317else
318 msg = gnutls_strerror(rc);
059ec3d9 319
17c76198
PP
320tls_error(when, msg, state->host);
321}
059ec3d9 322
059ec3d9 323
059ec3d9 324
059ec3d9 325
17c76198
PP
326/*************************************************
327* Set various Exim expansion vars *
328*************************************************/
059ec3d9 329
e51c7be2
JH
330#define exim_gnutls_cert_err(Label) \
331 do \
332 { \
333 if (rc != GNUTLS_E_SUCCESS) \
334 { \
335 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
336 (Label), gnutls_strerror(rc)); \
337 return rc; \
338 } \
339 } while (0)
9d1c15ef
JH
340
341static int
27f19eb4 342import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH
343{
344int rc;
345
346rc = gnutls_x509_crt_init(crtp);
347exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
348
349rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
350exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
351
352return rc;
353}
354
355#undef exim_gnutls_cert_err
356
357
17c76198
PP
358/* We set various Exim global variables from the state, once a session has
359been established. With TLS callouts, may need to change this to stack
360variables, or just re-call it with the server state after client callout
361has finished.
059ec3d9 362
9d1c15ef 363Make sure anything set here is unset in tls_getc().
17c76198
PP
364
365Sets:
366 tls_active fd
367 tls_bits strength indicator
368 tls_certificate_verified bool indicator
369 tls_channelbinding_b64 for some SASL mechanisms
370 tls_cipher a string
9d1c15ef 371 tls_peercert pointer to library internal
17c76198
PP
372 tls_peerdn a string
373 tls_sni a (UTF-8) string
9d1c15ef 374 tls_ourcert pointer to library internal
17c76198
PP
375
376Argument:
377 state the relevant exim_gnutls_state_st *
378*/
379
380static void
9d1c15ef 381extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 382{
17c76198 383gnutls_cipher_algorithm_t cipher;
17c76198
PP
384#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
385int old_pool;
386int rc;
387gnutls_datum_t channel;
388#endif
9d1c15ef 389tls_support * tlsp = state->tlsp;
17c76198 390
9d1c15ef 391tlsp->active = state->fd_out;
17c76198
PP
392
393cipher = gnutls_cipher_get(state->session);
394/* returns size in "bytes" */
9d1c15ef 395tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
17c76198 396
9d1c15ef 397tlsp->cipher = state->ciphersuite;
17c76198 398
817d9f57 399DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 400
9d1c15ef 401tlsp->certificate_verified = state->peer_cert_verified;
059ec3d9 402
17c76198
PP
403/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
404only available for use for authenticators while this TLS session is running. */
405
406tls_channelbinding_b64 = NULL;
407#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
408channel.data = NULL;
409channel.size = 0;
410rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
411if (rc) {
412 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
413} else {
414 old_pool = store_pool;
415 store_pool = POOL_PERM;
f4d091fb 416 tls_channelbinding_b64 = b64encode(channel.data, (int)channel.size);
17c76198
PP
417 store_pool = old_pool;
418 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
419}
420#endif
421
9d1c15ef
JH
422/* peercert is set in peer_status() */
423tlsp->peerdn = state->peerdn;
424tlsp->sni = state->received_sni;
425
426/* record our certificate */
427 {
27f19eb4 428 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH
429 gnutls_x509_crt_t crt;
430
431 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
432 }
059ec3d9
PH
433}
434
435
436
17c76198 437
059ec3d9 438/*************************************************
575643cd 439* Setup up DH parameters *
059ec3d9
PH
440*************************************************/
441
575643cd 442/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH
443be re-generated every so often, depending on security policy. What we do is to
444keep these parameters in a file in the spool directory. If the file does not
445exist, we generate them. This means that it is easy to cause a regeneration.
446
447The new file is written as a temporary file and renamed, so that an incomplete
448file is never present. If two processes both compute some new parameters, you
449waste a bit of effort, but it doesn't seem worth messing around with locking to
450prevent this.
451
059ec3d9
PH
452Returns: OK/DEFER/FAIL
453*/
454
455static int
17c76198 456init_server_dh(void)
059ec3d9 457{
17c76198
PP
458int fd, rc;
459unsigned int dh_bits;
27f19eb4 460gnutls_datum_t m;
a799883d
PP
461uschar filename_buf[PATH_MAX];
462uschar *filename = NULL;
17c76198 463size_t sz;
a799883d
PP
464uschar *exp_tls_dhparam;
465BOOL use_file_in_spool = FALSE;
466BOOL use_fixed_file = FALSE;
17c76198 467host_item *host = NULL; /* dummy for macros */
059ec3d9 468
17c76198 469DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 470
17c76198
PP
471rc = gnutls_dh_params_init(&dh_server_params);
472exim_gnutls_err_check(US"gnutls_dh_params_init");
059ec3d9 473
a799883d
PP
474m.data = NULL;
475m.size = 0;
476
477if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam))
478 return DEFER;
479
480if (!exp_tls_dhparam)
481 {
482 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
483 m.data = US std_dh_prime_default();
484 m.size = Ustrlen(m.data);
485 }
486else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
487 use_file_in_spool = TRUE;
488else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
489 {
490 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
491 return OK;
492 }
493else if (exp_tls_dhparam[0] != '/')
494 {
495 m.data = US std_dh_prime_named(exp_tls_dhparam);
496 if (m.data == NULL)
497 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL);
498 m.size = Ustrlen(m.data);
499 }
500else
501 {
502 use_fixed_file = TRUE;
503 filename = exp_tls_dhparam;
504 }
505
506if (m.data)
507 {
508 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
509 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
510 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
511 return OK;
512 }
513
af3498d6
PP
514#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
515/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198
PP
516different filename and ensure we have sufficient bits. */
517dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
518if (!dh_bits)
519 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL);
af3498d6 520DEBUG(D_tls)
b34fc30c 521 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP
522 dh_bits);
523#else
524dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
525DEBUG(D_tls)
526 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
527 dh_bits);
528#endif
059ec3d9 529
3375e053
PP
530/* Some clients have hard-coded limits. */
531if (dh_bits > tls_dh_max_bits)
532 {
533 DEBUG(D_tls)
534 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
535 tls_dh_max_bits);
536 dh_bits = tls_dh_max_bits;
537 }
538
a799883d
PP
539if (use_file_in_spool)
540 {
541 if (!string_format(filename_buf, sizeof(filename_buf),
542 "%s/gnutls-params-%d", spool_directory, dh_bits))
543 return tls_error(US"overlong filename", NULL, NULL);
544 filename = filename_buf;
545 }
059ec3d9 546
b5aea5e1 547/* Open the cache file for reading and if successful, read it and set up the
575643cd 548parameters. */
059ec3d9
PH
549
550fd = Uopen(filename, O_RDONLY, 0);
b5aea5e1 551if (fd >= 0)
059ec3d9 552 {
b5aea5e1 553 struct stat statbuf;
17c76198
PP
554 FILE *fp;
555 int saved_errno;
556
557 if (fstat(fd, &statbuf) < 0) /* EIO */
558 {
559 saved_errno = errno;
560 (void)close(fd);
561 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL);
562 }
563 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH
564 {
565 (void)close(fd);
17c76198
PP
566 return tls_error(US"TLS cache not a file", NULL, NULL);
567 }
568 fp = fdopen(fd, "rb");
569 if (!fp)
570 {
571 saved_errno = errno;
572 (void)close(fd);
573 return tls_error(US"fdopen(TLS cache stat fd) failed",
574 strerror(saved_errno), NULL);
b5aea5e1 575 }
059ec3d9 576
b5aea5e1
PH
577 m.size = statbuf.st_size;
578 m.data = malloc(m.size);
579 if (m.data == NULL)
17c76198
PP
580 {
581 fclose(fp);
582 return tls_error(US"malloc failed", strerror(errno), NULL);
583 }
584 sz = fread(m.data, m.size, 1, fp);
585 if (!sz)
586 {
587 saved_errno = errno;
588 fclose(fp);
589 free(m.data);
590 return tls_error(US"fread failed", strerror(saved_errno), NULL);
591 }
592 fclose(fp);
b5aea5e1 593
17c76198 594 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
b5aea5e1 595 free(m.data);
17c76198
PP
596 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
597 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH
598 }
599
600/* If the file does not exist, fall through to compute new data and cache it.
601If there was any other opening error, it is serious. */
602
182ad5cf
PH
603else if (errno == ENOENT)
604 {
17c76198 605 rc = -1;
182ad5cf 606 DEBUG(D_tls)
17c76198 607 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH
608 }
609else
17c76198
PP
610 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
611 NULL, NULL);
b5aea5e1
PH
612
613/* If ret < 0, either the cache file does not exist, or the data it contains
614is not useful. One particular case of this is when upgrading from an older
615release of Exim in which the data was stored in a different format. We don't
616try to be clever and support both formats; we just regenerate new data in this
617case. */
618
17c76198 619if (rc < 0)
b5aea5e1 620 {
17c76198 621 uschar *temp_fn;
201f5254 622 unsigned int dh_bits_gen = dh_bits;
059ec3d9 623
17c76198
PP
624 if ((PATH_MAX - Ustrlen(filename)) < 10)
625 return tls_error(US"Filename too long to generate replacement",
626 CS filename, NULL);
059ec3d9 627
17c76198
PP
628 temp_fn = string_copy(US "%s.XXXXXXX");
629 fd = mkstemp(CS temp_fn); /* modifies temp_fn */
059ec3d9 630 if (fd < 0)
17c76198 631 return tls_error(US"Unable to open temp file", strerror(errno), NULL);
059ec3d9
PH
632 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
633
201f5254
PP
634 /* GnuTLS overshoots!
635 * If we ask for 2236, we might get 2237 or more.
636 * But there's no way to ask GnuTLS how many bits there really are.
637 * We can ask how many bits were used in a TLS session, but that's it!
638 * The prime itself is hidden behind too much abstraction.
639 * So we ask for less, and proceed on a wing and a prayer.
640 * First attempt, subtracted 3 for 2233 and got 2240.
641 */
cae6e576 642 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP
643 {
644 dh_bits_gen = dh_bits - 10;
645 DEBUG(D_tls)
646 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
647 dh_bits_gen);
648 }
649
650 DEBUG(D_tls)
651 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
652 dh_bits_gen);
653 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
17c76198
PP
654 exim_gnutls_err_check(US"gnutls_dh_params_generate2");
655
656 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
657 and I confirmed that a NULL call to get the size first is how the GnuTLS
658 sample apps handle this. */
659
660 sz = 0;
661 m.data = NULL;
662 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
663 m.data, &sz);
664 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
665 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3(NULL) sizing");
666 m.size = sz;
b5aea5e1
PH
667 m.data = malloc(m.size);
668 if (m.data == NULL)
17c76198 669 return tls_error(US"memory allocation failed", strerror(errno), NULL);
1f00591e 670 /* this will return a size 1 less than the allocation size above */
17c76198 671 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
1f00591e 672 m.data, &sz);
17c76198
PP
673 if (rc != GNUTLS_E_SUCCESS)
674 {
675 free(m.data);
676 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3() real");
677 }
1f00591e 678 m.size = sz; /* shrink by 1, probably */
059ec3d9 679
17c76198
PP
680 sz = write_to_fd_buf(fd, m.data, (size_t) m.size);
681 if (sz != m.size)
682 {
683 free(m.data);
684 return tls_error(US"TLS cache write D-H params failed",
685 strerror(errno), NULL);
686 }
b5aea5e1 687 free(m.data);
17c76198
PP
688 sz = write_to_fd_buf(fd, US"\n", 1);
689 if (sz != 1)
690 return tls_error(US"TLS cache write D-H params final newline failed",
691 strerror(errno), NULL);
692
693 rc = close(fd);
694 if (rc)
695 return tls_error(US"TLS cache write close() failed",
696 strerror(errno), NULL);
059ec3d9 697
17c76198
PP
698 if (Urename(temp_fn, filename) < 0)
699 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
700 temp_fn, filename), strerror(errno), NULL);
059ec3d9 701
17c76198 702 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH
703 }
704
17c76198 705DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH
706return OK;
707}
708
709
710
711
712/*************************************************
17c76198 713* Variables re-expanded post-SNI *
059ec3d9
PH
714*************************************************/
715
17c76198
PP
716/* Called from both server and client code, via tls_init(), and also from
717the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
718
719We can tell the two apart by state->received_sni being non-NULL in callback.
720
721The callback should not call us unless state->trigger_sni_changes is true,
722which we are responsible for setting on the first pass through.
059ec3d9
PH
723
724Arguments:
17c76198 725 state exim_gnutls_state_st *
059ec3d9
PH
726
727Returns: OK/DEFER/FAIL
728*/
729
730static int
17c76198 731tls_expand_session_files(exim_gnutls_state_st *state)
059ec3d9 732{
1365611d 733struct stat statbuf;
059ec3d9 734int rc;
17c76198
PP
735const host_item *host = state->host; /* macro should be reconsidered? */
736uschar *saved_tls_certificate = NULL;
737uschar *saved_tls_privatekey = NULL;
738uschar *saved_tls_verify_certificates = NULL;
739uschar *saved_tls_crl = NULL;
740int cert_count;
741
742/* We check for tls_sni *before* expansion. */
2b4a568d 743if (!host) /* server */
17c76198
PP
744 {
745 if (!state->received_sni)
746 {
d9b2312b
JH
747 if (state->tls_certificate &&
748 (Ustrstr(state->tls_certificate, US"tls_sni") ||
749 Ustrstr(state->tls_certificate, US"tls_in_sni") ||
750 Ustrstr(state->tls_certificate, US"tls_out_sni")
751 ))
17c76198
PP
752 {
753 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
754 state->trigger_sni_changes = TRUE;
755 }
756 }
757 else
758 {
1365611d 759 /* useful for debugging */
17c76198
PP
760 saved_tls_certificate = state->exp_tls_certificate;
761 saved_tls_privatekey = state->exp_tls_privatekey;
762 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
763 saved_tls_crl = state->exp_tls_crl;
764 }
765 }
059ec3d9 766
1365611d
PP
767rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
768exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
769
17c76198
PP
770/* remember: expand_check_tlsvar() is expand_check() but fiddling with
771state members, assuming consistent naming; and expand_check() returns
772false if expansion failed, unless expansion was forced to fail. */
059ec3d9 773
17c76198
PP
774/* check if we at least have a certificate, before doing expensive
775D-H generation. */
059ec3d9 776
17c76198
PP
777if (!expand_check_tlsvar(tls_certificate))
778 return DEFER;
059ec3d9 779
17c76198 780/* certificate is mandatory in server, optional in client */
059ec3d9 781
17c76198
PP
782if ((state->exp_tls_certificate == NULL) ||
783 (*state->exp_tls_certificate == '\0'))
784 {
2b4a568d 785 if (!host)
17c76198
PP
786 return tls_error(US"no TLS server certificate is specified", NULL, NULL);
787 else
788 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
789 }
059ec3d9 790
17c76198 791if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
059ec3d9
PH
792 return DEFER;
793
17c76198
PP
794/* tls_privatekey is optional, defaulting to same file as certificate */
795
796if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
059ec3d9 797 {
17c76198
PP
798 state->tls_privatekey = state->tls_certificate;
799 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 800 }
c91535f3 801
059ec3d9 802
17c76198 803if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH
804 {
805 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP
806 state->exp_tls_certificate, state->exp_tls_privatekey);
807
808 if (state->received_sni)
de365ded 809 {
17c76198
PP
810 if ((Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0) &&
811 (Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0))
812 {
b34fc30c 813 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP
814 }
815 else
816 {
b34fc30c 817 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 818 }
8e669ac1 819 }
059ec3d9 820
1365611d
PP
821 rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
822 CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
823 GNUTLS_X509_FMT_PEM);
824 exim_gnutls_err_check(
825 string_sprintf("cert/key setup: cert=%s key=%s",
826 state->exp_tls_certificate, state->exp_tls_privatekey));
827 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
b34fc30c 828 } /* tls_certificate */
059ec3d9 829
2b4a568d
JH
830
831/* Set the OCSP stapling server info */
832
f2de3a33 833#ifndef DISABLE_OCSP
2b4a568d
JH
834if ( !host /* server */
835 && tls_ocsp_file
836 )
837 {
9196d5bf
JH
838 if (gnutls_buggy_ocsp)
839 {
840 DEBUG(D_tls) debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
841 }
842 else
843 {
844 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
845 &state->exp_tls_ocsp_file))
846 return DEFER;
2b4a568d 847
9196d5bf
JH
848 /* Use the full callback method for stapling just to get observability.
849 More efficient would be to read the file once only, if it never changed
850 (due to SNI). Would need restart on file update, or watch datestamp. */
44662487 851
9196d5bf
JH
852 gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
853 server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
2b4a568d 854
9196d5bf
JH
855 DEBUG(D_tls) debug_printf("OCSP response file = %s\n", state->exp_tls_ocsp_file);
856 }
2b4a568d
JH
857 }
858#endif
859
860
059ec3d9
PH
861/* Set the trusted CAs file if one is provided, and then add the CRL if one is
862provided. Experiment shows that, if the certificate file is empty, an unhelpful
863error message is provided. However, if we just refrain from setting anything up
864in that case, certificate verification fails, which seems to be the correct
865behaviour. */
866
610ff438 867if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 868 {
17c76198 869 if (!expand_check_tlsvar(tls_verify_certificates))
059ec3d9 870 return DEFER;
610ff438
JH
871#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
872 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
873 state->exp_tls_verify_certificates = NULL;
874#endif
17c76198
PP
875 if (state->tls_crl && *state->tls_crl)
876 if (!expand_check_tlsvar(tls_crl))
877 return DEFER;
059ec3d9 878
1365611d
PP
879 if (!(state->exp_tls_verify_certificates &&
880 *state->exp_tls_verify_certificates))
b34fc30c
PP
881 {
882 DEBUG(D_tls)
1365611d
PP
883 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
884 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 885 return OK;
b34fc30c 886 }
1365611d 887 }
83e2f8a2
PP
888else
889 {
890 DEBUG(D_tls)
891 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
892 return OK;
893 }
17c76198 894
cb1d7830
JH
895#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
896if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
897 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
898else
899#endif
1365611d 900 {
cb1d7830
JH
901 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
902 {
903 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
904 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
905 strerror(errno));
906 return DEFER;
907 }
17c76198 908
a7fec7a7 909#ifndef SUPPORT_CA_DIR
cb1d7830
JH
910 /* The test suite passes in /dev/null; we could check for that path explicitly,
911 but who knows if someone has some weird FIFO which always dumps some certs, or
912 other weirdness. The thing we really want to check is that it's not a
913 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 914 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH
915 if (S_ISDIR(statbuf.st_mode))
916 {
917 DEBUG(D_tls)
918 debug_printf("verify certificates path is a dir: \"%s\"\n",
919 state->exp_tls_verify_certificates);
920 log_write(0, LOG_MAIN|LOG_PANIC,
921 "tls_verify_certificates \"%s\" is a directory",
922 state->exp_tls_verify_certificates);
923 return DEFER;
924 }
a7fec7a7 925#endif
059ec3d9 926
cb1d7830
JH
927 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
928 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 929
cb1d7830
JH
930 if (statbuf.st_size == 0)
931 {
932 DEBUG(D_tls)
933 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
934 return OK;
935 }
059ec3d9 936
cb1d7830 937 cert_count =
a7fec7a7
JH
938
939#ifdef SUPPORT_CA_DIR
cb1d7830
JH
940 (statbuf.st_mode & S_IFMT) == S_IFDIR
941 ?
942 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
943 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
944 :
a7fec7a7 945#endif
cb1d7830
JH
946 gnutls_certificate_set_x509_trust_file(state->x509_cred,
947 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
948 }
a7fec7a7 949
1365611d
PP
950if (cert_count < 0)
951 {
952 rc = cert_count;
cb1d7830 953 exim_gnutls_err_check(US"setting certificate trust");
1365611d
PP
954 }
955DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 956
5c8cda3a
PP
957if (state->tls_crl && *state->tls_crl &&
958 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 959 {
5c8cda3a
PP
960 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
961 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
962 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
963 if (cert_count < 0)
1365611d 964 {
5c8cda3a 965 rc = cert_count;
1365611d
PP
966 exim_gnutls_err_check(US"gnutls_certificate_set_x509_crl_file");
967 }
5c8cda3a 968 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 969 }
059ec3d9 970
059ec3d9
PH
971return OK;
972}
973
974
975
976
977/*************************************************
1365611d
PP
978* Set X.509 state variables *
979*************************************************/
980
981/* In GnuTLS, the registered cert/key are not replaced by a later
982set of a cert/key, so for SNI support we need a whole new x509_cred
983structure. Which means various other non-re-expanded pieces of state
984need to be re-set in the new struct, so the setting logic is pulled
985out to this.
986
987Arguments:
988 state exim_gnutls_state_st *
989
990Returns: OK/DEFER/FAIL
991*/
992
993static int
994tls_set_remaining_x509(exim_gnutls_state_st *state)
995{
996int rc;
997const host_item *host = state->host; /* macro should be reconsidered? */
998
999/* Create D-H parameters, or read them from the cache file. This function does
1000its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1001client-side params. */
1002
1003if (!state->host)
1004 {
1005 if (!dh_server_params)
1006 {
1007 rc = init_server_dh();
1008 if (rc != OK) return rc;
1009 }
1010 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1011 }
1012
1013/* Link the credentials to the session. */
1014
1015rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
1016exim_gnutls_err_check(US"gnutls_credentials_set");
1017
1018return OK;
1019}
1020
1021/*************************************************
17c76198 1022* Initialize for GnuTLS *
059ec3d9
PH
1023*************************************************/
1024
9196d5bf 1025
4fb7df6d
JH
1026#ifndef DISABLE_OCSP
1027
9196d5bf
JH
1028static BOOL
1029tls_is_buggy_ocsp(void)
1030{
1031const uschar * s;
1032uschar maj, mid, mic;
1033
1034s = CUS gnutls_check_version(NULL);
1035maj = atoi(CCS s);
1036if (maj == 3)
1037 {
1038 while (*s && *s != '.') s++;
1039 mid = atoi(CCS ++s);
1040 if (mid <= 2)
1041 return TRUE;
1042 else if (mid >= 5)
1043 return FALSE;
1044 else
1045 {
1046 while (*s && *s != '.') s++;
1047 mic = atoi(CCS ++s);
1048 return mic <= (mid == 3 ? 16 : 3);
1049 }
1050 }
1051return FALSE;
1052}
1053
4fb7df6d 1054#endif
9196d5bf
JH
1055
1056
17c76198
PP
1057/* Called from both server and client code. In the case of a server, errors
1058before actual TLS negotiation return DEFER.
059ec3d9
PH
1059
1060Arguments:
17c76198
PP
1061 host connected host, if client; NULL if server
1062 certificate certificate file
1063 privatekey private key file
1064 sni TLS SNI to send, sometimes when client; else NULL
1065 cas CA certs file
1066 crl CRL file
1067 require_ciphers tls_require_ciphers setting
817d9f57 1068 caller_state returned state-info structure
059ec3d9 1069
17c76198 1070Returns: OK/DEFER/FAIL
059ec3d9
PH
1071*/
1072
17c76198
PP
1073static int
1074tls_init(
1075 const host_item *host,
1076 const uschar *certificate,
1077 const uschar *privatekey,
1078 const uschar *sni,
1079 const uschar *cas,
1080 const uschar *crl,
1081 const uschar *require_ciphers,
1082 exim_gnutls_state_st **caller_state)
059ec3d9 1083{
17c76198
PP
1084exim_gnutls_state_st *state;
1085int rc;
1086size_t sz;
1087const char *errpos;
1088uschar *p;
1089BOOL want_default_priorities;
1090
1091if (!exim_gnutls_base_init_done)
059ec3d9 1092 {
17c76198
PP
1093 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1094
a5f239e4
PP
1095#ifdef HAVE_GNUTLS_PKCS11
1096 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1097 which loads modules from a config file, which sounds good and may be wanted
1098 by some sysadmin, but also means in common configurations that GNOME keyring
1099 environment variables are used and so breaks for users calling mailq.
1100 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1101 if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP
1102 {
1103 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
1104 exim_gnutls_err_check(US"gnutls_pkcs11_init");
1105 }
1106#endif
1107
17c76198
PP
1108 rc = gnutls_global_init();
1109 exim_gnutls_err_check(US"gnutls_global_init");
1110
1111#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1112 DEBUG(D_tls)
059ec3d9 1113 {
17c76198
PP
1114 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1115 /* arbitrarily chosen level; bump upto 9 for more */
1116 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1117 }
17c76198
PP
1118#endif
1119
4fb7df6d
JH
1120#ifndef DISABLE_OCSP
1121 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1122 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1123#endif
9196d5bf 1124
17c76198 1125 exim_gnutls_base_init_done = TRUE;
059ec3d9 1126 }
059ec3d9 1127
17c76198
PP
1128if (host)
1129 {
1130 state = &state_client;
1131 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
817d9f57 1132 state->tlsp = &tls_out;
17c76198
PP
1133 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1134 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1135 }
1136else
1137 {
1138 state = &state_server;
1139 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
817d9f57 1140 state->tlsp = &tls_in;
17c76198
PP
1141 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1142 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1143 }
1144exim_gnutls_err_check(US"gnutls_init");
059ec3d9 1145
17c76198 1146state->host = host;
059ec3d9 1147
17c76198
PP
1148state->tls_certificate = certificate;
1149state->tls_privatekey = privatekey;
5779e6aa 1150state->tls_require_ciphers = require_ciphers;
17c76198
PP
1151state->tls_sni = sni;
1152state->tls_verify_certificates = cas;
1153state->tls_crl = crl;
059ec3d9 1154
17c76198
PP
1155/* This handles the variables that might get re-expanded after TLS SNI;
1156that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1157
17c76198
PP
1158DEBUG(D_tls)
1159 debug_printf("Expanding various TLS configuration options for session credentials.\n");
1160rc = tls_expand_session_files(state);
1161if (rc != OK) return rc;
059ec3d9 1162
1365611d
PP
1163/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1164requires a new structure afterwards. */
83da1223 1165
1365611d
PP
1166rc = tls_set_remaining_x509(state);
1167if (rc != OK) return rc;
83da1223 1168
17c76198
PP
1169/* set SNI in client, only */
1170if (host)
1171 {
0df4ab80 1172 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni))
17c76198 1173 return DEFER;
0df4ab80 1174 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP
1175 {
1176 DEBUG(D_tls)
0df4ab80
JH
1177 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1178 sz = Ustrlen(state->tlsp->sni);
17c76198 1179 rc = gnutls_server_name_set(state->session,
0df4ab80 1180 GNUTLS_NAME_DNS, state->tlsp->sni, sz);
17c76198
PP
1181 exim_gnutls_err_check(US"gnutls_server_name_set");
1182 }
1183 }
1184else if (state->tls_sni)
1185 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1186 "have an SNI set for a client [%s]\n", state->tls_sni);
83da1223 1187
17c76198 1188/* This is the priority string support,
42bfef1e 1189http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP
1190and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1191This was backwards incompatible, but means Exim no longer needs to track
1192all algorithms and provide string forms for them. */
83da1223 1193
17c76198 1194want_default_priorities = TRUE;
83da1223 1195
17c76198 1196if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1197 {
17c76198
PP
1198 if (!expand_check_tlsvar(tls_require_ciphers))
1199 return DEFER;
1200 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1201 {
17c76198
PP
1202 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1203 state->exp_tls_require_ciphers);
1204
1205 rc = gnutls_priority_init(&state->priority_cache,
1206 CS state->exp_tls_require_ciphers, &errpos);
1207 want_default_priorities = FALSE;
1208 p = state->exp_tls_require_ciphers;
83da1223
PH
1209 }
1210 }
17c76198
PP
1211if (want_default_priorities)
1212 {
83e2f8a2
PP
1213 DEBUG(D_tls)
1214 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1215 exim_default_gnutls_priority);
17c76198
PP
1216 rc = gnutls_priority_init(&state->priority_cache,
1217 exim_default_gnutls_priority, &errpos);
1218 p = US exim_default_gnutls_priority;
1219 }
83da1223 1220
17c76198
PP
1221exim_gnutls_err_check(string_sprintf(
1222 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1223 p, errpos - CS p, errpos));
1224
1225rc = gnutls_priority_set(state->session, state->priority_cache);
1226exim_gnutls_err_check(US"gnutls_priority_set");
1227
1228gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1229
1230/* Reduce security in favour of increased compatibility, if the admin
1231decides to make that trade-off. */
1232if (gnutls_compat_mode)
83da1223 1233 {
17c76198
PP
1234#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1235 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1236 gnutls_session_enable_compatibility_mode(state->session);
1237#else
1238 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1239#endif
83da1223
PH
1240 }
1241
17c76198 1242*caller_state = state;
17c76198 1243return OK;
83da1223
PH
1244}
1245
1246
1247
83da1223 1248/*************************************************
17c76198 1249* Extract peer information *
059ec3d9
PH
1250*************************************************/
1251
17c76198 1252/* Called from both server and client code.
4fe99a6c
PP
1253Only this is allowed to set state->peerdn and state->have_set_peerdn
1254and we use that to detect double-calls.
059ec3d9 1255
75fe387d
PP
1256NOTE: the state blocks last while the TLS connection is up, which is fine
1257for logging in the server side, but for the client side, we log after teardown
1258in src/deliver.c. While the session is up, we can twist about states and
1259repoint tls_* globals, but those variables used for logging or other variable
1260expansion that happens _after_ delivery need to have a longer life-time.
1261
1262So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1263doing this more than once per generation of a state context. We set them in
1264the state context, and repoint tls_* to them. After the state goes away, the
1265tls_* copies of the pointers remain valid and client delivery logging is happy.
1266
1267tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1268don't apply.
1269
059ec3d9 1270Arguments:
17c76198 1271 state exim_gnutls_state_st *
059ec3d9 1272
17c76198 1273Returns: OK/DEFER/FAIL
059ec3d9
PH
1274*/
1275
17c76198
PP
1276static int
1277peer_status(exim_gnutls_state_st *state)
059ec3d9 1278{
75fe387d 1279uschar cipherbuf[256];
27f19eb4 1280const gnutls_datum_t *cert_list;
75fe387d 1281int old_pool, rc;
17c76198 1282unsigned int cert_list_size = 0;
4fe99a6c
PP
1283gnutls_protocol_t protocol;
1284gnutls_cipher_algorithm_t cipher;
1285gnutls_kx_algorithm_t kx;
1286gnutls_mac_algorithm_t mac;
17c76198
PP
1287gnutls_certificate_type_t ct;
1288gnutls_x509_crt_t crt;
4fe99a6c 1289uschar *p, *dn_buf;
17c76198 1290size_t sz;
059ec3d9 1291
4fe99a6c 1292if (state->have_set_peerdn)
17c76198 1293 return OK;
4fe99a6c 1294state->have_set_peerdn = TRUE;
059ec3d9 1295
4fe99a6c 1296state->peerdn = NULL;
059ec3d9 1297
4fe99a6c
PP
1298/* tls_cipher */
1299cipher = gnutls_cipher_get(state->session);
1300protocol = gnutls_protocol_get_version(state->session);
1301mac = gnutls_mac_get(state->session);
1302kx = gnutls_kx_get(state->session);
1303
75fe387d 1304string_format(cipherbuf, sizeof(cipherbuf),
4fe99a6c
PP
1305 "%s:%s:%d",
1306 gnutls_protocol_get_name(protocol),
1307 gnutls_cipher_suite_get_name(kx, cipher, mac),
1308 (int) gnutls_cipher_get_key_size(cipher) * 8);
1309
1310/* I don't see a way that spaces could occur, in the current GnuTLS
1311code base, but it was a concern in the old code and perhaps older GnuTLS
1312releases did return "TLS 1.0"; play it safe, just in case. */
75fe387d 1313for (p = cipherbuf; *p != '\0'; ++p)
4fe99a6c
PP
1314 if (isspace(*p))
1315 *p = '-';
75fe387d
PP
1316old_pool = store_pool;
1317store_pool = POOL_PERM;
1318state->ciphersuite = string_copy(cipherbuf);
1319store_pool = old_pool;
817d9f57 1320state->tlsp->cipher = state->ciphersuite;
4fe99a6c
PP
1321
1322/* tls_peerdn */
17c76198 1323cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
83da1223 1324
17c76198
PP
1325if (cert_list == NULL || cert_list_size == 0)
1326 {
17c76198
PP
1327 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1328 cert_list, cert_list_size);
e51c7be2 1329 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198
PP
1330 return tls_error(US"certificate verification failed",
1331 "no certificate received from peer", state->host);
1332 return OK;
1333 }
059ec3d9 1334
17c76198
PP
1335ct = gnutls_certificate_type_get(state->session);
1336if (ct != GNUTLS_CRT_X509)
059ec3d9 1337 {
17c76198 1338 const char *ctn = gnutls_certificate_type_get_name(ct);
17c76198
PP
1339 DEBUG(D_tls)
1340 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1341 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198
PP
1342 return tls_error(US"certificate verification not possible, unhandled type",
1343 ctn, state->host);
1344 return OK;
83da1223 1345 }
059ec3d9 1346
e51c7be2
JH
1347#define exim_gnutls_peer_err(Label) \
1348 do { \
1349 if (rc != GNUTLS_E_SUCCESS) \
1350 { \
1351 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1352 (Label), gnutls_strerror(rc)); \
1353 if (state->verify_requirement >= VERIFY_REQUIRED) \
1354 return tls_error((Label), gnutls_strerror(rc), state->host); \
1355 return OK; \
1356 } \
1357 } while (0)
17c76198 1358
9d1c15ef
JH
1359rc = import_cert(&cert_list[0], &crt);
1360exim_gnutls_peer_err(US"cert 0");
1361
1362state->tlsp->peercert = state->peercert = crt;
17c76198 1363
17c76198
PP
1364sz = 0;
1365rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1366if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1367 {
17c76198
PP
1368 exim_gnutls_peer_err(US"getting size for cert DN failed");
1369 return FAIL; /* should not happen */
059ec3d9 1370 }
17c76198
PP
1371dn_buf = store_get_perm(sz);
1372rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1373exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1374
17c76198
PP
1375state->peerdn = dn_buf;
1376
1377return OK;
1378#undef exim_gnutls_peer_err
1379}
059ec3d9 1380
059ec3d9 1381
059ec3d9 1382
059ec3d9 1383
17c76198
PP
1384/*************************************************
1385* Verify peer certificate *
1386*************************************************/
059ec3d9 1387
17c76198
PP
1388/* Called from both server and client code.
1389*Should* be using a callback registered with
1390gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1391the peer information, but that's too new for some OSes.
059ec3d9 1392
17c76198
PP
1393Arguments:
1394 state exim_gnutls_state_st *
1395 error where to put an error message
059ec3d9 1396
17c76198
PP
1397Returns:
1398 FALSE if the session should be rejected
1399 TRUE if the cert is okay or we just don't care
1400*/
059ec3d9 1401
17c76198
PP
1402static BOOL
1403verify_certificate(exim_gnutls_state_st *state, const char **error)
1404{
1405int rc;
1406unsigned int verify;
1407
1408*error = NULL;
1409
0a92f87f 1410if ((rc = peer_status(state)) != OK)
e6060e2c 1411 {
17c76198 1412 verify = GNUTLS_CERT_INVALID;
0a92f87f 1413 *error = "certificate not supplied";
17c76198
PP
1414 }
1415else
17c76198 1416 rc = gnutls_certificate_verify_peers2(state->session, &verify);
e6060e2c 1417
17c76198
PP
1418/* Handle the result of verification. INVALID seems to be set as well
1419as REVOKED, but leave the test for both. */
059ec3d9 1420
e51c7be2
JH
1421if (rc < 0 ||
1422 verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
1423 )
17c76198
PP
1424 {
1425 state->peer_cert_verified = FALSE;
0a92f87f
JH
1426 if (!*error)
1427 *error = verify & GNUTLS_CERT_REVOKED
1428 ? "certificate revoked" : "certificate invalid";
059ec3d9 1429
17c76198 1430 DEBUG(D_tls)
e51c7be2 1431 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
4fe99a6c 1432 *error, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 1433
e51c7be2 1434 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1435 {
e51c7be2
JH
1436 gnutls_alert_send(state->session,
1437 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
17c76198
PP
1438 return FALSE;
1439 }
1440 DEBUG(D_tls)
4789da3a 1441 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 1442 }
e51c7be2 1443
17c76198
PP
1444else
1445 {
aa2a70ba 1446 if (state->exp_tls_verify_cert_hostnames)
e51c7be2
JH
1447 {
1448 int sep = 0;
55414b25 1449 const uschar * list = state->exp_tls_verify_cert_hostnames;
e51c7be2
JH
1450 uschar * name;
1451 while (name = string_nextinlist(&list, &sep, NULL, 0))
1452 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
1453 break;
1454 if (!name)
1455 {
1456 DEBUG(D_tls)
1457 debug_printf("TLS certificate verification failed: cert name mismatch\n");
aa2a70ba
JH
1458 if (state->verify_requirement >= VERIFY_REQUIRED)
1459 {
1460 gnutls_alert_send(state->session,
1461 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1462 return FALSE;
1463 }
1464 return TRUE;
e51c7be2
JH
1465 }
1466 }
17c76198 1467 state->peer_cert_verified = TRUE;
e51c7be2 1468 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 1469 state->peerdn ? state->peerdn : US"<unset>");
17c76198 1470 }
059ec3d9 1471
817d9f57 1472state->tlsp->peerdn = state->peerdn;
059ec3d9 1473
17c76198
PP
1474return TRUE;
1475}
059ec3d9 1476
17c76198
PP
1477
1478
1479
1480/* ------------------------------------------------------------------------ */
1481/* Callbacks */
1482
1483/* Logging function which can be registered with
1484 * gnutls_global_set_log_function()
1485 * gnutls_global_set_log_level() 0..9
1486 */
af3498d6 1487#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 1488static void
17c76198 1489exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 1490{
8c79eebf
PP
1491 size_t len = strlen(message);
1492 if (len < 1)
1493 {
1494 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1495 return;
1496 }
1497 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1498 message[len-1] == '\n' ? "" : "\n");
17c76198 1499}
af3498d6 1500#endif
059ec3d9 1501
059ec3d9 1502
17c76198
PP
1503/* Called after client hello, should handle SNI work.
1504This will always set tls_sni (state->received_sni) if available,
1505and may trigger presenting different certificates,
1506if state->trigger_sni_changes is TRUE.
059ec3d9 1507
17c76198
PP
1508Should be registered with
1509 gnutls_handshake_set_post_client_hello_function()
059ec3d9 1510
17c76198
PP
1511"This callback must return 0 on success or a gnutls error code to terminate the
1512handshake.".
059ec3d9 1513
17c76198
PP
1514For inability to get SNI information, we return 0.
1515We only return non-zero if re-setup failed.
817d9f57 1516Only used for server-side TLS.
17c76198 1517*/
44bbabb5 1518
17c76198
PP
1519static int
1520exim_sni_handling_cb(gnutls_session_t session)
1521{
1522char sni_name[MAX_HOST_LEN];
1523size_t data_len = MAX_HOST_LEN;
817d9f57 1524exim_gnutls_state_st *state = &state_server;
17c76198
PP
1525unsigned int sni_type;
1526int rc, old_pool;
1527
1528rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP
1529if (rc != GNUTLS_E_SUCCESS)
1530 {
1531 DEBUG(D_tls) {
1532 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1533 debug_printf("TLS: no SNI presented in handshake.\n");
1534 else
1535 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1536 gnutls_strerror(rc), rc);
1537 };
1538 return 0;
1539 }
1540
17c76198
PP
1541if (sni_type != GNUTLS_NAME_DNS)
1542 {
1543 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1544 return 0;
1545 }
44bbabb5 1546
17c76198
PP
1547/* We now have a UTF-8 string in sni_name */
1548old_pool = store_pool;
1549store_pool = POOL_PERM;
1550state->received_sni = string_copyn(US sni_name, data_len);
1551store_pool = old_pool;
1552
1553/* We set this one now so that variable expansions below will work */
817d9f57 1554state->tlsp->sni = state->received_sni;
17c76198
PP
1555
1556DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1557 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1558
1559if (!state->trigger_sni_changes)
1560 return 0;
1561
1562rc = tls_expand_session_files(state);
1563if (rc != OK)
1564 {
1565 /* If the setup of certs/etc failed before handshake, TLS would not have
1566 been offered. The best we can do now is abort. */
1567 return GNUTLS_E_APPLICATION_ERROR_MIN;
1568 }
1569
1365611d
PP
1570rc = tls_set_remaining_x509(state);
1571if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1572
1573return 0;
059ec3d9
PH
1574}
1575
1576
1577
f2de3a33 1578#ifndef DISABLE_OCSP
44662487
JH
1579
1580static int
1581server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1582 gnutls_datum_t * ocsp_response)
1583{
1584int ret;
1585
44662487
JH
1586if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1587 {
1588 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
1589 (char *)ptr);
018058b2 1590 tls_in.ocsp = OCSP_NOT_RESP;
44662487
JH
1591 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1592 }
1593
018058b2 1594tls_in.ocsp = OCSP_VFY_NOT_TRIED;
44662487
JH
1595return 0;
1596}
1597
1598#endif
1599
1600
0cbf2b82 1601#ifndef DISABLE_EVENT
a7538db1
JH
1602/*
1603We use this callback to get observability and detail-level control
723fe533
JH
1604for an exim TLS connection (either direction), raising a tls:cert event
1605for each cert in the chain presented by the peer. Any event
a7538db1
JH
1606can deny verification.
1607
1608Return 0 for the handshake to continue or non-zero to terminate.
1609*/
1610
1611static int
723fe533 1612verify_cb(gnutls_session_t session)
a7538db1 1613{
27f19eb4 1614const gnutls_datum_t * cert_list;
a7538db1
JH
1615unsigned int cert_list_size = 0;
1616gnutls_x509_crt_t crt;
1617int rc;
b30275b8 1618uschar * yield;
a7538db1
JH
1619exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
1620
1621cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1622if (cert_list)
1623 while (cert_list_size--)
1624 {
1625 rc = import_cert(&cert_list[cert_list_size], &crt);
1626 if (rc != GNUTLS_E_SUCCESS)
1627 {
1628 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
1629 cert_list_size, gnutls_strerror(rc));
1630 break;
1631 }
1632
1633 state->tlsp->peercert = crt;
b30275b8
JH
1634 if ((yield = event_raise(state->event_action,
1635 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH
1636 {
1637 log_write(0, LOG_MAIN,
b30275b8
JH
1638 "SSL verify denied by event-action: depth=%d: %s",
1639 cert_list_size, yield);
a7538db1
JH
1640 return 1; /* reject */
1641 }
1642 state->tlsp->peercert = NULL;
1643 }
1644
1645return 0;
1646}
1647
1648#endif
44662487
JH
1649
1650
17c76198
PP
1651
1652/* ------------------------------------------------------------------------ */
1653/* Exported functions */
1654
1655
1656
1657
059ec3d9
PH
1658/*************************************************
1659* Start a TLS session in a server *
1660*************************************************/
1661
1662/* This is called when Exim is running as a server, after having received
1663the STARTTLS command. It must respond to that command, and then negotiate
1664a TLS session.
1665
1666Arguments:
83da1223 1667 require_ciphers list of allowed ciphers or NULL
059ec3d9
PH
1668
1669Returns: OK on success
1670 DEFER for errors before the start of the negotiation
1671 FAIL for errors during the negotation; the server can't
1672 continue running.
1673*/
1674
1675int
17c76198 1676tls_server_start(const uschar *require_ciphers)
059ec3d9
PH
1677{
1678int rc;
7199e1ee 1679const char *error;
17c76198 1680exim_gnutls_state_st *state = NULL;
059ec3d9
PH
1681
1682/* Check for previous activation */
817d9f57 1683if (tls_in.active >= 0)
059ec3d9 1684 {
17c76198 1685 tls_error(US"STARTTLS received after TLS started", "", NULL);
059ec3d9
PH
1686 smtp_printf("554 Already in TLS\r\n");
1687 return FAIL;
1688 }
1689
1690/* Initialize the library. If it fails, it will already have logged the error
1691and sent an SMTP response. */
1692
17c76198 1693DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 1694
17c76198
PP
1695rc = tls_init(NULL, tls_certificate, tls_privatekey,
1696 NULL, tls_verify_certificates, tls_crl,
1697 require_ciphers, &state);
059ec3d9
PH
1698if (rc != OK) return rc;
1699
059ec3d9
PH
1700/* If this is a host for which certificate verification is mandatory or
1701optional, set up appropriately. */
1702
059ec3d9 1703if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 1704 {
e51c7be2
JH
1705 DEBUG(D_tls)
1706 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP
1707 state->verify_requirement = VERIFY_REQUIRED;
1708 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1709 }
059ec3d9 1710else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 1711 {
e51c7be2
JH
1712 DEBUG(D_tls)
1713 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP
1714 state->verify_requirement = VERIFY_OPTIONAL;
1715 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1716 }
1717else
1718 {
e51c7be2
JH
1719 DEBUG(D_tls)
1720 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP
1721 state->verify_requirement = VERIFY_NONE;
1722 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1723 }
059ec3d9 1724
0cbf2b82 1725#ifndef DISABLE_EVENT
723fe533
JH
1726if (event_action)
1727 {
1728 state->event_action = event_action;
1729 gnutls_session_set_ptr(state->session, state);
1730 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
1731 }
1732#endif
1733
17c76198
PP
1734/* Register SNI handling; always, even if not in tls_certificate, so that the
1735expansion variable $tls_sni is always available. */
059ec3d9 1736
17c76198
PP
1737gnutls_handshake_set_post_client_hello_function(state->session,
1738 exim_sni_handling_cb);
059ec3d9
PH
1739
1740/* Set context and tell client to go ahead, except in the case of TLS startup
1741on connection, where outputting anything now upsets the clients and tends to
1742make them disconnect. We need to have an explicit fflush() here, to force out
1743the response. Other smtp_printf() calls do not need it, because in non-TLS
1744mode, the fflush() happens when smtp_getc() is called. */
1745
817d9f57 1746if (!state->tlsp->on_connect)
059ec3d9
PH
1747 {
1748 smtp_printf("220 TLS go ahead\r\n");
9d1c15ef 1749 fflush(smtp_out);
059ec3d9
PH
1750 }
1751
1752/* Now negotiate the TLS session. We put our own timer on it, since it seems
1753that the GnuTLS library doesn't. */
1754
17c76198 1755gnutls_transport_set_ptr2(state->session,
27f19eb4
JH
1756 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
1757 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP
1758state->fd_in = fileno(smtp_in);
1759state->fd_out = fileno(smtp_out);
059ec3d9
PH
1760
1761sigalrm_seen = FALSE;
1762if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
17c76198
PP
1763do
1764 {
1765 rc = gnutls_handshake(state->session);
619b2b25
PP
1766 } while ((rc == GNUTLS_E_AGAIN) ||
1767 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
059ec3d9
PH
1768alarm(0);
1769
17c76198 1770if (rc != GNUTLS_E_SUCCESS)
059ec3d9 1771 {
17c76198
PP
1772 tls_error(US"gnutls_handshake",
1773 sigalrm_seen ? "timed out" : gnutls_strerror(rc), NULL);
059ec3d9
PH
1774 /* It seems that, except in the case of a timeout, we have to close the
1775 connection right here; otherwise if the other end is running OpenSSL it hangs
1776 until the server times out. */
1777
1778 if (!sigalrm_seen)
1779 {
f1e894f3
PH
1780 (void)fclose(smtp_out);
1781 (void)fclose(smtp_in);
059ec3d9
PH
1782 }
1783
1784 return FAIL;
1785 }
1786
1787DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1788
17c76198
PP
1789/* Verify after the fact */
1790
9d1c15ef
JH
1791if ( state->verify_requirement != VERIFY_NONE
1792 && !verify_certificate(state, &error))
059ec3d9 1793 {
9d1c15ef 1794 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 1795 {
9d1c15ef
JH
1796 tls_error(US"certificate verification failed", error, NULL);
1797 return FAIL;
17c76198 1798 }
9d1c15ef
JH
1799 DEBUG(D_tls)
1800 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
1801 error);
059ec3d9
PH
1802 }
1803
17c76198
PP
1804/* Figure out peer DN, and if authenticated, etc. */
1805
1806rc = peer_status(state);
1807if (rc != OK) return rc;
1808
1809/* Sets various Exim expansion variables; always safe within server */
1810
9d1c15ef 1811extract_exim_vars_from_tls_state(state);
059ec3d9
PH
1812
1813/* TLS has been set up. Adjust the input functions to read via TLS,
1814and initialize appropriately. */
1815
17c76198 1816state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH
1817
1818receive_getc = tls_getc;
1819receive_ungetc = tls_ungetc;
1820receive_feof = tls_feof;
1821receive_ferror = tls_ferror;
58eb016e 1822receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 1823
059ec3d9
PH
1824return OK;
1825}
1826
1827
1828
1829
aa2a70ba
JH
1830static void
1831tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
1832 smtp_transport_options_block * ob)
1833{
5130845b 1834if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 1835 {
4af0d74a 1836 state->exp_tls_verify_cert_hostnames =
8c5d388a 1837#ifdef SUPPORT_I18N
4af0d74a
JH
1838 string_domain_utf8_to_alabel(host->name, NULL);
1839#else
1840 host->name;
1841#endif
aa2a70ba
JH
1842 DEBUG(D_tls)
1843 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
1844 state->exp_tls_verify_cert_hostnames);
1845 }
1846}
aa2a70ba
JH
1847
1848
059ec3d9
PH
1849/*************************************************
1850* Start a TLS session in a client *
1851*************************************************/
1852
1853/* Called from the smtp transport after STARTTLS has been accepted.
1854
1855Arguments:
1856 fd the fd of the connection
1857 host connected host (for messages)
83da1223 1858 addr the first address (not used)
a7538db1 1859 tb transport (always smtp)
059ec3d9
PH
1860
1861Returns: OK/DEFER/FAIL (because using common functions),
1862 but for a client, DEFER and FAIL have the same meaning
1863*/
1864
1865int
17c76198 1866tls_client_start(int fd, host_item *host,
f5d78688 1867 address_item *addr ARG_UNUSED,
0e66b3b6
JH
1868 transport_instance *tb
1869#ifdef EXPERIMENTAL_DANE
b2ba1b4c 1870 , dns_answer * unused_tlsa_dnsa
0e66b3b6
JH
1871#endif
1872 )
059ec3d9 1873{
a7538db1
JH
1874smtp_transport_options_block *ob =
1875 (smtp_transport_options_block *)tb->options_block;
059ec3d9 1876int rc;
17c76198
PP
1877const char *error;
1878exim_gnutls_state_st *state = NULL;
f2de3a33 1879#ifndef DISABLE_OCSP
5130845b
JH
1880BOOL require_ocsp =
1881 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
44662487 1882BOOL request_ocsp = require_ocsp ? TRUE
5130845b 1883 : verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2b4a568d 1884#endif
059ec3d9 1885
17c76198 1886DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
059ec3d9 1887
65867078
JH
1888if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
1889 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
1890 ob->tls_require_ciphers, &state)) != OK)
2b4a568d 1891 return rc;
059ec3d9 1892
54c90be1 1893 {
65867078
JH
1894 int dh_min_bits = ob->tls_dh_min_bits;
1895 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
1896 {
1897 DEBUG(D_tls)
1898 debug_printf("WARNING: tls_dh_min_bits far too low,"
1899 " clamping %d up to %d\n",
1900 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
1901 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
1902 }
54c90be1 1903
65867078
JH
1904 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
1905 " acceptable bits to %d\n",
1906 dh_min_bits);
1907 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
1908 }
83da1223 1909
94431adb 1910/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH
1911set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
1912the specified host patterns if one of them is defined */
1913
aa2a70ba
JH
1914if ( ( state->exp_tls_verify_certificates
1915 && !ob->tls_verify_hosts
610ff438 1916 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
aa2a70ba 1917 )
5130845b 1918 || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
2b4a568d 1919 )
17c76198 1920 {
aa2a70ba 1921 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH
1922 DEBUG(D_tls)
1923 debug_printf("TLS: server certificate verification required.\n");
1924 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB
1925 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1926 }
5130845b 1927else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
52f93eed 1928 {
aa2a70ba 1929 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH
1930 DEBUG(D_tls)
1931 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 1932 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP
1933 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1934 }
1935else
1936 {
e51c7be2
JH
1937 DEBUG(D_tls)
1938 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB
1939 state->verify_requirement = VERIFY_NONE;
1940 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 1941 }
059ec3d9 1942
f2de3a33
JH
1943#ifndef DISABLE_OCSP
1944 /* supported since GnuTLS 3.1.3 */
44662487 1945if (request_ocsp)
9d1c15ef
JH
1946 {
1947 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH
1948 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
1949 NULL, 0, NULL)) != OK)
9d1c15ef
JH
1950 return tls_error(US"cert-status-req",
1951 gnutls_strerror(rc), state->host);
44662487 1952 tls_out.ocsp = OCSP_NOT_RESP;
9d1c15ef 1953 }
2b4a568d
JH
1954#endif
1955
0cbf2b82 1956#ifndef DISABLE_EVENT
774ef2d7 1957if (tb->event_action)
a7538db1 1958 {
774ef2d7 1959 state->event_action = tb->event_action;
a7538db1 1960 gnutls_session_set_ptr(state->session, state);
723fe533 1961 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH
1962 }
1963#endif
1964
27f19eb4 1965gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) fd);
17c76198
PP
1966state->fd_in = fd;
1967state->fd_out = fd;
059ec3d9 1968
9d1c15ef 1969DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH
1970/* There doesn't seem to be a built-in timeout on connection. */
1971
1972sigalrm_seen = FALSE;
65867078 1973alarm(ob->command_timeout);
17c76198
PP
1974do
1975 {
1976 rc = gnutls_handshake(state->session);
619b2b25
PP
1977 } while ((rc == GNUTLS_E_AGAIN) ||
1978 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
059ec3d9
PH
1979alarm(0);
1980
4fe99a6c
PP
1981if (rc != GNUTLS_E_SUCCESS)
1982 return tls_error(US"gnutls_handshake",
1983 sigalrm_seen ? "timed out" : gnutls_strerror(rc), state->host);
1984
17c76198 1985DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
059ec3d9 1986
17c76198 1987/* Verify late */
059ec3d9 1988
17c76198
PP
1989if (state->verify_requirement != VERIFY_NONE &&
1990 !verify_certificate(state, &error))
1991 return tls_error(US"certificate verification failed", error, state->host);
059ec3d9 1992
f2de3a33 1993#ifndef DISABLE_OCSP
2b4a568d
JH
1994if (require_ocsp)
1995 {
1996 DEBUG(D_tls)
1997 {
1998 gnutls_datum_t stapling;
1999 gnutls_ocsp_resp_t resp;
2000 gnutls_datum_t printed;
2001 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
2002 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
2003 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2004 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
2005 )
2006 {
65867078 2007 debug_printf("%.4096s", printed.data);
2b4a568d
JH
2008 gnutls_free(printed.data);
2009 }
2010 else
2011 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host);
2012 }
2013
2b4a568d 2014 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2
JH
2015 {
2016 tls_out.ocsp = OCSP_FAILED;
2b4a568d 2017 return tls_error(US"certificate status check failed", NULL, state->host);
018058b2 2018 }
2b4a568d 2019 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
44662487 2020 tls_out.ocsp = OCSP_VFIED;
2b4a568d
JH
2021 }
2022#endif
2023
17c76198 2024/* Figure out peer DN, and if authenticated, etc. */
059ec3d9 2025
2b4a568d
JH
2026if ((rc = peer_status(state)) != OK)
2027 return rc;
059ec3d9 2028
4fe99a6c 2029/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 2030
9d1c15ef 2031extract_exim_vars_from_tls_state(state);
059ec3d9 2032
059ec3d9
PH
2033return OK;
2034}
2035
2036
2037
17c76198 2038
059ec3d9 2039/*************************************************
17c76198 2040* Close down a TLS session *
059ec3d9
PH
2041*************************************************/
2042
17c76198
PP
2043/* This is also called from within a delivery subprocess forked from the
2044daemon, to shut down the TLS library, without actually doing a shutdown (which
2045would tamper with the TLS session in the parent process).
059ec3d9 2046
17c76198
PP
2047Arguments: TRUE if gnutls_bye is to be called
2048Returns: nothing
059ec3d9
PH
2049*/
2050
17c76198 2051void
817d9f57 2052tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 2053{
817d9f57 2054exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
059ec3d9 2055
389ca47a 2056if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
17c76198
PP
2057
2058if (shutdown)
2059 {
2060 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
2061 gnutls_bye(state->session, GNUTLS_SHUT_WR);
2062 }
2063
2064gnutls_deinit(state->session);
2065
389ca47a 2066state->tlsp->active = -1;
17c76198
PP
2067memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
2068
2069if ((state_server.session == NULL) && (state_client.session == NULL))
2070 {
2071 gnutls_global_deinit();
2072 exim_gnutls_base_init_done = FALSE;
2073 }
7199e1ee 2074
059ec3d9
PH
2075}
2076
2077
2078
17c76198 2079
059ec3d9
PH
2080/*************************************************
2081* TLS version of getc *
2082*************************************************/
2083
2084/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2085it refills the buffer via the GnuTLS reading function.
817d9f57 2086Only used by the server-side TLS.
059ec3d9 2087
17c76198
PP
2088This feeds DKIM and should be used for all message-body reads.
2089
059ec3d9
PH
2090Arguments: none
2091Returns: the next character or EOF
2092*/
2093
2094int
2095tls_getc(void)
2096{
817d9f57 2097exim_gnutls_state_st *state = &state_server;
17c76198 2098if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
059ec3d9 2099 {
17c76198 2100 ssize_t inbytes;
059ec3d9 2101
17c76198
PP
2102 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2103 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH
2104
2105 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
17c76198 2106 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
059ec3d9
PH
2107 ssl_xfer_buffer_size);
2108 alarm(0);
2109
2110 /* A zero-byte return appears to mean that the TLS session has been
2111 closed down, not that the socket itself has been closed down. Revert to
2112 non-TLS handling. */
2113
2114 if (inbytes == 0)
2115 {
2116 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2117
2118 receive_getc = smtp_getc;
2119 receive_ungetc = smtp_ungetc;
2120 receive_feof = smtp_feof;
2121 receive_ferror = smtp_ferror;
58eb016e 2122 receive_smtp_buffered = smtp_buffered;
059ec3d9 2123
17c76198
PP
2124 gnutls_deinit(state->session);
2125 state->session = NULL;
817d9f57
JH
2126 state->tlsp->active = -1;
2127 state->tlsp->bits = 0;
2128 state->tlsp->certificate_verified = FALSE;
9d1c15ef 2129 tls_channelbinding_b64 = NULL;
817d9f57 2130 state->tlsp->cipher = NULL;
9d1c15ef 2131 state->tlsp->peercert = NULL;
817d9f57 2132 state->tlsp->peerdn = NULL;
059ec3d9
PH
2133
2134 return smtp_getc();
2135 }
2136
2137 /* Handle genuine errors */
2138
2139 else if (inbytes < 0)
2140 {
17c76198
PP
2141 record_io_error(state, (int) inbytes, US"recv", NULL);
2142 state->xfer_error = 1;
059ec3d9
PH
2143 return EOF;
2144 }
80a47a2c 2145#ifndef DISABLE_DKIM
17c76198 2146 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
80a47a2c 2147#endif
17c76198
PP
2148 state->xfer_buffer_hwm = (int) inbytes;
2149 state->xfer_buffer_lwm = 0;
059ec3d9
PH
2150 }
2151
059ec3d9
PH
2152/* Something in the buffer; return next uschar */
2153
17c76198 2154return state->xfer_buffer[state->xfer_buffer_lwm++];
059ec3d9
PH
2155}
2156
2157
2158
17c76198 2159
059ec3d9
PH
2160/*************************************************
2161* Read bytes from TLS channel *
2162*************************************************/
2163
17c76198
PP
2164/* This does not feed DKIM, so if the caller uses this for reading message body,
2165then the caller must feed DKIM.
817d9f57 2166
059ec3d9
PH
2167Arguments:
2168 buff buffer of data
2169 len size of buffer
2170
2171Returns: the number of bytes read
2172 -1 after a failed read
2173*/
2174
2175int
817d9f57 2176tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 2177{
817d9f57 2178exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
17c76198 2179ssize_t inbytes;
059ec3d9 2180
17c76198
PP
2181if (len > INT_MAX)
2182 len = INT_MAX;
059ec3d9 2183
17c76198
PP
2184if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
2185 DEBUG(D_tls)
2186 debug_printf("*** PROBABLY A BUG *** " \
2187 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
2188 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
2189
2190DEBUG(D_tls)
2191 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
2192 state->session, buff, len);
2193
2194inbytes = gnutls_record_recv(state->session, buff, len);
059ec3d9
PH
2195if (inbytes > 0) return inbytes;
2196if (inbytes == 0)
2197 {
2198 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2199 }
17c76198 2200else record_io_error(state, (int)inbytes, US"recv", NULL);
059ec3d9
PH
2201
2202return -1;
2203}
2204
2205
2206
17c76198 2207
059ec3d9
PH
2208/*************************************************
2209* Write bytes down TLS channel *
2210*************************************************/
2211
2212/*
2213Arguments:
817d9f57 2214 is_server channel specifier
059ec3d9
PH
2215 buff buffer of data
2216 len number of bytes
2217
2218Returns: the number of bytes after a successful write,
2219 -1 after a failed write
2220*/
2221
2222int
817d9f57 2223tls_write(BOOL is_server, const uschar *buff, size_t len)
059ec3d9 2224{
17c76198
PP
2225ssize_t outbytes;
2226size_t left = len;
817d9f57 2227exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
059ec3d9 2228
17c76198 2229DEBUG(D_tls) debug_printf("tls_do_write(%p, " SIZE_T_FMT ")\n", buff, left);
059ec3d9
PH
2230while (left > 0)
2231 {
17c76198
PP
2232 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
2233 buff, left);
2234 outbytes = gnutls_record_send(state->session, buff, left);
059ec3d9 2235
17c76198 2236 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH
2237 if (outbytes < 0)
2238 {
17c76198 2239 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH
2240 return -1;
2241 }
2242 if (outbytes == 0)
2243 {
17c76198 2244 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH
2245 return -1;
2246 }
2247
2248 left -= outbytes;
2249 buff += outbytes;
2250 }
2251
17c76198
PP
2252if (len > INT_MAX)
2253 {
2254 DEBUG(D_tls)
2255 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
2256 len);
2257 len = INT_MAX;
2258 }
2259
2260return (int) len;
059ec3d9
PH
2261}
2262
2263
2264
17c76198 2265
059ec3d9 2266/*************************************************
17c76198 2267* Random number generation *
059ec3d9
PH
2268*************************************************/
2269
17c76198
PP
2270/* Pseudo-random number generation. The result is not expected to be
2271cryptographically strong but not so weak that someone will shoot themselves
2272in the foot using it as a nonce in input in some email header scheme or
2273whatever weirdness they'll twist this into. The result should handle fork()
2274and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 2275
17c76198
PP
2276Arguments:
2277 max range maximum
2278Returns a random number in range [0, max-1]
059ec3d9
PH
2279*/
2280
af3498d6 2281#ifdef HAVE_GNUTLS_RND
17c76198
PP
2282int
2283vaguely_random_number(int max)
059ec3d9 2284{
17c76198
PP
2285unsigned int r;
2286int i, needed_len;
2287uschar *p;
2288uschar smallbuf[sizeof(r)];
2289
2290if (max <= 1)
2291 return 0;
2292
2293needed_len = sizeof(r);
2294/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2295 * asked for a number less than 10. */
2296for (r = max, i = 0; r; ++i)
2297 r >>= 1;
2298i = (i + 7) / 8;
2299if (i < needed_len)
2300 needed_len = i;
2301
2302i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2303if (i < 0)
059ec3d9 2304 {
17c76198
PP
2305 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2306 return vaguely_random_number_fallback(max);
2307 }
2308r = 0;
2309for (p = smallbuf; needed_len; --needed_len, ++p)
2310 {
2311 r *= 256;
2312 r += *p;
059ec3d9
PH
2313 }
2314
17c76198
PP
2315/* We don't particularly care about weighted results; if someone wants
2316 * smooth distribution and cares enough then they should submit a patch then. */
2317return r % max;
059ec3d9 2318}
af3498d6
PP
2319#else /* HAVE_GNUTLS_RND */
2320int
2321vaguely_random_number(int max)
2322{
2323 return vaguely_random_number_fallback(max);
2324}
2325#endif /* HAVE_GNUTLS_RND */
059ec3d9 2326
36f12725
NM
2327
2328
2329
2330/*************************************************
3375e053
PP
2331* Let tls_require_ciphers be checked at startup *
2332*************************************************/
2333
2334/* The tls_require_ciphers option, if set, must be something which the
2335library can parse.
2336
2337Returns: NULL on success, or error message
2338*/
2339
2340uschar *
2341tls_validate_require_cipher(void)
2342{
2343int rc;
2344uschar *expciphers = NULL;
2345gnutls_priority_t priority_cache;
2346const char *errpos;
2347
2348#define validate_check_rc(Label) do { \
2349 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2350 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2351#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2352
2353if (exim_gnutls_base_init_done)
2354 log_write(0, LOG_MAIN|LOG_PANIC,
2355 "already initialised GnuTLS, Exim developer bug");
2356
a5f239e4 2357#ifdef HAVE_GNUTLS_PKCS11
2519e60d 2358if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP
2359 {
2360 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2361 validate_check_rc(US"gnutls_pkcs11_init");
2362 }
2363#endif
3375e053
PP
2364rc = gnutls_global_init();
2365validate_check_rc(US"gnutls_global_init()");
2366exim_gnutls_base_init_done = TRUE;
2367
2368if (!(tls_require_ciphers && *tls_require_ciphers))
2369 return_deinit(NULL);
2370
2371if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2372 return_deinit(US"failed to expand tls_require_ciphers");
2373
2374if (!(expciphers && *expciphers))
2375 return_deinit(NULL);
2376
2377DEBUG(D_tls)
2378 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2379
2380rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2381validate_check_rc(string_sprintf(
2382 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2383 expciphers, errpos - CS expciphers, errpos));
2384
2385#undef return_deinit
2386#undef validate_check_rc
2387gnutls_global_deinit();
2388
2389return NULL;
2390}
2391
2392
2393
2394
2395/*************************************************
36f12725
NM
2396* Report the library versions. *
2397*************************************************/
2398
2399/* See a description in tls-openssl.c for an explanation of why this exists.
2400
2401Arguments: a FILE* to print the results to
2402Returns: nothing
2403*/
2404
2405void
2406tls_version_report(FILE *f)
2407{
754a0503
PP
2408fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2409 " Runtime: %s\n",
2410 LIBGNUTLS_VERSION,
2411 gnutls_check_version(NULL));
36f12725
NM
2412}
2413
2b4a568d
JH
2414/* vi: aw ai sw=2
2415*/
059ec3d9 2416/* End of tls-gnu.c */