Testsuite: move CRL testcases away from using SHA1-signed certs
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
9242a7e8 5/* Copyright (c) University of Cambridge 1995 - 2017 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP
10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP
14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 16Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 17appropriate.
059ec3d9 18
17c76198
PP
19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP
24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP
27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP
32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP
37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
a5f239e4
PP
42/* needed to disable PKCS11 autoload unless requested */
43#if GNUTLS_VERSION_NUMBER >= 0x020c00
44# include <gnutls/pkcs11.h>
76075bb5 45# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 46#endif
7e07527a
JH
47#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
48# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
49# define DISABLE_OCSP
50#endif
0cbf2b82 51#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 52# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 53# define DISABLE_EVENT
a7538db1 54#endif
a7fec7a7
JH
55#if GNUTLS_VERSION_NUMBER >= 0x030306
56# define SUPPORT_CA_DIR
57#else
58# undef SUPPORT_CA_DIR
59#endif
11a04b5a 60#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH
61# define SUPPORT_SYSDEFAULT_CABUNDLE
62#endif
925ac8e4
JH
63#if GNUTLS_VERSION_NUMBER >= 0x030109
64# define SUPPORT_CORK
65#endif
47195144
JH
66#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
67# define SUPPORT_SRV_OCSP_STACK
68#endif
7e07527a 69
f2de3a33 70#ifndef DISABLE_OCSP
2b4a568d
JH
71# include <gnutls/ocsp.h>
72#endif
059ec3d9 73
17c76198 74/* GnuTLS 2 vs 3
059ec3d9 75
17c76198
PP
76GnuTLS 3 only:
77 gnutls_global_set_audit_log_function()
059ec3d9 78
17c76198
PP
79Changes:
80 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
81*/
059ec3d9 82
17c76198 83/* Local static variables for GnuTLS */
059ec3d9 84
17c76198 85/* Values for verify_requirement */
059ec3d9 86
e51c7be2 87enum peer_verify_requirement
aa2a70ba 88 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
059ec3d9 89
17c76198
PP
90/* This holds most state for server or client; with this, we can set up an
91outbound TLS-enabled connection in an ACL callout, while not stomping all
92over the TLS variables available for expansion.
059ec3d9 93
17c76198
PP
94Some of these correspond to variables in globals.c; those variables will
95be set to point to content in one of these instances, as appropriate for
96the stage of the process lifetime.
059ec3d9 97
389ca47a 98Not handled here: global tls_channelbinding_b64.
17c76198 99*/
059ec3d9 100
17c76198 101typedef struct exim_gnutls_state {
9d1c15ef 102 gnutls_session_t session;
17c76198 103 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 104 gnutls_priority_t priority_cache;
17c76198 105 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH
106 int fd_in;
107 int fd_out;
108 BOOL peer_cert_verified;
109 BOOL trigger_sni_changes;
110 BOOL have_set_peerdn;
17c76198 111 const struct host_item *host;
9d1c15ef
JH
112 gnutls_x509_crt_t peercert;
113 uschar *peerdn;
114 uschar *ciphersuite;
115 uschar *received_sni;
17c76198
PP
116
117 const uschar *tls_certificate;
118 const uschar *tls_privatekey;
119 const uschar *tls_sni; /* client send only, not received */
120 const uschar *tls_verify_certificates;
121 const uschar *tls_crl;
122 const uschar *tls_require_ciphers;
e51c7be2 123
17c76198
PP
124 uschar *exp_tls_certificate;
125 uschar *exp_tls_privatekey;
17c76198
PP
126 uschar *exp_tls_verify_certificates;
127 uschar *exp_tls_crl;
128 uschar *exp_tls_require_ciphers;
55414b25 129 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 130#ifndef DISABLE_EVENT
a7538db1
JH
131 uschar *event_action;
132#endif
17c76198 133
389ca47a 134 tls_support *tlsp; /* set in tls_init() */
817d9f57 135
17c76198
PP
136 uschar *xfer_buffer;
137 int xfer_buffer_lwm;
138 int xfer_buffer_hwm;
139 int xfer_eof;
140 int xfer_error;
17c76198
PP
141} exim_gnutls_state_st;
142
143static const exim_gnutls_state_st exim_gnutls_state_init = {
f2ed27cf
JH
144 .session = NULL,
145 .x509_cred = NULL,
146 .priority_cache = NULL,
147 .verify_requirement = VERIFY_NONE,
148 .fd_in = -1,
149 .fd_out = -1,
150 .peer_cert_verified = FALSE,
151 .trigger_sni_changes =FALSE,
152 .have_set_peerdn = FALSE,
153 .host = NULL,
154 .peercert = NULL,
155 .peerdn = NULL,
156 .ciphersuite = NULL,
157 .received_sni = NULL,
158
159 .tls_certificate = NULL,
160 .tls_privatekey = NULL,
161 .tls_sni = NULL,
162 .tls_verify_certificates = NULL,
163 .tls_crl = NULL,
164 .tls_require_ciphers =NULL,
165
166 .exp_tls_certificate = NULL,
167 .exp_tls_privatekey = NULL,
168 .exp_tls_verify_certificates = NULL,
169 .exp_tls_crl = NULL,
170 .exp_tls_require_ciphers = NULL,
f2ed27cf 171 .exp_tls_verify_cert_hostnames = NULL,
0cbf2b82 172#ifndef DISABLE_EVENT
f2ed27cf 173 .event_action = NULL,
a7538db1 174#endif
f2ed27cf
JH
175 .tlsp = NULL,
176
177 .xfer_buffer = NULL,
178 .xfer_buffer_lwm = 0,
179 .xfer_buffer_hwm = 0,
180 .xfer_eof = 0,
181 .xfer_error = 0,
17c76198 182};
83da1223 183
17c76198
PP
184/* Not only do we have our own APIs which don't pass around state, assuming
185it's held in globals, GnuTLS doesn't appear to let us register callback data
186for callbacks, or as part of the session, so we have to keep a "this is the
187context we're currently dealing with" pointer and rely upon being
188single-threaded to keep from processing data on an inbound TLS connection while
189talking to another TLS connection for an outbound check. This does mean that
190there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH
191second connection.
192XXX But see gnutls_session_get_ptr()
193*/
059ec3d9 194
17c76198 195static exim_gnutls_state_st state_server, state_client;
059ec3d9 196
17c76198
PP
197/* dh_params are initialised once within the lifetime of a process using TLS;
198if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
199don't want to repeat this. */
83da1223 200
17c76198 201static gnutls_dh_params_t dh_server_params = NULL;
059ec3d9 202
17c76198 203/* No idea how this value was chosen; preserving it. Default is 3600. */
059ec3d9 204
17c76198 205static const int ssl_session_timeout = 200;
059ec3d9 206
17c76198 207static const char * const exim_default_gnutls_priority = "NORMAL";
83da1223 208
17c76198 209/* Guard library core initialisation */
83da1223 210
17c76198 211static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 212
4fb7df6d 213#ifndef DISABLE_OCSP
9196d5bf 214static BOOL gnutls_buggy_ocsp = FALSE;
4fb7df6d 215#endif
9196d5bf 216
059ec3d9 217
17c76198 218/* ------------------------------------------------------------------------ */
17c76198 219/* macros */
83da1223 220
17c76198 221#define MAX_HOST_LEN 255
83da1223 222
17c76198
PP
223/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
224the library logging; a value less than 0 disables the calls to set up logging
ef9da2ee
JH
225callbacks. Possibly GNuTLS also looks for an environment variable
226"GNUTLS_DEBUG_LEVEL". */
2c17bb02 227#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
a7538db1 228# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 229#endif
83da1223 230
2c17bb02 231#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 232# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 233#endif
83da1223 234
af3498d6
PP
235/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
236can ask for a bit-strength. Without that, we stick to the constant we had
237before, for now. */
2c17bb02 238#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 239# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 240#endif
af3498d6 241
47195144
JH
242#define exim_gnutls_err_check(rc, Label) do { \
243 if ((rc) != GNUTLS_E_SUCCESS) \
cf0c6164
JH
244 return tls_error((Label), gnutls_strerror(rc), host, errstr); \
245 } while (0)
059ec3d9 246
cf0c6164
JH
247#define expand_check_tlsvar(Varname, errstr) \
248 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 249
17c76198 250#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH
251# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
252# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
253# define HAVE_GNUTLS_RND
2519e60d
TL
254/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
255 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
256 * isn't available sometimes, so this needs to become a conditional
257 * compilation; the sanest way to deal with this being a problem on
258 * older OSes is to block it in the Local/Makefile with this compiler
259 * definition */
e51c7be2
JH
260# ifndef AVOID_GNUTLS_PKCS11
261# define HAVE_GNUTLS_PKCS11
262# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 263#endif
83da1223 264
af3498d6
PP
265
266
267
268/* ------------------------------------------------------------------------ */
269/* Callback declarations */
270
271#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
272static void exim_gnutls_logger_cb(int level, const char *message);
273#endif
274
275static int exim_sni_handling_cb(gnutls_session_t session);
276
f2de3a33 277#ifndef DISABLE_OCSP
44662487
JH
278static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
279 gnutls_datum_t * ocsp_response);
280#endif
af3498d6
PP
281
282
283
17c76198
PP
284/* ------------------------------------------------------------------------ */
285/* Static functions */
059ec3d9
PH
286
287/*************************************************
288* Handle TLS error *
289*************************************************/
290
291/* Called from lots of places when errors occur before actually starting to do
292the TLS handshake, that is, while the session is still in clear. Always returns
293DEFER for a server and FAIL for a client so that most calls can use "return
294tls_error(...)" to do this processing and then give an appropriate return. A
295single function is used for both server and client, because it is called from
296some shared functions.
297
298Argument:
299 prefix text to include in the logged error
7199e1ee
TF
300 msg additional error string (may be NULL)
301 usually obtained from gnutls_strerror()
17c76198
PP
302 host NULL if setting up a server;
303 the connected host if setting up a client
cf0c6164 304 errstr pointer to returned error string
059ec3d9
PH
305
306Returns: OK/DEFER/FAIL
307*/
308
309static int
cf0c6164
JH
310tls_error(const uschar *prefix, const char *msg, const host_item *host,
311 uschar ** errstr)
059ec3d9 312{
cf0c6164
JH
313if (errstr)
314 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : "");
315return host ? FAIL : DEFER;
059ec3d9
PH
316}
317
318
319
17c76198 320
059ec3d9 321/*************************************************
17c76198 322* Deal with logging errors during I/O *
059ec3d9
PH
323*************************************************/
324
17c76198 325/* We have to get the identity of the peer from saved data.
059ec3d9 326
17c76198
PP
327Argument:
328 state the current GnuTLS exim state container
329 rc the GnuTLS error code, or 0 if it's a local error
330 when text identifying read or write
331 text local error text when ec is 0
059ec3d9 332
17c76198 333Returns: nothing
059ec3d9
PH
334*/
335
17c76198
PP
336static void
337record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 338{
cf0c6164
JH
339const char * msg;
340uschar * errstr;
059ec3d9 341
17c76198
PP
342if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
343 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
344 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
345else
346 msg = gnutls_strerror(rc);
059ec3d9 347
cf0c6164
JH
348(void) tls_error(when, msg, state->host, &errstr);
349
350if (state->host)
351 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
352 state->host->name, state->host->address, errstr);
353else
354 {
355 uschar * conn_info = smtp_get_connection_info();
356 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
357 /* I'd like to get separated H= here, but too hard for now */
358 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
359 }
17c76198 360}
059ec3d9 361
059ec3d9 362
059ec3d9 363
059ec3d9 364
17c76198
PP
365/*************************************************
366* Set various Exim expansion vars *
367*************************************************/
059ec3d9 368
e51c7be2
JH
369#define exim_gnutls_cert_err(Label) \
370 do \
371 { \
372 if (rc != GNUTLS_E_SUCCESS) \
373 { \
374 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
375 (Label), gnutls_strerror(rc)); \
376 return rc; \
377 } \
378 } while (0)
9d1c15ef
JH
379
380static int
27f19eb4 381import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH
382{
383int rc;
384
385rc = gnutls_x509_crt_init(crtp);
386exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
387
388rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
389exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
390
391return rc;
392}
393
394#undef exim_gnutls_cert_err
395
396
17c76198
PP
397/* We set various Exim global variables from the state, once a session has
398been established. With TLS callouts, may need to change this to stack
399variables, or just re-call it with the server state after client callout
400has finished.
059ec3d9 401
9d1c15ef 402Make sure anything set here is unset in tls_getc().
17c76198
PP
403
404Sets:
405 tls_active fd
406 tls_bits strength indicator
407 tls_certificate_verified bool indicator
408 tls_channelbinding_b64 for some SASL mechanisms
409 tls_cipher a string
9d1c15ef 410 tls_peercert pointer to library internal
17c76198
PP
411 tls_peerdn a string
412 tls_sni a (UTF-8) string
9d1c15ef 413 tls_ourcert pointer to library internal
17c76198
PP
414
415Argument:
416 state the relevant exim_gnutls_state_st *
417*/
418
419static void
9d1c15ef 420extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 421{
17c76198 422gnutls_cipher_algorithm_t cipher;
17c76198
PP
423#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
424int old_pool;
425int rc;
426gnutls_datum_t channel;
427#endif
9d1c15ef 428tls_support * tlsp = state->tlsp;
17c76198 429
9d1c15ef 430tlsp->active = state->fd_out;
17c76198
PP
431
432cipher = gnutls_cipher_get(state->session);
433/* returns size in "bytes" */
9d1c15ef 434tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
17c76198 435
9d1c15ef 436tlsp->cipher = state->ciphersuite;
17c76198 437
817d9f57 438DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 439
9d1c15ef 440tlsp->certificate_verified = state->peer_cert_verified;
059ec3d9 441
17c76198
PP
442/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
443only available for use for authenticators while this TLS session is running. */
444
445tls_channelbinding_b64 = NULL;
446#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
447channel.data = NULL;
448channel.size = 0;
449rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
450if (rc) {
451 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
452} else {
453 old_pool = store_pool;
454 store_pool = POOL_PERM;
f4d091fb 455 tls_channelbinding_b64 = b64encode(channel.data, (int)channel.size);
17c76198
PP
456 store_pool = old_pool;
457 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
458}
459#endif
460
9d1c15ef
JH
461/* peercert is set in peer_status() */
462tlsp->peerdn = state->peerdn;
463tlsp->sni = state->received_sni;
464
465/* record our certificate */
466 {
27f19eb4 467 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH
468 gnutls_x509_crt_t crt;
469
470 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
471 }
059ec3d9
PH
472}
473
474
475
17c76198 476
059ec3d9 477/*************************************************
575643cd 478* Setup up DH parameters *
059ec3d9
PH
479*************************************************/
480
575643cd 481/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH
482be re-generated every so often, depending on security policy. What we do is to
483keep these parameters in a file in the spool directory. If the file does not
484exist, we generate them. This means that it is easy to cause a regeneration.
485
486The new file is written as a temporary file and renamed, so that an incomplete
487file is never present. If two processes both compute some new parameters, you
488waste a bit of effort, but it doesn't seem worth messing around with locking to
489prevent this.
490
059ec3d9
PH
491Returns: OK/DEFER/FAIL
492*/
493
494static int
cf0c6164 495init_server_dh(uschar ** errstr)
059ec3d9 496{
17c76198
PP
497int fd, rc;
498unsigned int dh_bits;
27f19eb4 499gnutls_datum_t m;
a799883d
PP
500uschar filename_buf[PATH_MAX];
501uschar *filename = NULL;
17c76198 502size_t sz;
a799883d
PP
503uschar *exp_tls_dhparam;
504BOOL use_file_in_spool = FALSE;
505BOOL use_fixed_file = FALSE;
17c76198 506host_item *host = NULL; /* dummy for macros */
059ec3d9 507
17c76198 508DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 509
17c76198 510rc = gnutls_dh_params_init(&dh_server_params);
47195144 511exim_gnutls_err_check(rc, US"gnutls_dh_params_init");
059ec3d9 512
a799883d
PP
513m.data = NULL;
514m.size = 0;
515
cf0c6164 516if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP
517 return DEFER;
518
519if (!exp_tls_dhparam)
520 {
521 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
522 m.data = US std_dh_prime_default();
523 m.size = Ustrlen(m.data);
524 }
525else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
526 use_file_in_spool = TRUE;
527else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
528 {
529 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
530 return OK;
531 }
532else if (exp_tls_dhparam[0] != '/')
533 {
f5d25c2b 534 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
cf0c6164 535 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL, errstr);
a799883d
PP
536 m.size = Ustrlen(m.data);
537 }
538else
539 {
540 use_fixed_file = TRUE;
541 filename = exp_tls_dhparam;
542 }
543
544if (m.data)
545 {
546 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
47195144 547 exim_gnutls_err_check(rc, US"gnutls_dh_params_import_pkcs3");
a799883d
PP
548 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
549 return OK;
550 }
551
af3498d6
PP
552#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
553/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198
PP
554different filename and ensure we have sufficient bits. */
555dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
556if (!dh_bits)
cf0c6164 557 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 558DEBUG(D_tls)
b34fc30c 559 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP
560 dh_bits);
561#else
562dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
563DEBUG(D_tls)
564 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
565 dh_bits);
566#endif
059ec3d9 567
3375e053
PP
568/* Some clients have hard-coded limits. */
569if (dh_bits > tls_dh_max_bits)
570 {
571 DEBUG(D_tls)
572 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
573 tls_dh_max_bits);
574 dh_bits = tls_dh_max_bits;
575 }
576
a799883d
PP
577if (use_file_in_spool)
578 {
579 if (!string_format(filename_buf, sizeof(filename_buf),
580 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 581 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP
582 filename = filename_buf;
583 }
059ec3d9 584
b5aea5e1 585/* Open the cache file for reading and if successful, read it and set up the
575643cd 586parameters. */
059ec3d9 587
f5d25c2b 588if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 589 {
b5aea5e1 590 struct stat statbuf;
17c76198
PP
591 FILE *fp;
592 int saved_errno;
593
594 if (fstat(fd, &statbuf) < 0) /* EIO */
595 {
596 saved_errno = errno;
597 (void)close(fd);
cf0c6164 598 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL, errstr);
17c76198
PP
599 }
600 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH
601 {
602 (void)close(fd);
cf0c6164 603 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 604 }
40c90bca 605 if (!(fp = fdopen(fd, "rb")))
17c76198
PP
606 {
607 saved_errno = errno;
608 (void)close(fd);
609 return tls_error(US"fdopen(TLS cache stat fd) failed",
cf0c6164 610 strerror(saved_errno), NULL, errstr);
b5aea5e1 611 }
059ec3d9 612
b5aea5e1 613 m.size = statbuf.st_size;
40c90bca 614 if (!(m.data = malloc(m.size)))
17c76198
PP
615 {
616 fclose(fp);
cf0c6164 617 return tls_error(US"malloc failed", strerror(errno), NULL, errstr);
17c76198 618 }
40c90bca 619 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP
620 {
621 saved_errno = errno;
622 fclose(fp);
623 free(m.data);
cf0c6164 624 return tls_error(US"fread failed", strerror(saved_errno), NULL, errstr);
17c76198
PP
625 }
626 fclose(fp);
b5aea5e1 627
17c76198 628 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
b5aea5e1 629 free(m.data);
47195144 630 exim_gnutls_err_check(rc, US"gnutls_dh_params_import_pkcs3");
17c76198 631 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH
632 }
633
634/* If the file does not exist, fall through to compute new data and cache it.
635If there was any other opening error, it is serious. */
636
182ad5cf
PH
637else if (errno == ENOENT)
638 {
17c76198 639 rc = -1;
182ad5cf 640 DEBUG(D_tls)
17c76198 641 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH
642 }
643else
17c76198 644 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 645 NULL, NULL, errstr);
b5aea5e1
PH
646
647/* If ret < 0, either the cache file does not exist, or the data it contains
648is not useful. One particular case of this is when upgrading from an older
649release of Exim in which the data was stored in a different format. We don't
650try to be clever and support both formats; we just regenerate new data in this
651case. */
652
17c76198 653if (rc < 0)
b5aea5e1 654 {
17c76198 655 uschar *temp_fn;
201f5254 656 unsigned int dh_bits_gen = dh_bits;
059ec3d9 657
17c76198
PP
658 if ((PATH_MAX - Ustrlen(filename)) < 10)
659 return tls_error(US"Filename too long to generate replacement",
cf0c6164 660 CS filename, NULL, errstr);
059ec3d9 661
17c76198 662 temp_fn = string_copy(US "%s.XXXXXXX");
f5d25c2b 663 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
cf0c6164 664 return tls_error(US"Unable to open temp file", strerror(errno), NULL, errstr);
059ec3d9
PH
665 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
666
201f5254
PP
667 /* GnuTLS overshoots!
668 * If we ask for 2236, we might get 2237 or more.
669 * But there's no way to ask GnuTLS how many bits there really are.
670 * We can ask how many bits were used in a TLS session, but that's it!
671 * The prime itself is hidden behind too much abstraction.
672 * So we ask for less, and proceed on a wing and a prayer.
673 * First attempt, subtracted 3 for 2233 and got 2240.
674 */
cae6e576 675 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP
676 {
677 dh_bits_gen = dh_bits - 10;
678 DEBUG(D_tls)
679 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
680 dh_bits_gen);
681 }
682
683 DEBUG(D_tls)
684 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
685 dh_bits_gen);
686 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
47195144 687 exim_gnutls_err_check(rc, US"gnutls_dh_params_generate2");
17c76198
PP
688
689 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
690 and I confirmed that a NULL call to get the size first is how the GnuTLS
691 sample apps handle this. */
692
693 sz = 0;
694 m.data = NULL;
695 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
696 m.data, &sz);
697 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
47195144 698 exim_gnutls_err_check(rc, US"gnutls_dh_params_export_pkcs3(NULL) sizing");
17c76198 699 m.size = sz;
40c90bca 700 if (!(m.data = malloc(m.size)))
cf0c6164 701 return tls_error(US"memory allocation failed", strerror(errno), NULL, errstr);
40c90bca 702
1f00591e 703 /* this will return a size 1 less than the allocation size above */
17c76198 704 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
1f00591e 705 m.data, &sz);
17c76198
PP
706 if (rc != GNUTLS_E_SUCCESS)
707 {
708 free(m.data);
47195144 709 exim_gnutls_err_check(rc, US"gnutls_dh_params_export_pkcs3() real");
17c76198 710 }
1f00591e 711 m.size = sz; /* shrink by 1, probably */
059ec3d9 712
f5d25c2b 713 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198
PP
714 {
715 free(m.data);
716 return tls_error(US"TLS cache write D-H params failed",
cf0c6164 717 strerror(errno), NULL, errstr);
17c76198 718 }
b5aea5e1 719 free(m.data);
f5d25c2b 720 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
17c76198 721 return tls_error(US"TLS cache write D-H params final newline failed",
cf0c6164 722 strerror(errno), NULL, errstr);
17c76198 723
f5d25c2b 724 if ((rc = close(fd)))
cf0c6164 725 return tls_error(US"TLS cache write close() failed", strerror(errno), NULL, errstr);
059ec3d9 726
17c76198
PP
727 if (Urename(temp_fn, filename) < 0)
728 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
cf0c6164 729 temp_fn, filename), strerror(errno), NULL, errstr);
059ec3d9 730
17c76198 731 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH
732 }
733
17c76198 734DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH
735return OK;
736}
737
738
739
740
23bb6982
JH
741/* Create and install a selfsigned certificate, for use in server mode */
742
743static int
cf0c6164 744tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH
745{
746gnutls_x509_crt_t cert = NULL;
747time_t now;
748gnutls_x509_privkey_t pkey = NULL;
749const uschar * where;
750int rc;
751
752where = US"initialising pkey";
753if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
754
755where = US"initialising cert";
756if ((rc = gnutls_x509_crt_init(&cert))) goto err;
757
758where = US"generating pkey";
759if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 760#ifdef SUPPORT_PARAM_TO_PK_BITS
23bb6982 761 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW),
76075bb5
JH
762#else
763 1024,
764#endif
765 0)))
23bb6982
JH
766 goto err;
767
768where = US"configuring cert";
769now = 0;
770if ( (rc = gnutls_x509_crt_set_version(cert, 3))
771 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
772 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
773 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
774 || (rc = gnutls_x509_crt_set_key(cert, pkey))
775
776 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
777 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
778 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
779 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
780 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
781 GNUTLS_OID_X520_COMMON_NAME, 0,
782 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
783 )
784 goto err;
785
786where = US"signing cert";
787if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
788
789where = US"installing selfsign cert";
790 /* Since: 2.4.0 */
791if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
792 goto err;
793
794rc = OK;
795
796out:
797 if (cert) gnutls_x509_crt_deinit(cert);
798 if (pkey) gnutls_x509_privkey_deinit(pkey);
799 return rc;
800
801err:
cf0c6164 802 rc = tls_error(where, gnutls_strerror(rc), NULL, errstr);
23bb6982
JH
803 goto out;
804}
805
806
807
808
47195144
JH
809/* Add certificate and key, from files.
810
811Return:
812 Zero or negative: good. Negate value for certificate index if < 0.
813 Greater than zero: FAIL or DEFER code.
814*/
815
ba86e143
JH
816static int
817tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
818 uschar * certfile, uschar * keyfile, uschar ** errstr)
819{
820int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
821 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
47195144
JH
822if (rc < 0)
823 return tls_error(
824 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
825 gnutls_strerror(rc), host, errstr);
826return -rc;
ba86e143
JH
827}
828
829
059ec3d9 830/*************************************************
17c76198 831* Variables re-expanded post-SNI *
059ec3d9
PH
832*************************************************/
833
17c76198
PP
834/* Called from both server and client code, via tls_init(), and also from
835the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
836
837We can tell the two apart by state->received_sni being non-NULL in callback.
838
839The callback should not call us unless state->trigger_sni_changes is true,
840which we are responsible for setting on the first pass through.
059ec3d9
PH
841
842Arguments:
17c76198 843 state exim_gnutls_state_st *
cf0c6164 844 errstr error string pointer
059ec3d9
PH
845
846Returns: OK/DEFER/FAIL
847*/
848
849static int
ba86e143 850tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 851{
1365611d 852struct stat statbuf;
059ec3d9 853int rc;
17c76198
PP
854const host_item *host = state->host; /* macro should be reconsidered? */
855uschar *saved_tls_certificate = NULL;
856uschar *saved_tls_privatekey = NULL;
857uschar *saved_tls_verify_certificates = NULL;
858uschar *saved_tls_crl = NULL;
859int cert_count;
860
861/* We check for tls_sni *before* expansion. */
2b4a568d 862if (!host) /* server */
17c76198
PP
863 if (!state->received_sni)
864 {
ba86e143
JH
865 if ( state->tls_certificate
866 && ( Ustrstr(state->tls_certificate, US"tls_sni")
867 || Ustrstr(state->tls_certificate, US"tls_in_sni")
868 || Ustrstr(state->tls_certificate, US"tls_out_sni")
869 ) )
17c76198
PP
870 {
871 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
872 state->trigger_sni_changes = TRUE;
873 }
874 }
875 else
876 {
1365611d 877 /* useful for debugging */
17c76198
PP
878 saved_tls_certificate = state->exp_tls_certificate;
879 saved_tls_privatekey = state->exp_tls_privatekey;
880 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
881 saved_tls_crl = state->exp_tls_crl;
882 }
059ec3d9 883
1365611d 884rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
47195144
JH
885exim_gnutls_err_check(rc, US"gnutls_certificate_allocate_credentials");
886
887#ifdef SUPPORT_SRV_OCSP_STACK
888gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
889#endif
1365611d 890
17c76198
PP
891/* remember: expand_check_tlsvar() is expand_check() but fiddling with
892state members, assuming consistent naming; and expand_check() returns
893false if expansion failed, unless expansion was forced to fail. */
059ec3d9 894
17c76198
PP
895/* check if we at least have a certificate, before doing expensive
896D-H generation. */
059ec3d9 897
cf0c6164 898if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 899 return DEFER;
059ec3d9 900
17c76198 901/* certificate is mandatory in server, optional in client */
059ec3d9 902
23bb6982
JH
903if ( !state->exp_tls_certificate
904 || !*state->exp_tls_certificate
905 )
2b4a568d 906 if (!host)
cf0c6164 907 return tls_install_selfsign(state, errstr);
17c76198
PP
908 else
909 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 910
cf0c6164 911if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH
912 return DEFER;
913
17c76198
PP
914/* tls_privatekey is optional, defaulting to same file as certificate */
915
916if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
059ec3d9 917 {
17c76198
PP
918 state->tls_privatekey = state->tls_certificate;
919 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 920 }
c91535f3 921
059ec3d9 922
17c76198 923if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH
924 {
925 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP
926 state->exp_tls_certificate, state->exp_tls_privatekey);
927
928 if (state->received_sni)
23bb6982
JH
929 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
930 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
931 )
17c76198 932 {
b34fc30c 933 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP
934 }
935 else
936 {
b34fc30c 937 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 938 }
059ec3d9 939
ba86e143
JH
940 if (!host) /* server */
941 {
942 const uschar * clist = state->exp_tls_certificate;
943 const uschar * klist = state->exp_tls_privatekey;
47195144
JH
944 const uschar * olist;
945 int csep = 0, ksep = 0, osep = 0, cnt = 0;
946 uschar * cfile, * kfile, * ofile;
947
948#ifndef DISABLE_OCSP
949 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
950 return DEFER;
951 olist = ofile;
952#endif
ba86e143
JH
953
954 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
47195144 955
ba86e143
JH
956 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
957 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
47195144 958 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
ba86e143
JH
959 return rc;
960 else
47195144
JH
961 {
962 int gnutls_cert_index = -rc;
ba86e143 963 DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile);
47195144
JH
964
965 /* Set the OCSP stapling server info */
966
967#ifndef DISABLE_OCSP
968 if (tls_ocsp_file)
969 if (gnutls_buggy_ocsp)
970 {
971 DEBUG(D_tls)
972 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
973 }
974 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
975 {
976 /* Use the full callback method for stapling just to get
977 observability. More efficient would be to read the file once only,
978 if it never changed (due to SNI). Would need restart on file update,
979 or watch datestamp. */
980
981# ifdef SUPPORT_SRV_OCSP_STACK
982 rc = gnutls_certificate_set_ocsp_status_request_function2(
983 state->x509_cred, gnutls_cert_index,
984 server_ocsp_stapling_cb, ofile);
985
986 exim_gnutls_err_check(rc,
987 US"gnutls_certificate_set_ocsp_status_request_function2");
988# else
989 if (cnt++ > 0)
990 {
991 DEBUG(D_tls)
992 debug_printf("oops; multiple OCSP files not supported\n");
993 break;
994 }
995 gnutls_certificate_set_ocsp_status_request_function(
996 state->x509_cred, server_ocsp_stapling_cb, ofile);
997# endif
998
999 DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile);
1000 }
1001 else
1002 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
1003#endif
1004 }
ba86e143
JH
1005 }
1006 else
1007 {
47195144 1008 if (0 < (rc = tls_add_certfile(state, host,
ba86e143
JH
1009 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1010 return rc;
1011 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1012 }
1013
b34fc30c 1014 } /* tls_certificate */
059ec3d9 1015
2b4a568d 1016
059ec3d9
PH
1017/* Set the trusted CAs file if one is provided, and then add the CRL if one is
1018provided. Experiment shows that, if the certificate file is empty, an unhelpful
1019error message is provided. However, if we just refrain from setting anything up
1020in that case, certificate verification fails, which seems to be the correct
1021behaviour. */
1022
610ff438 1023if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 1024 {
cf0c6164 1025 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 1026 return DEFER;
610ff438
JH
1027#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1028 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1029 state->exp_tls_verify_certificates = NULL;
1030#endif
17c76198 1031 if (state->tls_crl && *state->tls_crl)
cf0c6164 1032 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 1033 return DEFER;
059ec3d9 1034
1365611d
PP
1035 if (!(state->exp_tls_verify_certificates &&
1036 *state->exp_tls_verify_certificates))
b34fc30c
PP
1037 {
1038 DEBUG(D_tls)
1365611d
PP
1039 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1040 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 1041 return OK;
b34fc30c 1042 }
1365611d 1043 }
83e2f8a2
PP
1044else
1045 {
1046 DEBUG(D_tls)
1047 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1048 return OK;
1049 }
17c76198 1050
cb1d7830
JH
1051#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1052if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1053 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1054else
1055#endif
1365611d 1056 {
cb1d7830
JH
1057 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1058 {
1059 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
1060 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1061 strerror(errno));
1062 return DEFER;
1063 }
17c76198 1064
a7fec7a7 1065#ifndef SUPPORT_CA_DIR
cb1d7830
JH
1066 /* The test suite passes in /dev/null; we could check for that path explicitly,
1067 but who knows if someone has some weird FIFO which always dumps some certs, or
1068 other weirdness. The thing we really want to check is that it's not a
1069 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 1070 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH
1071 if (S_ISDIR(statbuf.st_mode))
1072 {
1073 DEBUG(D_tls)
1074 debug_printf("verify certificates path is a dir: \"%s\"\n",
1075 state->exp_tls_verify_certificates);
1076 log_write(0, LOG_MAIN|LOG_PANIC,
1077 "tls_verify_certificates \"%s\" is a directory",
1078 state->exp_tls_verify_certificates);
1079 return DEFER;
1080 }
a7fec7a7 1081#endif
059ec3d9 1082
cb1d7830
JH
1083 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1084 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 1085
cb1d7830
JH
1086 if (statbuf.st_size == 0)
1087 {
1088 DEBUG(D_tls)
1089 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1090 return OK;
1091 }
059ec3d9 1092
cb1d7830 1093 cert_count =
a7fec7a7
JH
1094
1095#ifdef SUPPORT_CA_DIR
cb1d7830
JH
1096 (statbuf.st_mode & S_IFMT) == S_IFDIR
1097 ?
1098 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1099 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1100 :
a7fec7a7 1101#endif
cb1d7830
JH
1102 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1103 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
1104 }
a7fec7a7 1105
1365611d
PP
1106if (cert_count < 0)
1107 {
1108 rc = cert_count;
47195144 1109 exim_gnutls_err_check(rc, US"setting certificate trust");
1365611d
PP
1110 }
1111DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1112
5c8cda3a
PP
1113if (state->tls_crl && *state->tls_crl &&
1114 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1115 {
5c8cda3a
PP
1116 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
1117 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1118 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
1119 if (cert_count < 0)
1365611d 1120 {
5c8cda3a 1121 rc = cert_count;
47195144 1122 exim_gnutls_err_check(rc, US"gnutls_certificate_set_x509_crl_file");
1365611d 1123 }
5c8cda3a 1124 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1125 }
059ec3d9 1126
059ec3d9
PH
1127return OK;
1128}
1129
1130
1131
1132
1133/*************************************************
1365611d
PP
1134* Set X.509 state variables *
1135*************************************************/
1136
1137/* In GnuTLS, the registered cert/key are not replaced by a later
1138set of a cert/key, so for SNI support we need a whole new x509_cred
1139structure. Which means various other non-re-expanded pieces of state
1140need to be re-set in the new struct, so the setting logic is pulled
1141out to this.
1142
1143Arguments:
1144 state exim_gnutls_state_st *
cf0c6164 1145 errstr error string pointer
1365611d
PP
1146
1147Returns: OK/DEFER/FAIL
1148*/
1149
1150static int
cf0c6164 1151tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP
1152{
1153int rc;
1154const host_item *host = state->host; /* macro should be reconsidered? */
1155
1156/* Create D-H parameters, or read them from the cache file. This function does
1157its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1158client-side params. */
1159
1160if (!state->host)
1161 {
1162 if (!dh_server_params)
1163 {
cf0c6164 1164 rc = init_server_dh(errstr);
1365611d
PP
1165 if (rc != OK) return rc;
1166 }
1167 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1168 }
1169
1170/* Link the credentials to the session. */
1171
1172rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
47195144 1173exim_gnutls_err_check(rc, US"gnutls_credentials_set");
1365611d
PP
1174
1175return OK;
1176}
1177
1178/*************************************************
17c76198 1179* Initialize for GnuTLS *
059ec3d9
PH
1180*************************************************/
1181
9196d5bf 1182
4fb7df6d
JH
1183#ifndef DISABLE_OCSP
1184
9196d5bf
JH
1185static BOOL
1186tls_is_buggy_ocsp(void)
1187{
1188const uschar * s;
1189uschar maj, mid, mic;
1190
1191s = CUS gnutls_check_version(NULL);
1192maj = atoi(CCS s);
1193if (maj == 3)
1194 {
1195 while (*s && *s != '.') s++;
1196 mid = atoi(CCS ++s);
1197 if (mid <= 2)
1198 return TRUE;
1199 else if (mid >= 5)
1200 return FALSE;
1201 else
1202 {
1203 while (*s && *s != '.') s++;
1204 mic = atoi(CCS ++s);
1205 return mic <= (mid == 3 ? 16 : 3);
1206 }
1207 }
1208return FALSE;
1209}
1210
4fb7df6d 1211#endif
9196d5bf
JH
1212
1213
17c76198
PP
1214/* Called from both server and client code. In the case of a server, errors
1215before actual TLS negotiation return DEFER.
059ec3d9
PH
1216
1217Arguments:
17c76198
PP
1218 host connected host, if client; NULL if server
1219 certificate certificate file
1220 privatekey private key file
1221 sni TLS SNI to send, sometimes when client; else NULL
1222 cas CA certs file
1223 crl CRL file
1224 require_ciphers tls_require_ciphers setting
817d9f57 1225 caller_state returned state-info structure
cf0c6164 1226 errstr error string pointer
059ec3d9 1227
17c76198 1228Returns: OK/DEFER/FAIL
059ec3d9
PH
1229*/
1230
17c76198
PP
1231static int
1232tls_init(
1233 const host_item *host,
1234 const uschar *certificate,
1235 const uschar *privatekey,
1236 const uschar *sni,
1237 const uschar *cas,
1238 const uschar *crl,
1239 const uschar *require_ciphers,
cf0c6164
JH
1240 exim_gnutls_state_st **caller_state,
1241 uschar ** errstr)
059ec3d9 1242{
17c76198
PP
1243exim_gnutls_state_st *state;
1244int rc;
1245size_t sz;
1246const char *errpos;
1247uschar *p;
1248BOOL want_default_priorities;
1249
1250if (!exim_gnutls_base_init_done)
059ec3d9 1251 {
17c76198
PP
1252 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1253
a5f239e4
PP
1254#ifdef HAVE_GNUTLS_PKCS11
1255 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1256 which loads modules from a config file, which sounds good and may be wanted
1257 by some sysadmin, but also means in common configurations that GNOME keyring
1258 environment variables are used and so breaks for users calling mailq.
1259 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1260 if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP
1261 {
1262 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
47195144 1263 exim_gnutls_err_check(rc, US"gnutls_pkcs11_init");
a5f239e4
PP
1264 }
1265#endif
1266
17c76198 1267 rc = gnutls_global_init();
47195144 1268 exim_gnutls_err_check(rc, US"gnutls_global_init");
17c76198
PP
1269
1270#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1271 DEBUG(D_tls)
059ec3d9 1272 {
17c76198
PP
1273 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1274 /* arbitrarily chosen level; bump upto 9 for more */
1275 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1276 }
17c76198
PP
1277#endif
1278
4fb7df6d
JH
1279#ifndef DISABLE_OCSP
1280 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1281 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1282#endif
9196d5bf 1283
17c76198 1284 exim_gnutls_base_init_done = TRUE;
059ec3d9 1285 }
059ec3d9 1286
17c76198
PP
1287if (host)
1288 {
1289 state = &state_client;
1290 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
817d9f57 1291 state->tlsp = &tls_out;
17c76198
PP
1292 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1293 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1294 }
1295else
1296 {
1297 state = &state_server;
1298 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
817d9f57 1299 state->tlsp = &tls_in;
17c76198
PP
1300 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1301 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1302 }
47195144 1303exim_gnutls_err_check(rc, US"gnutls_init");
059ec3d9 1304
17c76198 1305state->host = host;
059ec3d9 1306
17c76198
PP
1307state->tls_certificate = certificate;
1308state->tls_privatekey = privatekey;
5779e6aa 1309state->tls_require_ciphers = require_ciphers;
17c76198
PP
1310state->tls_sni = sni;
1311state->tls_verify_certificates = cas;
1312state->tls_crl = crl;
059ec3d9 1313
17c76198
PP
1314/* This handles the variables that might get re-expanded after TLS SNI;
1315that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1316
17c76198
PP
1317DEBUG(D_tls)
1318 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1319if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1320
1365611d
PP
1321/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1322requires a new structure afterwards. */
83da1223 1323
cf0c6164 1324if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1325
17c76198
PP
1326/* set SNI in client, only */
1327if (host)
1328 {
cf0c6164 1329 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1330 return DEFER;
0df4ab80 1331 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP
1332 {
1333 DEBUG(D_tls)
0df4ab80
JH
1334 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1335 sz = Ustrlen(state->tlsp->sni);
17c76198 1336 rc = gnutls_server_name_set(state->session,
0df4ab80 1337 GNUTLS_NAME_DNS, state->tlsp->sni, sz);
47195144 1338 exim_gnutls_err_check(rc, US"gnutls_server_name_set");
17c76198
PP
1339 }
1340 }
1341else if (state->tls_sni)
1342 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
ba86e143 1343 "have an SNI set for a server [%s]\n", state->tls_sni);
83da1223 1344
17c76198 1345/* This is the priority string support,
42bfef1e 1346http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP
1347and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1348This was backwards incompatible, but means Exim no longer needs to track
1349all algorithms and provide string forms for them. */
83da1223 1350
17c76198 1351want_default_priorities = TRUE;
83da1223 1352
17c76198 1353if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1354 {
cf0c6164 1355 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP
1356 return DEFER;
1357 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1358 {
17c76198
PP
1359 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1360 state->exp_tls_require_ciphers);
1361
1362 rc = gnutls_priority_init(&state->priority_cache,
1363 CS state->exp_tls_require_ciphers, &errpos);
1364 want_default_priorities = FALSE;
1365 p = state->exp_tls_require_ciphers;
83da1223
PH
1366 }
1367 }
17c76198
PP
1368if (want_default_priorities)
1369 {
83e2f8a2
PP
1370 DEBUG(D_tls)
1371 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1372 exim_default_gnutls_priority);
17c76198
PP
1373 rc = gnutls_priority_init(&state->priority_cache,
1374 exim_default_gnutls_priority, &errpos);
1375 p = US exim_default_gnutls_priority;
1376 }
83da1223 1377
47195144 1378exim_gnutls_err_check(rc, string_sprintf(
17c76198
PP
1379 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1380 p, errpos - CS p, errpos));
1381
1382rc = gnutls_priority_set(state->session, state->priority_cache);
47195144 1383exim_gnutls_err_check(rc, US"gnutls_priority_set");
17c76198
PP
1384
1385gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1386
1387/* Reduce security in favour of increased compatibility, if the admin
1388decides to make that trade-off. */
1389if (gnutls_compat_mode)
83da1223 1390 {
17c76198
PP
1391#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1392 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1393 gnutls_session_enable_compatibility_mode(state->session);
1394#else
1395 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1396#endif
83da1223
PH
1397 }
1398
17c76198 1399*caller_state = state;
17c76198 1400return OK;
83da1223
PH
1401}
1402
1403
1404
83da1223 1405/*************************************************
17c76198 1406* Extract peer information *
059ec3d9
PH
1407*************************************************/
1408
17c76198 1409/* Called from both server and client code.
4fe99a6c
PP
1410Only this is allowed to set state->peerdn and state->have_set_peerdn
1411and we use that to detect double-calls.
059ec3d9 1412
75fe387d
PP
1413NOTE: the state blocks last while the TLS connection is up, which is fine
1414for logging in the server side, but for the client side, we log after teardown
1415in src/deliver.c. While the session is up, we can twist about states and
1416repoint tls_* globals, but those variables used for logging or other variable
1417expansion that happens _after_ delivery need to have a longer life-time.
1418
1419So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1420doing this more than once per generation of a state context. We set them in
1421the state context, and repoint tls_* to them. After the state goes away, the
1422tls_* copies of the pointers remain valid and client delivery logging is happy.
1423
1424tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1425don't apply.
1426
059ec3d9 1427Arguments:
17c76198 1428 state exim_gnutls_state_st *
cf0c6164 1429 errstr pointer to error string
059ec3d9 1430
17c76198 1431Returns: OK/DEFER/FAIL
059ec3d9
PH
1432*/
1433
17c76198 1434static int
cf0c6164 1435peer_status(exim_gnutls_state_st *state, uschar ** errstr)
059ec3d9 1436{
75fe387d 1437uschar cipherbuf[256];
27f19eb4 1438const gnutls_datum_t *cert_list;
75fe387d 1439int old_pool, rc;
17c76198 1440unsigned int cert_list_size = 0;
4fe99a6c
PP
1441gnutls_protocol_t protocol;
1442gnutls_cipher_algorithm_t cipher;
1443gnutls_kx_algorithm_t kx;
1444gnutls_mac_algorithm_t mac;
17c76198
PP
1445gnutls_certificate_type_t ct;
1446gnutls_x509_crt_t crt;
4fe99a6c 1447uschar *p, *dn_buf;
17c76198 1448size_t sz;
059ec3d9 1449
4fe99a6c 1450if (state->have_set_peerdn)
17c76198 1451 return OK;
4fe99a6c 1452state->have_set_peerdn = TRUE;
059ec3d9 1453
4fe99a6c 1454state->peerdn = NULL;
059ec3d9 1455
4fe99a6c
PP
1456/* tls_cipher */
1457cipher = gnutls_cipher_get(state->session);
1458protocol = gnutls_protocol_get_version(state->session);
1459mac = gnutls_mac_get(state->session);
1460kx = gnutls_kx_get(state->session);
1461
75fe387d 1462string_format(cipherbuf, sizeof(cipherbuf),
4fe99a6c
PP
1463 "%s:%s:%d",
1464 gnutls_protocol_get_name(protocol),
1465 gnutls_cipher_suite_get_name(kx, cipher, mac),
1466 (int) gnutls_cipher_get_key_size(cipher) * 8);
1467
1468/* I don't see a way that spaces could occur, in the current GnuTLS
1469code base, but it was a concern in the old code and perhaps older GnuTLS
1470releases did return "TLS 1.0"; play it safe, just in case. */
75fe387d 1471for (p = cipherbuf; *p != '\0'; ++p)
4fe99a6c
PP
1472 if (isspace(*p))
1473 *p = '-';
75fe387d
PP
1474old_pool = store_pool;
1475store_pool = POOL_PERM;
1476state->ciphersuite = string_copy(cipherbuf);
1477store_pool = old_pool;
817d9f57 1478state->tlsp->cipher = state->ciphersuite;
4fe99a6c
PP
1479
1480/* tls_peerdn */
17c76198 1481cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
83da1223 1482
17c76198
PP
1483if (cert_list == NULL || cert_list_size == 0)
1484 {
17c76198
PP
1485 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1486 cert_list, cert_list_size);
e51c7be2 1487 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1488 return tls_error(US"certificate verification failed",
cf0c6164 1489 "no certificate received from peer", state->host, errstr);
17c76198
PP
1490 return OK;
1491 }
059ec3d9 1492
17c76198
PP
1493ct = gnutls_certificate_type_get(state->session);
1494if (ct != GNUTLS_CRT_X509)
059ec3d9 1495 {
17c76198 1496 const char *ctn = gnutls_certificate_type_get_name(ct);
17c76198
PP
1497 DEBUG(D_tls)
1498 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1499 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1500 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1501 ctn, state->host, errstr);
17c76198 1502 return OK;
83da1223 1503 }
059ec3d9 1504
e51c7be2
JH
1505#define exim_gnutls_peer_err(Label) \
1506 do { \
1507 if (rc != GNUTLS_E_SUCCESS) \
1508 { \
1509 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1510 (Label), gnutls_strerror(rc)); \
1511 if (state->verify_requirement >= VERIFY_REQUIRED) \
cf0c6164 1512 return tls_error((Label), gnutls_strerror(rc), state->host, errstr); \
e51c7be2
JH
1513 return OK; \
1514 } \
1515 } while (0)
17c76198 1516
9d1c15ef
JH
1517rc = import_cert(&cert_list[0], &crt);
1518exim_gnutls_peer_err(US"cert 0");
1519
1520state->tlsp->peercert = state->peercert = crt;
17c76198 1521
17c76198
PP
1522sz = 0;
1523rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1524if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1525 {
17c76198
PP
1526 exim_gnutls_peer_err(US"getting size for cert DN failed");
1527 return FAIL; /* should not happen */
059ec3d9 1528 }
17c76198
PP
1529dn_buf = store_get_perm(sz);
1530rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1531exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1532
17c76198
PP
1533state->peerdn = dn_buf;
1534
1535return OK;
1536#undef exim_gnutls_peer_err
1537}
059ec3d9 1538
059ec3d9 1539
059ec3d9 1540
059ec3d9 1541
17c76198
PP
1542/*************************************************
1543* Verify peer certificate *
1544*************************************************/
059ec3d9 1545
17c76198
PP
1546/* Called from both server and client code.
1547*Should* be using a callback registered with
1548gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1549the peer information, but that's too new for some OSes.
059ec3d9 1550
17c76198
PP
1551Arguments:
1552 state exim_gnutls_state_st *
cf0c6164 1553 errstr where to put an error message
059ec3d9 1554
17c76198
PP
1555Returns:
1556 FALSE if the session should be rejected
1557 TRUE if the cert is okay or we just don't care
1558*/
059ec3d9 1559
17c76198 1560static BOOL
cf0c6164 1561verify_certificate(exim_gnutls_state_st *state, uschar ** errstr)
17c76198
PP
1562{
1563int rc;
1564unsigned int verify;
1565
cf0c6164 1566*errstr = NULL;
17c76198 1567
cf0c6164 1568if ((rc = peer_status(state, errstr)) != OK)
e6060e2c 1569 {
17c76198 1570 verify = GNUTLS_CERT_INVALID;
cf0c6164 1571 *errstr = US"certificate not supplied";
17c76198
PP
1572 }
1573else
17c76198 1574 rc = gnutls_certificate_verify_peers2(state->session, &verify);
e6060e2c 1575
17c76198
PP
1576/* Handle the result of verification. INVALID seems to be set as well
1577as REVOKED, but leave the test for both. */
059ec3d9 1578
e51c7be2
JH
1579if (rc < 0 ||
1580 verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
1581 )
17c76198
PP
1582 {
1583 state->peer_cert_verified = FALSE;
cf0c6164
JH
1584 if (!*errstr)
1585 *errstr = verify & GNUTLS_CERT_REVOKED
1586 ? US"certificate revoked" : US"certificate invalid";
059ec3d9 1587
17c76198 1588 DEBUG(D_tls)
e51c7be2 1589 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 1590 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 1591
e51c7be2 1592 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1593 {
e51c7be2
JH
1594 gnutls_alert_send(state->session,
1595 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
17c76198
PP
1596 return FALSE;
1597 }
1598 DEBUG(D_tls)
4789da3a 1599 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 1600 }
e51c7be2 1601
17c76198
PP
1602else
1603 {
aa2a70ba 1604 if (state->exp_tls_verify_cert_hostnames)
e51c7be2
JH
1605 {
1606 int sep = 0;
55414b25 1607 const uschar * list = state->exp_tls_verify_cert_hostnames;
e51c7be2 1608 uschar * name;
76075bb5 1609 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
e51c7be2
JH
1610 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
1611 break;
1612 if (!name)
1613 {
1614 DEBUG(D_tls)
1615 debug_printf("TLS certificate verification failed: cert name mismatch\n");
aa2a70ba
JH
1616 if (state->verify_requirement >= VERIFY_REQUIRED)
1617 {
1618 gnutls_alert_send(state->session,
1619 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1620 return FALSE;
1621 }
1622 return TRUE;
e51c7be2
JH
1623 }
1624 }
17c76198 1625 state->peer_cert_verified = TRUE;
e51c7be2 1626 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 1627 state->peerdn ? state->peerdn : US"<unset>");
17c76198 1628 }
059ec3d9 1629
817d9f57 1630state->tlsp->peerdn = state->peerdn;
059ec3d9 1631
17c76198
PP
1632return TRUE;
1633}
059ec3d9 1634
17c76198
PP
1635
1636
1637
1638/* ------------------------------------------------------------------------ */
1639/* Callbacks */
1640
1641/* Logging function which can be registered with
1642 * gnutls_global_set_log_function()
1643 * gnutls_global_set_log_level() 0..9
1644 */
af3498d6 1645#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 1646static void
17c76198 1647exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 1648{
8c79eebf
PP
1649 size_t len = strlen(message);
1650 if (len < 1)
1651 {
1652 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1653 return;
1654 }
1655 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1656 message[len-1] == '\n' ? "" : "\n");
17c76198 1657}
af3498d6 1658#endif
059ec3d9 1659
059ec3d9 1660
17c76198
PP
1661/* Called after client hello, should handle SNI work.
1662This will always set tls_sni (state->received_sni) if available,
1663and may trigger presenting different certificates,
1664if state->trigger_sni_changes is TRUE.
059ec3d9 1665
17c76198
PP
1666Should be registered with
1667 gnutls_handshake_set_post_client_hello_function()
059ec3d9 1668
17c76198
PP
1669"This callback must return 0 on success or a gnutls error code to terminate the
1670handshake.".
059ec3d9 1671
17c76198
PP
1672For inability to get SNI information, we return 0.
1673We only return non-zero if re-setup failed.
817d9f57 1674Only used for server-side TLS.
17c76198 1675*/
44bbabb5 1676
17c76198
PP
1677static int
1678exim_sni_handling_cb(gnutls_session_t session)
1679{
1680char sni_name[MAX_HOST_LEN];
1681size_t data_len = MAX_HOST_LEN;
817d9f57 1682exim_gnutls_state_st *state = &state_server;
17c76198
PP
1683unsigned int sni_type;
1684int rc, old_pool;
cf0c6164 1685uschar * dummy_errstr;
17c76198
PP
1686
1687rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP
1688if (rc != GNUTLS_E_SUCCESS)
1689 {
1690 DEBUG(D_tls) {
1691 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1692 debug_printf("TLS: no SNI presented in handshake.\n");
1693 else
1694 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1695 gnutls_strerror(rc), rc);
cf0c6164 1696 }
b34fc30c
PP
1697 return 0;
1698 }
1699
17c76198
PP
1700if (sni_type != GNUTLS_NAME_DNS)
1701 {
1702 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1703 return 0;
1704 }
44bbabb5 1705
17c76198
PP
1706/* We now have a UTF-8 string in sni_name */
1707old_pool = store_pool;
1708store_pool = POOL_PERM;
1709state->received_sni = string_copyn(US sni_name, data_len);
1710store_pool = old_pool;
1711
1712/* We set this one now so that variable expansions below will work */
817d9f57 1713state->tlsp->sni = state->received_sni;
17c76198
PP
1714
1715DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1716 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1717
1718if (!state->trigger_sni_changes)
1719 return 0;
1720
cf0c6164 1721if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP
1722 {
1723 /* If the setup of certs/etc failed before handshake, TLS would not have
1724 been offered. The best we can do now is abort. */
1725 return GNUTLS_E_APPLICATION_ERROR_MIN;
1726 }
1727
cf0c6164 1728rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP
1729if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1730
1731return 0;
059ec3d9
PH
1732}
1733
1734
1735
f2de3a33 1736#ifndef DISABLE_OCSP
44662487
JH
1737
1738static int
1739server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1740 gnutls_datum_t * ocsp_response)
1741{
1742int ret;
47195144 1743DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
44662487 1744
44662487
JH
1745if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1746 {
1747 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
5903c6ff 1748 CS ptr);
018058b2 1749 tls_in.ocsp = OCSP_NOT_RESP;
44662487
JH
1750 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1751 }
1752
018058b2 1753tls_in.ocsp = OCSP_VFY_NOT_TRIED;
44662487
JH
1754return 0;
1755}
1756
1757#endif
1758
1759
0cbf2b82 1760#ifndef DISABLE_EVENT
a7538db1
JH
1761/*
1762We use this callback to get observability and detail-level control
723fe533
JH
1763for an exim TLS connection (either direction), raising a tls:cert event
1764for each cert in the chain presented by the peer. Any event
a7538db1
JH
1765can deny verification.
1766
1767Return 0 for the handshake to continue or non-zero to terminate.
1768*/
1769
1770static int
723fe533 1771verify_cb(gnutls_session_t session)
a7538db1 1772{
27f19eb4 1773const gnutls_datum_t * cert_list;
a7538db1
JH
1774unsigned int cert_list_size = 0;
1775gnutls_x509_crt_t crt;
1776int rc;
b30275b8 1777uschar * yield;
a7538db1
JH
1778exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
1779
1780cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1781if (cert_list)
1782 while (cert_list_size--)
1783 {
1784 rc = import_cert(&cert_list[cert_list_size], &crt);
1785 if (rc != GNUTLS_E_SUCCESS)
1786 {
1787 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
1788 cert_list_size, gnutls_strerror(rc));
1789 break;
1790 }
1791
1792 state->tlsp->peercert = crt;
b30275b8
JH
1793 if ((yield = event_raise(state->event_action,
1794 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH
1795 {
1796 log_write(0, LOG_MAIN,
b30275b8
JH
1797 "SSL verify denied by event-action: depth=%d: %s",
1798 cert_list_size, yield);
a7538db1
JH
1799 return 1; /* reject */
1800 }
1801 state->tlsp->peercert = NULL;
1802 }
1803
1804return 0;
1805}
1806
1807#endif
44662487
JH
1808
1809
17c76198
PP
1810
1811/* ------------------------------------------------------------------------ */
1812/* Exported functions */
1813
1814
1815
1816
059ec3d9
PH
1817/*************************************************
1818* Start a TLS session in a server *
1819*************************************************/
1820
1821/* This is called when Exim is running as a server, after having received
1822the STARTTLS command. It must respond to that command, and then negotiate
1823a TLS session.
1824
1825Arguments:
83da1223 1826 require_ciphers list of allowed ciphers or NULL
cf0c6164 1827 errstr pointer to error string
059ec3d9
PH
1828
1829Returns: OK on success
1830 DEFER for errors before the start of the negotiation
4c04137d 1831 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
1832 continue running.
1833*/
1834
1835int
cf0c6164 1836tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
1837{
1838int rc;
cf0c6164 1839exim_gnutls_state_st * state = NULL;
059ec3d9
PH
1840
1841/* Check for previous activation */
817d9f57 1842if (tls_in.active >= 0)
059ec3d9 1843 {
cf0c6164 1844 tls_error(US"STARTTLS received after TLS started", "", NULL, errstr);
925ac8e4 1845 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
1846 return FAIL;
1847 }
1848
1849/* Initialize the library. If it fails, it will already have logged the error
1850and sent an SMTP response. */
1851
17c76198 1852DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 1853
cf0c6164 1854if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
17c76198 1855 NULL, tls_verify_certificates, tls_crl,
cf0c6164 1856 require_ciphers, &state, errstr)) != OK) return rc;
059ec3d9 1857
059ec3d9
PH
1858/* If this is a host for which certificate verification is mandatory or
1859optional, set up appropriately. */
1860
059ec3d9 1861if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 1862 {
e51c7be2
JH
1863 DEBUG(D_tls)
1864 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP
1865 state->verify_requirement = VERIFY_REQUIRED;
1866 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1867 }
059ec3d9 1868else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 1869 {
e51c7be2
JH
1870 DEBUG(D_tls)
1871 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP
1872 state->verify_requirement = VERIFY_OPTIONAL;
1873 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1874 }
1875else
1876 {
e51c7be2
JH
1877 DEBUG(D_tls)
1878 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP
1879 state->verify_requirement = VERIFY_NONE;
1880 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1881 }
059ec3d9 1882
0cbf2b82 1883#ifndef DISABLE_EVENT
723fe533
JH
1884if (event_action)
1885 {
1886 state->event_action = event_action;
1887 gnutls_session_set_ptr(state->session, state);
1888 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
1889 }
1890#endif
1891
17c76198
PP
1892/* Register SNI handling; always, even if not in tls_certificate, so that the
1893expansion variable $tls_sni is always available. */
059ec3d9 1894
17c76198
PP
1895gnutls_handshake_set_post_client_hello_function(state->session,
1896 exim_sni_handling_cb);
059ec3d9
PH
1897
1898/* Set context and tell client to go ahead, except in the case of TLS startup
1899on connection, where outputting anything now upsets the clients and tends to
1900make them disconnect. We need to have an explicit fflush() here, to force out
1901the response. Other smtp_printf() calls do not need it, because in non-TLS
1902mode, the fflush() happens when smtp_getc() is called. */
1903
817d9f57 1904if (!state->tlsp->on_connect)
059ec3d9 1905 {
925ac8e4 1906 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 1907 fflush(smtp_out);
059ec3d9
PH
1908 }
1909
1910/* Now negotiate the TLS session. We put our own timer on it, since it seems
1911that the GnuTLS library doesn't. */
1912
17c76198 1913gnutls_transport_set_ptr2(state->session,
27f19eb4
JH
1914 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
1915 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP
1916state->fd_in = fileno(smtp_in);
1917state->fd_out = fileno(smtp_out);
059ec3d9
PH
1918
1919sigalrm_seen = FALSE;
1920if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
17c76198 1921do
17c76198 1922 rc = gnutls_handshake(state->session);
157a7880 1923while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
059ec3d9
PH
1924alarm(0);
1925
17c76198 1926if (rc != GNUTLS_E_SUCCESS)
059ec3d9 1927 {
059ec3d9
PH
1928 /* It seems that, except in the case of a timeout, we have to close the
1929 connection right here; otherwise if the other end is running OpenSSL it hangs
1930 until the server times out. */
1931
60d10ce7 1932 if (sigalrm_seen)
ad7fc6eb 1933 {
cf0c6164 1934 tls_error(US"gnutls_handshake", "timed out", NULL, errstr);
ad7fc6eb
JH
1935 gnutls_db_remove_session(state->session);
1936 }
60d10ce7 1937 else
059ec3d9 1938 {
cf0c6164 1939 tls_error(US"gnutls_handshake", gnutls_strerror(rc), NULL, errstr);
f5d25c2b 1940 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 1941 gnutls_deinit(state->session);
ed62aae3 1942 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 1943 millisleep(500);
ad7fc6eb 1944 shutdown(state->fd_out, SHUT_WR);
60d10ce7 1945 for (rc = 1024; fgetc(smtp_in) != EOF && rc > 0; ) rc--; /* drain skt */
f1e894f3
PH
1946 (void)fclose(smtp_out);
1947 (void)fclose(smtp_in);
60d10ce7 1948 smtp_out = smtp_in = NULL;
059ec3d9
PH
1949 }
1950
1951 return FAIL;
1952 }
1953
1954DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1955
17c76198
PP
1956/* Verify after the fact */
1957
9d1c15ef 1958if ( state->verify_requirement != VERIFY_NONE
cf0c6164 1959 && !verify_certificate(state, errstr))
059ec3d9 1960 {
9d1c15ef 1961 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 1962 {
cf0c6164 1963 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 1964 return FAIL;
17c76198 1965 }
9d1c15ef
JH
1966 DEBUG(D_tls)
1967 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 1968 *errstr);
059ec3d9
PH
1969 }
1970
17c76198
PP
1971/* Figure out peer DN, and if authenticated, etc. */
1972
cf0c6164 1973if ((rc = peer_status(state, NULL)) != OK) return rc;
17c76198
PP
1974
1975/* Sets various Exim expansion variables; always safe within server */
1976
9d1c15ef 1977extract_exim_vars_from_tls_state(state);
059ec3d9
PH
1978
1979/* TLS has been set up. Adjust the input functions to read via TLS,
1980and initialize appropriately. */
1981
17c76198 1982state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH
1983
1984receive_getc = tls_getc;
0d81dabc 1985receive_getbuf = tls_getbuf;
584e96c6 1986receive_get_cache = tls_get_cache;
059ec3d9
PH
1987receive_ungetc = tls_ungetc;
1988receive_feof = tls_feof;
1989receive_ferror = tls_ferror;
58eb016e 1990receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 1991
059ec3d9
PH
1992return OK;
1993}
1994
1995
1996
1997
aa2a70ba
JH
1998static void
1999tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2000 smtp_transport_options_block * ob)
2001{
5130845b 2002if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 2003 {
4af0d74a 2004 state->exp_tls_verify_cert_hostnames =
8c5d388a 2005#ifdef SUPPORT_I18N
4af0d74a
JH
2006 string_domain_utf8_to_alabel(host->name, NULL);
2007#else
2008 host->name;
2009#endif
aa2a70ba
JH
2010 DEBUG(D_tls)
2011 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2012 state->exp_tls_verify_cert_hostnames);
2013 }
2014}
aa2a70ba
JH
2015
2016
059ec3d9
PH
2017/*************************************************
2018* Start a TLS session in a client *
2019*************************************************/
2020
2021/* Called from the smtp transport after STARTTLS has been accepted.
2022
2023Arguments:
2024 fd the fd of the connection
2025 host connected host (for messages)
83da1223 2026 addr the first address (not used)
a7538db1 2027 tb transport (always smtp)
059ec3d9 2028
cf0c6164
JH
2029 errstr error string pointer
2030
059ec3d9
PH
2031Returns: OK/DEFER/FAIL (because using common functions),
2032 but for a client, DEFER and FAIL have the same meaning
2033*/
2034
2035int
17c76198 2036tls_client_start(int fd, host_item *host,
f5d78688 2037 address_item *addr ARG_UNUSED,
cf0c6164 2038 transport_instance * tb,
0e66b3b6 2039#ifdef EXPERIMENTAL_DANE
cf0c6164 2040 dns_answer * tlsa_dnsa ARG_UNUSED,
0e66b3b6 2041#endif
cf0c6164 2042 uschar ** errstr)
059ec3d9 2043{
a7538db1
JH
2044smtp_transport_options_block *ob =
2045 (smtp_transport_options_block *)tb->options_block;
059ec3d9 2046int rc;
17c76198 2047exim_gnutls_state_st *state = NULL;
f2de3a33 2048#ifndef DISABLE_OCSP
5130845b
JH
2049BOOL require_ocsp =
2050 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
44662487 2051BOOL request_ocsp = require_ocsp ? TRUE
5130845b 2052 : verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2b4a568d 2053#endif
059ec3d9 2054
17c76198 2055DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
059ec3d9 2056
65867078
JH
2057if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
2058 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
cf0c6164 2059 ob->tls_require_ciphers, &state, errstr)) != OK)
2b4a568d 2060 return rc;
059ec3d9 2061
54c90be1 2062 {
65867078
JH
2063 int dh_min_bits = ob->tls_dh_min_bits;
2064 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2065 {
2066 DEBUG(D_tls)
2067 debug_printf("WARNING: tls_dh_min_bits far too low,"
2068 " clamping %d up to %d\n",
2069 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2070 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2071 }
54c90be1 2072
65867078
JH
2073 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2074 " acceptable bits to %d\n",
2075 dh_min_bits);
2076 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2077 }
83da1223 2078
94431adb 2079/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH
2080set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2081the specified host patterns if one of them is defined */
2082
aa2a70ba
JH
2083if ( ( state->exp_tls_verify_certificates
2084 && !ob->tls_verify_hosts
610ff438 2085 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
aa2a70ba 2086 )
5130845b 2087 || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
2b4a568d 2088 )
17c76198 2089 {
aa2a70ba 2090 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH
2091 DEBUG(D_tls)
2092 debug_printf("TLS: server certificate verification required.\n");
2093 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB
2094 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2095 }
5130845b 2096else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
52f93eed 2097 {
aa2a70ba 2098 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH
2099 DEBUG(D_tls)
2100 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2101 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP
2102 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2103 }
2104else
2105 {
e51c7be2
JH
2106 DEBUG(D_tls)
2107 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB
2108 state->verify_requirement = VERIFY_NONE;
2109 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2110 }
059ec3d9 2111
f2de3a33
JH
2112#ifndef DISABLE_OCSP
2113 /* supported since GnuTLS 3.1.3 */
44662487 2114if (request_ocsp)
9d1c15ef
JH
2115 {
2116 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH
2117 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2118 NULL, 0, NULL)) != OK)
9d1c15ef 2119 return tls_error(US"cert-status-req",
cf0c6164 2120 gnutls_strerror(rc), state->host, errstr);
44662487 2121 tls_out.ocsp = OCSP_NOT_RESP;
9d1c15ef 2122 }
2b4a568d
JH
2123#endif
2124
0cbf2b82 2125#ifndef DISABLE_EVENT
774ef2d7 2126if (tb->event_action)
a7538db1 2127 {
774ef2d7 2128 state->event_action = tb->event_action;
a7538db1 2129 gnutls_session_set_ptr(state->session, state);
723fe533 2130 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH
2131 }
2132#endif
2133
27f19eb4 2134gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) fd);
17c76198
PP
2135state->fd_in = fd;
2136state->fd_out = fd;
059ec3d9 2137
9d1c15ef 2138DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH
2139/* There doesn't seem to be a built-in timeout on connection. */
2140
2141sigalrm_seen = FALSE;
65867078 2142alarm(ob->command_timeout);
17c76198
PP
2143do
2144 {
2145 rc = gnutls_handshake(state->session);
619b2b25
PP
2146 } while ((rc == GNUTLS_E_AGAIN) ||
2147 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
059ec3d9
PH
2148alarm(0);
2149
4fe99a6c 2150if (rc != GNUTLS_E_SUCCESS)
60d10ce7
JH
2151 if (sigalrm_seen)
2152 {
2153 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
cf0c6164 2154 return tls_error(US"gnutls_handshake", "timed out", state->host, errstr);
60d10ce7
JH
2155 }
2156 else
cf0c6164 2157 return tls_error(US"gnutls_handshake", gnutls_strerror(rc), state->host, errstr);
4fe99a6c 2158
17c76198 2159DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
059ec3d9 2160
17c76198 2161/* Verify late */
059ec3d9 2162
17c76198 2163if (state->verify_requirement != VERIFY_NONE &&
cf0c6164
JH
2164 !verify_certificate(state, errstr))
2165 return tls_error(US"certificate verification failed", *errstr, state->host, errstr);
059ec3d9 2166
f2de3a33 2167#ifndef DISABLE_OCSP
2b4a568d
JH
2168if (require_ocsp)
2169 {
2170 DEBUG(D_tls)
2171 {
2172 gnutls_datum_t stapling;
2173 gnutls_ocsp_resp_t resp;
2174 gnutls_datum_t printed;
2175 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
2176 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
2177 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2178 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
2179 )
2180 {
65867078 2181 debug_printf("%.4096s", printed.data);
2b4a568d
JH
2182 gnutls_free(printed.data);
2183 }
2184 else
cf0c6164 2185 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host, errstr);
2b4a568d
JH
2186 }
2187
2b4a568d 2188 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2
JH
2189 {
2190 tls_out.ocsp = OCSP_FAILED;
cf0c6164 2191 return tls_error(US"certificate status check failed", NULL, state->host, errstr);
018058b2 2192 }
2b4a568d 2193 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
44662487 2194 tls_out.ocsp = OCSP_VFIED;
2b4a568d
JH
2195 }
2196#endif
2197
17c76198 2198/* Figure out peer DN, and if authenticated, etc. */
059ec3d9 2199
cf0c6164 2200if ((rc = peer_status(state, errstr)) != OK)
2b4a568d 2201 return rc;
059ec3d9 2202
4fe99a6c 2203/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 2204
9d1c15ef 2205extract_exim_vars_from_tls_state(state);
059ec3d9 2206
059ec3d9
PH
2207return OK;
2208}
2209
2210
2211
17c76198 2212
059ec3d9 2213/*************************************************
17c76198 2214* Close down a TLS session *
059ec3d9
PH
2215*************************************************/
2216
17c76198
PP
2217/* This is also called from within a delivery subprocess forked from the
2218daemon, to shut down the TLS library, without actually doing a shutdown (which
2219would tamper with the TLS session in the parent process).
059ec3d9 2220
17c76198
PP
2221Arguments: TRUE if gnutls_bye is to be called
2222Returns: nothing
059ec3d9
PH
2223*/
2224
17c76198 2225void
817d9f57 2226tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 2227{
817d9f57 2228exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
059ec3d9 2229
389ca47a 2230if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
17c76198
PP
2231
2232if (shutdown)
2233 {
f5723109 2234 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
17c76198
PP
2235 gnutls_bye(state->session, GNUTLS_SHUT_WR);
2236 }
2237
2238gnutls_deinit(state->session);
ed62aae3
HSHR
2239gnutls_certificate_free_credentials(state->x509_cred);
2240
17c76198 2241
389ca47a 2242state->tlsp->active = -1;
17c76198
PP
2243memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
2244
2245if ((state_server.session == NULL) && (state_client.session == NULL))
2246 {
2247 gnutls_global_deinit();
2248 exim_gnutls_base_init_done = FALSE;
2249 }
059ec3d9
PH
2250}
2251
2252
2253
17c76198 2254
0d81dabc
JH
2255static BOOL
2256tls_refill(unsigned lim)
2257{
2258exim_gnutls_state_st * state = &state_server;
2259ssize_t inbytes;
2260
2261DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2262 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
2263
2264if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2265inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
2266 MIN(ssl_xfer_buffer_size, lim));
2267alarm(0);
2268
2269/* Timeouts do not get this far; see command_timeout_handler().
2270 A zero-byte return appears to mean that the TLS session has been
2271 closed down, not that the socket itself has been closed down. Revert to
2272 non-TLS handling. */
2273
2274if (sigalrm_seen)
2275 {
2276 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
2277 state->xfer_error = 1;
2278 return FALSE;
2279 }
2280
2281else if (inbytes == 0)
2282 {
2283 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2284
2285 receive_getc = smtp_getc;
2286 receive_getbuf = smtp_getbuf;
2287 receive_get_cache = smtp_get_cache;
2288 receive_ungetc = smtp_ungetc;
2289 receive_feof = smtp_feof;
2290 receive_ferror = smtp_ferror;
2291 receive_smtp_buffered = smtp_buffered;
2292
2293 gnutls_deinit(state->session);
2294 gnutls_certificate_free_credentials(state->x509_cred);
2295
2296 state->session = NULL;
2297 state->tlsp->active = -1;
2298 state->tlsp->bits = 0;
2299 state->tlsp->certificate_verified = FALSE;
2300 tls_channelbinding_b64 = NULL;
2301 state->tlsp->cipher = NULL;
2302 state->tlsp->peercert = NULL;
2303 state->tlsp->peerdn = NULL;
2304
2305 return FALSE;
2306 }
2307
2308/* Handle genuine errors */
2309
2310else if (inbytes < 0)
2311 {
2312 record_io_error(state, (int) inbytes, US"recv", NULL);
2313 state->xfer_error = 1;
2314 return FALSE;
2315 }
2316#ifndef DISABLE_DKIM
2317dkim_exim_verify_feed(state->xfer_buffer, inbytes);
2318#endif
2319state->xfer_buffer_hwm = (int) inbytes;
2320state->xfer_buffer_lwm = 0;
2321return TRUE;
2322}
2323
059ec3d9
PH
2324/*************************************************
2325* TLS version of getc *
2326*************************************************/
2327
2328/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2329it refills the buffer via the GnuTLS reading function.
817d9f57 2330Only used by the server-side TLS.
059ec3d9 2331
17c76198
PP
2332This feeds DKIM and should be used for all message-body reads.
2333
bd8fbe36 2334Arguments: lim Maximum amount to read/bufffer
059ec3d9
PH
2335Returns: the next character or EOF
2336*/
2337
2338int
bd8fbe36 2339tls_getc(unsigned lim)
059ec3d9 2340{
0d81dabc 2341exim_gnutls_state_st * state = &state_server;
059ec3d9 2342
0d81dabc
JH
2343if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2344 if (!tls_refill(lim))
2345 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 2346
0d81dabc 2347/* Something in the buffer; return next uschar */
059ec3d9 2348
0d81dabc
JH
2349return state->xfer_buffer[state->xfer_buffer_lwm++];
2350}
059ec3d9 2351
0d81dabc
JH
2352uschar *
2353tls_getbuf(unsigned * len)
2354{
2355exim_gnutls_state_st * state = &state_server;
2356unsigned size;
2357uschar * buf;
059ec3d9 2358
0d81dabc
JH
2359if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2360 if (!tls_refill(*len))
059ec3d9 2361 {
0d81dabc
JH
2362 if (!state->xfer_error) return smtp_getbuf(len);
2363 *len = 0;
2364 return NULL;
059ec3d9 2365 }
059ec3d9 2366
0d81dabc
JH
2367if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
2368 size = *len;
2369buf = &state->xfer_buffer[state->xfer_buffer_lwm];
2370state->xfer_buffer_lwm += size;
2371*len = size;
2372return buf;
059ec3d9
PH
2373}
2374
0d81dabc 2375
584e96c6
JH
2376void
2377tls_get_cache()
2378{
9960d1e5 2379#ifndef DISABLE_DKIM
584e96c6
JH
2380exim_gnutls_state_st * state = &state_server;
2381int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
2382if (n > 0)
2383 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 2384#endif
9960d1e5 2385}
584e96c6 2386
059ec3d9 2387
925ac8e4
JH
2388BOOL
2389tls_could_read(void)
2390{
2391return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
2392 || gnutls_record_check_pending(state_server.session) > 0;
2393}
2394
2395
059ec3d9 2396
17c76198 2397
059ec3d9
PH
2398/*************************************************
2399* Read bytes from TLS channel *
2400*************************************************/
2401
17c76198
PP
2402/* This does not feed DKIM, so if the caller uses this for reading message body,
2403then the caller must feed DKIM.
817d9f57 2404
059ec3d9
PH
2405Arguments:
2406 buff buffer of data
2407 len size of buffer
2408
2409Returns: the number of bytes read
2410 -1 after a failed read
2411*/
2412
2413int
817d9f57 2414tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 2415{
817d9f57 2416exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
17c76198 2417ssize_t inbytes;
059ec3d9 2418
17c76198
PP
2419if (len > INT_MAX)
2420 len = INT_MAX;
059ec3d9 2421
17c76198
PP
2422if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
2423 DEBUG(D_tls)
2424 debug_printf("*** PROBABLY A BUG *** " \
2425 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
2426 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
2427
2428DEBUG(D_tls)
2429 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
2430 state->session, buff, len);
2431
2432inbytes = gnutls_record_recv(state->session, buff, len);
059ec3d9
PH
2433if (inbytes > 0) return inbytes;
2434if (inbytes == 0)
2435 {
2436 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2437 }
17c76198 2438else record_io_error(state, (int)inbytes, US"recv", NULL);
059ec3d9
PH
2439
2440return -1;
2441}
2442
2443
2444
17c76198 2445
059ec3d9
PH
2446/*************************************************
2447* Write bytes down TLS channel *
2448*************************************************/
2449
2450/*
2451Arguments:
817d9f57 2452 is_server channel specifier
059ec3d9
PH
2453 buff buffer of data
2454 len number of bytes
925ac8e4 2455 more more data expected soon
059ec3d9
PH
2456
2457Returns: the number of bytes after a successful write,
2458 -1 after a failed write
2459*/
2460
2461int
925ac8e4 2462tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
059ec3d9 2463{
17c76198
PP
2464ssize_t outbytes;
2465size_t left = len;
817d9f57 2466exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
925ac8e4
JH
2467#ifdef SUPPORT_CORK
2468static BOOL corked = FALSE;
2469
2470if (more && !corked) gnutls_record_cork(state->session);
2471#endif
2472
2473DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
2474 buff, left, more ? ", more" : "");
059ec3d9 2475
059ec3d9
PH
2476while (left > 0)
2477 {
17c76198
PP
2478 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
2479 buff, left);
2480 outbytes = gnutls_record_send(state->session, buff, left);
059ec3d9 2481
17c76198 2482 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH
2483 if (outbytes < 0)
2484 {
17c76198 2485 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH
2486 return -1;
2487 }
2488 if (outbytes == 0)
2489 {
17c76198 2490 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH
2491 return -1;
2492 }
2493
2494 left -= outbytes;
2495 buff += outbytes;
2496 }
2497
17c76198
PP
2498if (len > INT_MAX)
2499 {
2500 DEBUG(D_tls)
2501 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
2502 len);
2503 len = INT_MAX;
2504 }
2505
925ac8e4
JH
2506#ifdef SUPPORT_CORK
2507if (more != corked)
2508 {
2509 if (!more) (void) gnutls_record_uncork(state->session, 0);
2510 corked = more;
2511 }
2512#endif
2513
17c76198 2514return (int) len;
059ec3d9
PH
2515}
2516
2517
2518
17c76198 2519
059ec3d9 2520/*************************************************
17c76198 2521* Random number generation *
059ec3d9
PH
2522*************************************************/
2523
17c76198
PP
2524/* Pseudo-random number generation. The result is not expected to be
2525cryptographically strong but not so weak that someone will shoot themselves
2526in the foot using it as a nonce in input in some email header scheme or
2527whatever weirdness they'll twist this into. The result should handle fork()
2528and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 2529
17c76198
PP
2530Arguments:
2531 max range maximum
2532Returns a random number in range [0, max-1]
059ec3d9
PH
2533*/
2534
af3498d6 2535#ifdef HAVE_GNUTLS_RND
17c76198
PP
2536int
2537vaguely_random_number(int max)
059ec3d9 2538{
17c76198
PP
2539unsigned int r;
2540int i, needed_len;
2541uschar *p;
2542uschar smallbuf[sizeof(r)];
2543
2544if (max <= 1)
2545 return 0;
2546
2547needed_len = sizeof(r);
2548/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2549 * asked for a number less than 10. */
2550for (r = max, i = 0; r; ++i)
2551 r >>= 1;
2552i = (i + 7) / 8;
2553if (i < needed_len)
2554 needed_len = i;
2555
2556i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2557if (i < 0)
059ec3d9 2558 {
17c76198
PP
2559 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2560 return vaguely_random_number_fallback(max);
2561 }
2562r = 0;
2563for (p = smallbuf; needed_len; --needed_len, ++p)
2564 {
2565 r *= 256;
2566 r += *p;
059ec3d9
PH
2567 }
2568
17c76198
PP
2569/* We don't particularly care about weighted results; if someone wants
2570 * smooth distribution and cares enough then they should submit a patch then. */
2571return r % max;
059ec3d9 2572}
af3498d6
PP
2573#else /* HAVE_GNUTLS_RND */
2574int
2575vaguely_random_number(int max)
2576{
2577 return vaguely_random_number_fallback(max);
2578}
2579#endif /* HAVE_GNUTLS_RND */
059ec3d9 2580
36f12725
NM
2581
2582
2583
2584/*************************************************
3375e053
PP
2585* Let tls_require_ciphers be checked at startup *
2586*************************************************/
2587
2588/* The tls_require_ciphers option, if set, must be something which the
2589library can parse.
2590
2591Returns: NULL on success, or error message
2592*/
2593
2594uschar *
2595tls_validate_require_cipher(void)
2596{
2597int rc;
2598uschar *expciphers = NULL;
2599gnutls_priority_t priority_cache;
2600const char *errpos;
cf0c6164 2601uschar * dummy_errstr;
3375e053
PP
2602
2603#define validate_check_rc(Label) do { \
2604 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2605 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2606#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2607
2608if (exim_gnutls_base_init_done)
2609 log_write(0, LOG_MAIN|LOG_PANIC,
2610 "already initialised GnuTLS, Exim developer bug");
2611
a5f239e4 2612#ifdef HAVE_GNUTLS_PKCS11
2519e60d 2613if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP
2614 {
2615 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2616 validate_check_rc(US"gnutls_pkcs11_init");
2617 }
2618#endif
3375e053
PP
2619rc = gnutls_global_init();
2620validate_check_rc(US"gnutls_global_init()");
2621exim_gnutls_base_init_done = TRUE;
2622
2623if (!(tls_require_ciphers && *tls_require_ciphers))
2624 return_deinit(NULL);
2625
cf0c6164
JH
2626if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2627 &dummy_errstr))
3375e053
PP
2628 return_deinit(US"failed to expand tls_require_ciphers");
2629
2630if (!(expciphers && *expciphers))
2631 return_deinit(NULL);
2632
2633DEBUG(D_tls)
2634 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2635
2636rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2637validate_check_rc(string_sprintf(
2638 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2639 expciphers, errpos - CS expciphers, errpos));
2640
2641#undef return_deinit
2642#undef validate_check_rc
2643gnutls_global_deinit();
2644
2645return NULL;
2646}
2647
2648
2649
2650
2651/*************************************************
36f12725
NM
2652* Report the library versions. *
2653*************************************************/
2654
2655/* See a description in tls-openssl.c for an explanation of why this exists.
2656
2657Arguments: a FILE* to print the results to
2658Returns: nothing
2659*/
2660
2661void
2662tls_version_report(FILE *f)
2663{
754a0503
PP
2664fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2665 " Runtime: %s\n",
2666 LIBGNUTLS_VERSION,
2667 gnutls_check_version(NULL));
36f12725
NM
2668}
2669
2b4a568d
JH
2670/* vi: aw ai sw=2
2671*/
059ec3d9 2672/* End of tls-gnu.c */