projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Testsuite: move CRL testcases away from using SHA1-signed certs
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
9242a7e8 5/* Copyright (c) University of Cambridge 1995 - 2017 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP		 10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP		 14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 16Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 17appropriate.
059ec3d9 18
17c76198
PP		 19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP		 24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP		 27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP		 32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP		 37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
a5f239e4
PP		 42/* needed to disable PKCS11 autoload unless requested */
43#if GNUTLS_VERSION_NUMBER >= 0x020c00
44# include <gnutls/pkcs11.h>
76075bb5 45# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 46#endif
7e07527a
JH		 47#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
48# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
49# define DISABLE_OCSP
50#endif
0cbf2b82 51#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 52# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 53# define DISABLE_EVENT
a7538db1 54#endif
a7fec7a7
JH		 55#if GNUTLS_VERSION_NUMBER >= 0x030306
56# define SUPPORT_CA_DIR
57#else
58# undef SUPPORT_CA_DIR
59#endif
11a04b5a 60#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH		 61# define SUPPORT_SYSDEFAULT_CABUNDLE
62#endif
925ac8e4
JH		 63#if GNUTLS_VERSION_NUMBER >= 0x030109
64# define SUPPORT_CORK
65#endif
47195144
JH		 66#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
67# define SUPPORT_SRV_OCSP_STACK
68#endif
7e07527a 69
f2de3a33 70#ifndef DISABLE_OCSP
2b4a568d
JH		 71# include <gnutls/ocsp.h>
72#endif
059ec3d9 73
17c76198 74/* GnuTLS 2 vs 3
059ec3d9 75
17c76198
PP		 76GnuTLS 3 only:
77 gnutls_global_set_audit_log_function()
059ec3d9 78
17c76198
PP		 79Changes:
80 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
81*/
059ec3d9 82
17c76198 83/* Local static variables for GnuTLS */
059ec3d9 84
17c76198 85/* Values for verify_requirement */
059ec3d9 86
e51c7be2 87enum peer_verify_requirement
aa2a70ba 88 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
059ec3d9 89
17c76198
PP		 90/* This holds most state for server or client; with this, we can set up an
91outbound TLS-enabled connection in an ACL callout, while not stomping all
92over the TLS variables available for expansion.
059ec3d9 93
17c76198
PP		 94Some of these correspond to variables in globals.c; those variables will
95be set to point to content in one of these instances, as appropriate for
96the stage of the process lifetime.
059ec3d9 97
389ca47a 98Not handled here: global tls_channelbinding_b64.
17c76198 99*/
059ec3d9 100
17c76198 101typedef struct exim_gnutls_state {
9d1c15ef 102 gnutls_session_t session;
17c76198 103 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 104 gnutls_priority_t priority_cache;
17c76198 105 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH		 106 int fd_in;
107 int fd_out;
108 BOOL peer_cert_verified;
109 BOOL trigger_sni_changes;
110 BOOL have_set_peerdn;
17c76198 111 const struct host_item *host;
9d1c15ef
JH		 112 gnutls_x509_crt_t peercert;
113 uschar *peerdn;
114 uschar *ciphersuite;
115 uschar *received_sni;
17c76198
PP		 116
117 const uschar *tls_certificate;
118 const uschar *tls_privatekey;
119 const uschar *tls_sni; /* client send only, not received */
120 const uschar *tls_verify_certificates;
121 const uschar *tls_crl;
122 const uschar *tls_require_ciphers;
e51c7be2 123
17c76198
PP		 124 uschar *exp_tls_certificate;
125 uschar *exp_tls_privatekey;
17c76198
PP		 126 uschar *exp_tls_verify_certificates;
127 uschar *exp_tls_crl;
128 uschar *exp_tls_require_ciphers;
55414b25 129 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 130#ifndef DISABLE_EVENT
a7538db1
JH		 131 uschar *event_action;
132#endif
17c76198 133
389ca47a 134 tls_support *tlsp; /* set in tls_init() */
817d9f57 135
17c76198
PP		 136 uschar *xfer_buffer;
137 int xfer_buffer_lwm;
138 int xfer_buffer_hwm;
139 int xfer_eof;
140 int xfer_error;
17c76198
PP		 141} exim_gnutls_state_st;
142
143static const exim_gnutls_state_st exim_gnutls_state_init = {
f2ed27cf
JH		 144 .session = NULL,
145 .x509_cred = NULL,
146 .priority_cache = NULL,
147 .verify_requirement = VERIFY_NONE,
148 .fd_in = -1,
149 .fd_out = -1,
150 .peer_cert_verified = FALSE,
151 .trigger_sni_changes =FALSE,
152 .have_set_peerdn = FALSE,
153 .host = NULL,
154 .peercert = NULL,
155 .peerdn = NULL,
156 .ciphersuite = NULL,
157 .received_sni = NULL,
158
159 .tls_certificate = NULL,
160 .tls_privatekey = NULL,
161 .tls_sni = NULL,
162 .tls_verify_certificates = NULL,
163 .tls_crl = NULL,
164 .tls_require_ciphers =NULL,
165
166 .exp_tls_certificate = NULL,
167 .exp_tls_privatekey = NULL,
168 .exp_tls_verify_certificates = NULL,
169 .exp_tls_crl = NULL,
170 .exp_tls_require_ciphers = NULL,
f2ed27cf 171 .exp_tls_verify_cert_hostnames = NULL,
0cbf2b82 172#ifndef DISABLE_EVENT
f2ed27cf 173 .event_action = NULL,
e51c7be2 174#endif
f2ed27cf
JH		 175 .tlsp = NULL,
176
177 .xfer_buffer = NULL,
178 .xfer_buffer_lwm = 0,
179 .xfer_buffer_hwm = 0,
180 .xfer_eof = 0,
181 .xfer_error = 0,
17c76198 182};
83da1223 183
17c76198
PP		 184/* Not only do we have our own APIs which don't pass around state, assuming
185it's held in globals, GnuTLS doesn't appear to let us register callback data
186for callbacks, or as part of the session, so we have to keep a "this is the
187context we're currently dealing with" pointer and rely upon being
188single-threaded to keep from processing data on an inbound TLS connection while
189talking to another TLS connection for an outbound check. This does mean that
190there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH		 191second connection.
192XXX But see gnutls_session_get_ptr()
193*/
059ec3d9 194
17c76198 195static exim_gnutls_state_st state_server, state_client;
059ec3d9 196
17c76198
PP		 197/* dh_params are initialised once within the lifetime of a process using TLS;
198if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
199don't want to repeat this. */
83da1223 200
17c76198 201static gnutls_dh_params_t dh_server_params = NULL;
059ec3d9 202
17c76198 203/* No idea how this value was chosen; preserving it. Default is 3600. */
059ec3d9 204
17c76198 205static const int ssl_session_timeout = 200;
059ec3d9 206
17c76198 207static const char * const exim_default_gnutls_priority = "NORMAL";
83da1223 208
17c76198 209/* Guard library core initialisation */
83da1223 210
17c76198 211static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 212
4fb7df6d 213#ifndef DISABLE_OCSP
9196d5bf 214static BOOL gnutls_buggy_ocsp = FALSE;
4fb7df6d 215#endif
9196d5bf 216
059ec3d9 217
17c76198
PP		 218/* ------------------------------------------------------------------------ */
219/* macros */
83da1223 220
17c76198 221#define MAX_HOST_LEN 255
83da1223 222
17c76198
PP		 223/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
224the library logging; a value less than 0 disables the calls to set up logging
ef9da2ee
JH		 225callbacks. Possibly GNuTLS also looks for an environment variable
226"GNUTLS_DEBUG_LEVEL". */
2c17bb02 227#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
a7538db1 228# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 229#endif
83da1223 230
2c17bb02 231#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 232# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 233#endif
83da1223 234
af3498d6
PP		 235/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
236can ask for a bit-strength. Without that, we stick to the constant we had
237before, for now. */
2c17bb02 238#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 239# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 240#endif
af3498d6 241
47195144
JH		 242#define exim_gnutls_err_check(rc, Label) do { \
243 if ((rc) != GNUTLS_E_SUCCESS) \
cf0c6164
JH		 244 return tls_error((Label), gnutls_strerror(rc), host, errstr); \
245 } while (0)
059ec3d9 246
cf0c6164
JH		 247#define expand_check_tlsvar(Varname, errstr) \
248 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 249
17c76198 250#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH		 251# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
252# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
253# define HAVE_GNUTLS_RND
2519e60d
TL		 254/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
255 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
256 * isn't available sometimes, so this needs to become a conditional
257 * compilation; the sanest way to deal with this being a problem on
258 * older OSes is to block it in the Local/Makefile with this compiler
259 * definition */
e51c7be2
JH		 260# ifndef AVOID_GNUTLS_PKCS11
261# define HAVE_GNUTLS_PKCS11
262# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 263#endif
83da1223 264
af3498d6
PP		 265
266
267
268/* ------------------------------------------------------------------------ */
269/* Callback declarations */
270
271#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
272static void exim_gnutls_logger_cb(int level, const char *message);
273#endif
274
275static int exim_sni_handling_cb(gnutls_session_t session);
276
f2de3a33 277#ifndef DISABLE_OCSP
44662487
JH		 278static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
279 gnutls_datum_t * ocsp_response);
280#endif
af3498d6
PP		 281
282
283
17c76198
PP		 284/* ------------------------------------------------------------------------ */
285/* Static functions */
059ec3d9
PH		 286
287/*************************************************
288* Handle TLS error *
289*************************************************/
290
291/* Called from lots of places when errors occur before actually starting to do
292the TLS handshake, that is, while the session is still in clear. Always returns
293DEFER for a server and FAIL for a client so that most calls can use "return
294tls_error(...)" to do this processing and then give an appropriate return. A
295single function is used for both server and client, because it is called from
296some shared functions.
297
298Argument:
299 prefix text to include in the logged error
7199e1ee
TF		 300 msg additional error string (may be NULL)
301 usually obtained from gnutls_strerror()
17c76198
PP		 302 host NULL if setting up a server;
303 the connected host if setting up a client
cf0c6164 304 errstr pointer to returned error string
059ec3d9
PH		 305
306Returns: OK/DEFER/FAIL
307*/
308
309static int
cf0c6164
JH		 310tls_error(const uschar *prefix, const char *msg, const host_item *host,
311 uschar ** errstr)
059ec3d9 312{
cf0c6164
JH		 313if (errstr)
314 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : "");
315return host ? FAIL : DEFER;
059ec3d9
PH		 316}
317
318
319
17c76198 320
059ec3d9 321/*************************************************
17c76198 322* Deal with logging errors during I/O *
059ec3d9
PH		 323*************************************************/
324
17c76198 325/* We have to get the identity of the peer from saved data.
059ec3d9 326
17c76198
PP		 327Argument:
328 state the current GnuTLS exim state container
329 rc the GnuTLS error code, or 0 if it's a local error
330 when text identifying read or write
331 text local error text when ec is 0
059ec3d9 332
17c76198 333Returns: nothing
059ec3d9
PH		 334*/
335
17c76198
PP		 336static void
337record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 338{
cf0c6164
JH		 339const char * msg;
340uschar * errstr;
059ec3d9 341
17c76198
PP		 342if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
343 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
344 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
345else
346 msg = gnutls_strerror(rc);
059ec3d9 347
cf0c6164
JH		 348(void) tls_error(when, msg, state->host, &errstr);
349
350if (state->host)
351 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
352 state->host->name, state->host->address, errstr);
353else
354 {
355 uschar * conn_info = smtp_get_connection_info();
356 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
357 /* I'd like to get separated H= here, but too hard for now */
358 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
359 }
17c76198 360}
059ec3d9 361
059ec3d9 362
059ec3d9 363
059ec3d9 364
17c76198
PP		 365/*************************************************
366* Set various Exim expansion vars *
367*************************************************/
059ec3d9 368
e51c7be2
JH		 369#define exim_gnutls_cert_err(Label) \
370 do \
371 { \
372 if (rc != GNUTLS_E_SUCCESS) \
373 { \
374 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
375 (Label), gnutls_strerror(rc)); \
376 return rc; \
377 } \
378 } while (0)
9d1c15ef
JH		 379
380static int
27f19eb4 381import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH		 382{
383int rc;
384
385rc = gnutls_x509_crt_init(crtp);
386exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
387
388rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
389exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
390
391return rc;
392}
393
394#undef exim_gnutls_cert_err
395
396
17c76198
PP		 397/* We set various Exim global variables from the state, once a session has
398been established. With TLS callouts, may need to change this to stack
399variables, or just re-call it with the server state after client callout
400has finished.
059ec3d9 401
9d1c15ef 402Make sure anything set here is unset in tls_getc().
17c76198
PP		 403
404Sets:
405 tls_active fd
406 tls_bits strength indicator
407 tls_certificate_verified bool indicator
408 tls_channelbinding_b64 for some SASL mechanisms
409 tls_cipher a string
9d1c15ef 410 tls_peercert pointer to library internal
17c76198
PP		 411 tls_peerdn a string
412 tls_sni a (UTF-8) string
9d1c15ef 413 tls_ourcert pointer to library internal
17c76198
PP		 414
415Argument:
416 state the relevant exim_gnutls_state_st *
417*/
418
419static void
9d1c15ef 420extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 421{
17c76198 422gnutls_cipher_algorithm_t cipher;
17c76198
PP		 423#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
424int old_pool;
425int rc;
426gnutls_datum_t channel;
427#endif
9d1c15ef 428tls_support * tlsp = state->tlsp;
17c76198 429
9d1c15ef 430tlsp->active = state->fd_out;
17c76198
PP		 431
432cipher = gnutls_cipher_get(state->session);
433/* returns size in "bytes" */
9d1c15ef 434tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
17c76198 435
9d1c15ef 436tlsp->cipher = state->ciphersuite;
17c76198 437
817d9f57 438DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 439
9d1c15ef 440tlsp->certificate_verified = state->peer_cert_verified;
059ec3d9 441
17c76198
PP		 442/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
443only available for use for authenticators while this TLS session is running. */
444
445tls_channelbinding_b64 = NULL;
446#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
447channel.data = NULL;
448channel.size = 0;
449rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
450if (rc) {
451 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
452} else {
453 old_pool = store_pool;
454 store_pool = POOL_PERM;
f4d091fb 455 tls_channelbinding_b64 = b64encode(channel.data, (int)channel.size);
17c76198
PP		 456 store_pool = old_pool;
457 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
458}
459#endif
460
9d1c15ef
JH		 461/* peercert is set in peer_status() */
462tlsp->peerdn = state->peerdn;
463tlsp->sni = state->received_sni;
464
465/* record our certificate */
466 {
27f19eb4 467 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH		 468 gnutls_x509_crt_t crt;
469
470 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
471 }
059ec3d9
PH		 472}
473
474
475
17c76198 476
059ec3d9 477/*************************************************
575643cd 478* Setup up DH parameters *
059ec3d9
PH		 479*************************************************/
480
575643cd 481/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH		 482be re-generated every so often, depending on security policy. What we do is to
483keep these parameters in a file in the spool directory. If the file does not
484exist, we generate them. This means that it is easy to cause a regeneration.
485
486The new file is written as a temporary file and renamed, so that an incomplete
487file is never present. If two processes both compute some new parameters, you
488waste a bit of effort, but it doesn't seem worth messing around with locking to
489prevent this.
490
059ec3d9
PH		 491Returns: OK/DEFER/FAIL
492*/
493
494static int
cf0c6164 495init_server_dh(uschar ** errstr)
059ec3d9 496{
17c76198
PP		 497int fd, rc;
498unsigned int dh_bits;
27f19eb4 499gnutls_datum_t m;
a799883d
PP		 500uschar filename_buf[PATH_MAX];
501uschar *filename = NULL;
17c76198 502size_t sz;
a799883d
PP		 503uschar *exp_tls_dhparam;
504BOOL use_file_in_spool = FALSE;
505BOOL use_fixed_file = FALSE;
17c76198 506host_item *host = NULL; /* dummy for macros */
059ec3d9 507
17c76198 508DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 509
17c76198 510rc = gnutls_dh_params_init(&dh_server_params);
47195144 511exim_gnutls_err_check(rc, US"gnutls_dh_params_init");
059ec3d9 512
a799883d
PP		 513m.data = NULL;
514m.size = 0;
515
cf0c6164 516if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP		 517 return DEFER;
518
519if (!exp_tls_dhparam)
520 {
521 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
522 m.data = US std_dh_prime_default();
523 m.size = Ustrlen(m.data);
524 }
525else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
526 use_file_in_spool = TRUE;
527else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
528 {
529 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
530 return OK;
531 }
532else if (exp_tls_dhparam[0] != '/')
533 {
f5d25c2b 534 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
cf0c6164 535 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL, errstr);
a799883d
PP		 536 m.size = Ustrlen(m.data);
537 }
538else
539 {
540 use_fixed_file = TRUE;
541 filename = exp_tls_dhparam;
542 }
543
544if (m.data)
545 {
546 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
47195144 547 exim_gnutls_err_check(rc, US"gnutls_dh_params_import_pkcs3");
a799883d
PP		 548 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
549 return OK;
550 }
551
af3498d6
PP		 552#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
553/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198
PP		 554different filename and ensure we have sufficient bits. */
555dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
556if (!dh_bits)
cf0c6164 557 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 558DEBUG(D_tls)
b34fc30c 559 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP		 560 dh_bits);
561#else
562dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
563DEBUG(D_tls)
564 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
565 dh_bits);
566#endif
059ec3d9 567
3375e053
PP		 568/* Some clients have hard-coded limits. */
569if (dh_bits > tls_dh_max_bits)
570 {
571 DEBUG(D_tls)
572 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
573 tls_dh_max_bits);
574 dh_bits = tls_dh_max_bits;
575 }
576
a799883d
PP		 577if (use_file_in_spool)
578 {
579 if (!string_format(filename_buf, sizeof(filename_buf),
580 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 581 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP		 582 filename = filename_buf;
583 }
059ec3d9 584
b5aea5e1 585/* Open the cache file for reading and if successful, read it and set up the
575643cd 586parameters. */
059ec3d9 587
f5d25c2b 588if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 589 {
b5aea5e1 590 struct stat statbuf;
17c76198
PP		 591 FILE *fp;
592 int saved_errno;
593
594 if (fstat(fd, &statbuf) < 0) /* EIO */
595 {
596 saved_errno = errno;
597 (void)close(fd);
cf0c6164 598 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL, errstr);
17c76198
PP		 599 }
600 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH		 601 {
602 (void)close(fd);
cf0c6164 603 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 604 }
40c90bca 605 if (!(fp = fdopen(fd, "rb")))
17c76198
PP		 606 {
607 saved_errno = errno;
608 (void)close(fd);
609 return tls_error(US"fdopen(TLS cache stat fd) failed",
cf0c6164 610 strerror(saved_errno), NULL, errstr);
b5aea5e1 611 }
059ec3d9 612
b5aea5e1 613 m.size = statbuf.st_size;
40c90bca 614 if (!(m.data = malloc(m.size)))
17c76198
PP		 615 {
616 fclose(fp);
cf0c6164 617 return tls_error(US"malloc failed", strerror(errno), NULL, errstr);
17c76198 618 }
40c90bca 619 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP		 620 {
621 saved_errno = errno;
622 fclose(fp);
623 free(m.data);
cf0c6164 624 return tls_error(US"fread failed", strerror(saved_errno), NULL, errstr);
17c76198
PP		 625 }
626 fclose(fp);
b5aea5e1 627
17c76198 628 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
b5aea5e1 629 free(m.data);
47195144 630 exim_gnutls_err_check(rc, US"gnutls_dh_params_import_pkcs3");
17c76198 631 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH		 632 }
633
634/* If the file does not exist, fall through to compute new data and cache it.
635If there was any other opening error, it is serious. */
636
182ad5cf
PH		 637else if (errno == ENOENT)
638 {
17c76198 639 rc = -1;
182ad5cf 640 DEBUG(D_tls)
17c76198 641 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH		 642 }
643else
17c76198 644 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 645 NULL, NULL, errstr);
b5aea5e1
PH		 646
647/* If ret < 0, either the cache file does not exist, or the data it contains
648is not useful. One particular case of this is when upgrading from an older
649release of Exim in which the data was stored in a different format. We don't
650try to be clever and support both formats; we just regenerate new data in this
651case. */
652
17c76198 653if (rc < 0)
b5aea5e1 654 {
17c76198 655 uschar *temp_fn;
201f5254 656 unsigned int dh_bits_gen = dh_bits;
059ec3d9 657
17c76198
PP		 658 if ((PATH_MAX - Ustrlen(filename)) < 10)
659 return tls_error(US"Filename too long to generate replacement",
cf0c6164 660 CS filename, NULL, errstr);
059ec3d9 661
17c76198 662 temp_fn = string_copy(US "%s.XXXXXXX");
f5d25c2b 663 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
cf0c6164 664 return tls_error(US"Unable to open temp file", strerror(errno), NULL, errstr);
059ec3d9
PH		 665 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
666
201f5254
PP		 667 /* GnuTLS overshoots!
668 * If we ask for 2236, we might get 2237 or more.
669 * But there's no way to ask GnuTLS how many bits there really are.
670 * We can ask how many bits were used in a TLS session, but that's it!
671 * The prime itself is hidden behind too much abstraction.
672 * So we ask for less, and proceed on a wing and a prayer.
673 * First attempt, subtracted 3 for 2233 and got 2240.
674 */
cae6e576 675 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP		 676 {
677 dh_bits_gen = dh_bits - 10;
678 DEBUG(D_tls)
679 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
680 dh_bits_gen);
681 }
682
683 DEBUG(D_tls)
684 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
685 dh_bits_gen);
686 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
47195144 687 exim_gnutls_err_check(rc, US"gnutls_dh_params_generate2");
17c76198
PP		 688
689 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
690 and I confirmed that a NULL call to get the size first is how the GnuTLS
691 sample apps handle this. */
692
693 sz = 0;
694 m.data = NULL;
695 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
696 m.data, &sz);
697 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
47195144 698 exim_gnutls_err_check(rc, US"gnutls_dh_params_export_pkcs3(NULL) sizing");
17c76198 699 m.size = sz;
40c90bca 700 if (!(m.data = malloc(m.size)))
cf0c6164 701 return tls_error(US"memory allocation failed", strerror(errno), NULL, errstr);
40c90bca 702
1f00591e 703 /* this will return a size 1 less than the allocation size above */
17c76198 704 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
1f00591e 705 m.data, &sz);
17c76198
PP		 706 if (rc != GNUTLS_E_SUCCESS)
707 {
708 free(m.data);
47195144 709 exim_gnutls_err_check(rc, US"gnutls_dh_params_export_pkcs3() real");
17c76198 710 }
1f00591e 711 m.size = sz; /* shrink by 1, probably */
059ec3d9 712
f5d25c2b 713 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198
PP		 714 {
715 free(m.data);
716 return tls_error(US"TLS cache write D-H params failed",
cf0c6164 717 strerror(errno), NULL, errstr);
17c76198 718 }
b5aea5e1 719 free(m.data);
f5d25c2b 720 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
17c76198 721 return tls_error(US"TLS cache write D-H params final newline failed",
cf0c6164 722 strerror(errno), NULL, errstr);
17c76198 723
f5d25c2b 724 if ((rc = close(fd)))
cf0c6164 725 return tls_error(US"TLS cache write close() failed", strerror(errno), NULL, errstr);
059ec3d9 726
17c76198
PP		 727 if (Urename(temp_fn, filename) < 0)
728 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
cf0c6164 729 temp_fn, filename), strerror(errno), NULL, errstr);
059ec3d9 730
17c76198 731 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH		 732 }
733
17c76198 734DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH		 735return OK;
736}
737
738
739
740
23bb6982
JH		 741/* Create and install a selfsigned certificate, for use in server mode */
742
743static int
cf0c6164 744tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH		 745{
746gnutls_x509_crt_t cert = NULL;
747time_t now;
748gnutls_x509_privkey_t pkey = NULL;
749const uschar * where;
750int rc;
751
752where = US"initialising pkey";
753if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
754
755where = US"initialising cert";
756if ((rc = gnutls_x509_crt_init(&cert))) goto err;
757
758where = US"generating pkey";
759if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 760#ifdef SUPPORT_PARAM_TO_PK_BITS
23bb6982 761 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW),
76075bb5
JH		 762#else
763 1024,
764#endif
765 0)))
23bb6982
JH		 766 goto err;
767
768where = US"configuring cert";
769now = 0;
770if ( (rc = gnutls_x509_crt_set_version(cert, 3))
771 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
772 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
773 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
774 || (rc = gnutls_x509_crt_set_key(cert, pkey))
775
776 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
777 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
778 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
779 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
780 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
781 GNUTLS_OID_X520_COMMON_NAME, 0,
782 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
783 )
784 goto err;
785
786where = US"signing cert";
787if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
788
789where = US"installing selfsign cert";
790 /* Since: 2.4.0 */
791if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
792 goto err;
793
794rc = OK;
795
796out:
797 if (cert) gnutls_x509_crt_deinit(cert);
798 if (pkey) gnutls_x509_privkey_deinit(pkey);
799 return rc;
800
801err:
cf0c6164 802 rc = tls_error(where, gnutls_strerror(rc), NULL, errstr);
23bb6982
JH		 803 goto out;
804}
805
806
807
808
47195144
JH		 809/* Add certificate and key, from files.
810
811Return:
812 Zero or negative: good. Negate value for certificate index if < 0.
813 Greater than zero: FAIL or DEFER code.
814*/
815
ba86e143
JH		 816static int
817tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
818 uschar * certfile, uschar * keyfile, uschar ** errstr)
819{
820int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
821 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
47195144
JH		 822if (rc < 0)
823 return tls_error(
824 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
825 gnutls_strerror(rc), host, errstr);
826return -rc;
ba86e143
JH		 827}
828
829
059ec3d9 830/*************************************************
17c76198 831* Variables re-expanded post-SNI *
059ec3d9
PH		 832*************************************************/
833
17c76198
PP		 834/* Called from both server and client code, via tls_init(), and also from
835the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
836
837We can tell the two apart by state->received_sni being non-NULL in callback.
838
839The callback should not call us unless state->trigger_sni_changes is true,
840which we are responsible for setting on the first pass through.
059ec3d9
PH		 841
842Arguments:
17c76198 843 state exim_gnutls_state_st *
cf0c6164 844 errstr error string pointer
059ec3d9
PH		 845
846Returns: OK/DEFER/FAIL
847*/
848
849static int
ba86e143 850tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 851{
1365611d 852struct stat statbuf;
059ec3d9 853int rc;
17c76198
PP		 854const host_item *host = state->host; /* macro should be reconsidered? */
855uschar *saved_tls_certificate = NULL;
856uschar *saved_tls_privatekey = NULL;
857uschar *saved_tls_verify_certificates = NULL;
858uschar *saved_tls_crl = NULL;
859int cert_count;
860
861/* We check for tls_sni *before* expansion. */
2b4a568d 862if (!host) /* server */
17c76198
PP		 863 if (!state->received_sni)
864 {
ba86e143
JH		 865 if ( state->tls_certificate
866 && ( Ustrstr(state->tls_certificate, US"tls_sni")
867 || Ustrstr(state->tls_certificate, US"tls_in_sni")
868 || Ustrstr(state->tls_certificate, US"tls_out_sni")
869 ) )
17c76198
PP		 870 {
871 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
872 state->trigger_sni_changes = TRUE;
873 }
874 }
875 else
876 {
1365611d 877 /* useful for debugging */
17c76198
PP		 878 saved_tls_certificate = state->exp_tls_certificate;
879 saved_tls_privatekey = state->exp_tls_privatekey;
880 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
881 saved_tls_crl = state->exp_tls_crl;
882 }
059ec3d9 883
1365611d 884rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
47195144
JH		 885exim_gnutls_err_check(rc, US"gnutls_certificate_allocate_credentials");
886
887#ifdef SUPPORT_SRV_OCSP_STACK
888gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
889#endif
1365611d 890
17c76198
PP		 891/* remember: expand_check_tlsvar() is expand_check() but fiddling with
892state members, assuming consistent naming; and expand_check() returns
893false if expansion failed, unless expansion was forced to fail. */
059ec3d9 894
17c76198
PP		 895/* check if we at least have a certificate, before doing expensive
896D-H generation. */
059ec3d9 897
cf0c6164 898if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 899 return DEFER;
059ec3d9 900
17c76198 901/* certificate is mandatory in server, optional in client */
059ec3d9 902
23bb6982
JH		 903if ( !state->exp_tls_certificate
904 || !*state->exp_tls_certificate
905 )
2b4a568d 906 if (!host)
cf0c6164 907 return tls_install_selfsign(state, errstr);
17c76198
PP		 908 else
909 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 910
cf0c6164 911if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH		 912 return DEFER;
913
17c76198
PP		 914/* tls_privatekey is optional, defaulting to same file as certificate */
915
916if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
059ec3d9 917 {
17c76198
PP		 918 state->tls_privatekey = state->tls_certificate;
919 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 920 }
c91535f3 921
059ec3d9 922
17c76198 923if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH		 924 {
925 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP		 926 state->exp_tls_certificate, state->exp_tls_privatekey);
927
928 if (state->received_sni)
23bb6982
JH		 929 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
930 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
931 )
17c76198 932 {
b34fc30c 933 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP		 934 }
935 else
936 {
b34fc30c 937 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 938 }
059ec3d9 939
ba86e143
JH		 940 if (!host) /* server */
941 {
942 const uschar * clist = state->exp_tls_certificate;
943 const uschar * klist = state->exp_tls_privatekey;
47195144
JH		 944 const uschar * olist;
945 int csep = 0, ksep = 0, osep = 0, cnt = 0;
946 uschar * cfile, * kfile, * ofile;
947
948#ifndef DISABLE_OCSP
949 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
950 return DEFER;
951 olist = ofile;
952#endif
ba86e143
JH		 953
954 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
47195144 955
ba86e143
JH		 956 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
957 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
47195144 958 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
ba86e143
JH		 959 return rc;
960 else
47195144
JH		 961 {
962 int gnutls_cert_index = -rc;
ba86e143 963 DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile);
47195144
JH		 964
965 /* Set the OCSP stapling server info */
966
967#ifndef DISABLE_OCSP
968 if (tls_ocsp_file)
969 if (gnutls_buggy_ocsp)
970 {
971 DEBUG(D_tls)
972 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
973 }
974 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
975 {
976 /* Use the full callback method for stapling just to get
977 observability. More efficient would be to read the file once only,
978 if it never changed (due to SNI). Would need restart on file update,
979 or watch datestamp. */
980
981# ifdef SUPPORT_SRV_OCSP_STACK
982 rc = gnutls_certificate_set_ocsp_status_request_function2(
983 state->x509_cred, gnutls_cert_index,
984 server_ocsp_stapling_cb, ofile);
985
986 exim_gnutls_err_check(rc,
987 US"gnutls_certificate_set_ocsp_status_request_function2");
988# else
989 if (cnt++ > 0)
990 {
991 DEBUG(D_tls)
992 debug_printf("oops; multiple OCSP files not supported\n");
993 break;
994 }
995 gnutls_certificate_set_ocsp_status_request_function(
996 state->x509_cred, server_ocsp_stapling_cb, ofile);
997# endif
998
999 DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile);
1000 }
1001 else
1002 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
1003#endif
1004 }
ba86e143
JH		 1005 }
1006 else
1007 {
47195144 1008 if (0 < (rc = tls_add_certfile(state, host,
ba86e143
JH		 1009 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1010 return rc;
1011 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1012 }
1013
b34fc30c 1014 } /* tls_certificate */
059ec3d9 1015
2b4a568d 1016
059ec3d9
PH		 1017/* Set the trusted CAs file if one is provided, and then add the CRL if one is
1018provided. Experiment shows that, if the certificate file is empty, an unhelpful
1019error message is provided. However, if we just refrain from setting anything up
1020in that case, certificate verification fails, which seems to be the correct
1021behaviour. */
1022
610ff438 1023if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 1024 {
cf0c6164 1025 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 1026 return DEFER;
610ff438
JH		 1027#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1028 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1029 state->exp_tls_verify_certificates = NULL;
1030#endif
17c76198 1031 if (state->tls_crl && *state->tls_crl)
cf0c6164 1032 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 1033 return DEFER;
059ec3d9 1034
1365611d
PP		 1035 if (!(state->exp_tls_verify_certificates &&
1036 *state->exp_tls_verify_certificates))
b34fc30c
PP		 1037 {
1038 DEBUG(D_tls)
1365611d
PP		 1039 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1040 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 1041 return OK;
b34fc30c 1042 }
1365611d 1043 }
83e2f8a2
PP		 1044else
1045 {
1046 DEBUG(D_tls)
1047 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1048 return OK;
1049 }
17c76198 1050
cb1d7830
JH		 1051#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1052if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1053 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1054else
1055#endif
1365611d 1056 {
cb1d7830
JH		 1057 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1058 {
1059 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
1060 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1061 strerror(errno));
1062 return DEFER;
1063 }
17c76198 1064
a7fec7a7 1065#ifndef SUPPORT_CA_DIR
cb1d7830
JH		 1066 /* The test suite passes in /dev/null; we could check for that path explicitly,
1067 but who knows if someone has some weird FIFO which always dumps some certs, or
1068 other weirdness. The thing we really want to check is that it's not a
1069 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 1070 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH		 1071 if (S_ISDIR(statbuf.st_mode))
1072 {
1073 DEBUG(D_tls)
1074 debug_printf("verify certificates path is a dir: \"%s\"\n",
1075 state->exp_tls_verify_certificates);
1076 log_write(0, LOG_MAIN|LOG_PANIC,
1077 "tls_verify_certificates \"%s\" is a directory",
1078 state->exp_tls_verify_certificates);
1079 return DEFER;
1080 }
a7fec7a7 1081#endif
059ec3d9 1082
cb1d7830
JH		 1083 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1084 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 1085
cb1d7830
JH		 1086 if (statbuf.st_size == 0)
1087 {
1088 DEBUG(D_tls)
1089 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1090 return OK;
1091 }
059ec3d9 1092
cb1d7830 1093 cert_count =
a7fec7a7
JH		 1094
1095#ifdef SUPPORT_CA_DIR
cb1d7830
JH		 1096 (statbuf.st_mode & S_IFMT) == S_IFDIR
1097 ?
1098 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1099 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1100 :
a7fec7a7 1101#endif
cb1d7830
JH		 1102 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1103 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
1104 }
a7fec7a7 1105
1365611d
PP		 1106if (cert_count < 0)
1107 {
1108 rc = cert_count;
47195144 1109 exim_gnutls_err_check(rc, US"setting certificate trust");
1365611d
PP		 1110 }
1111DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1112
5c8cda3a
PP		 1113if (state->tls_crl && *state->tls_crl &&
1114 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1115 {
5c8cda3a
PP		 1116 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
1117 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1118 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
1119 if (cert_count < 0)
1365611d 1120 {
5c8cda3a 1121 rc = cert_count;
47195144 1122 exim_gnutls_err_check(rc, US"gnutls_certificate_set_x509_crl_file");
1365611d 1123 }
5c8cda3a 1124 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1125 }
059ec3d9 1126
059ec3d9
PH		 1127return OK;
1128}
1129
1130
1131
1132
1365611d
PP		 1133/*************************************************
1134* Set X.509 state variables *
1135*************************************************/
1136
1137/* In GnuTLS, the registered cert/key are not replaced by a later
1138set of a cert/key, so for SNI support we need a whole new x509_cred
1139structure. Which means various other non-re-expanded pieces of state
1140need to be re-set in the new struct, so the setting logic is pulled
1141out to this.
1142
1143Arguments:
1144 state exim_gnutls_state_st *
cf0c6164 1145 errstr error string pointer
1365611d
PP		 1146
1147Returns: OK/DEFER/FAIL
1148*/
1149
1150static int
cf0c6164 1151tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP		 1152{
1153int rc;
1154const host_item *host = state->host; /* macro should be reconsidered? */
1155
1156/* Create D-H parameters, or read them from the cache file. This function does
1157its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1158client-side params. */
1159
1160if (!state->host)
1161 {
1162 if (!dh_server_params)
1163 {
cf0c6164 1164 rc = init_server_dh(errstr);
1365611d
PP		 1165 if (rc != OK) return rc;
1166 }
1167 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1168 }
1169
1170/* Link the credentials to the session. */
1171
1172rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
47195144 1173exim_gnutls_err_check(rc, US"gnutls_credentials_set");
1365611d
PP		 1174
1175return OK;
1176}
1177
059ec3d9 1178/*************************************************
17c76198 1179* Initialize for GnuTLS *
059ec3d9
PH		 1180*************************************************/
1181
9196d5bf 1182
4fb7df6d
JH		 1183#ifndef DISABLE_OCSP
1184
9196d5bf
JH		 1185static BOOL
1186tls_is_buggy_ocsp(void)
1187{
1188const uschar * s;
1189uschar maj, mid, mic;
1190
1191s = CUS gnutls_check_version(NULL);
1192maj = atoi(CCS s);
1193if (maj == 3)
1194 {
1195 while (*s && *s != '.') s++;
1196 mid = atoi(CCS ++s);
1197 if (mid <= 2)
1198 return TRUE;
1199 else if (mid >= 5)
1200 return FALSE;
1201 else
1202 {
1203 while (*s && *s != '.') s++;
1204 mic = atoi(CCS ++s);
1205 return mic <= (mid == 3 ? 16 : 3);
1206 }
1207 }
1208return FALSE;
1209}
1210
4fb7df6d 1211#endif
9196d5bf
JH		 1212
1213
17c76198
PP		 1214/* Called from both server and client code. In the case of a server, errors
1215before actual TLS negotiation return DEFER.
059ec3d9
PH		 1216
1217Arguments:
17c76198
PP		 1218 host connected host, if client; NULL if server
1219 certificate certificate file
1220 privatekey private key file
1221 sni TLS SNI to send, sometimes when client; else NULL
1222 cas CA certs file
1223 crl CRL file
1224 require_ciphers tls_require_ciphers setting
817d9f57 1225 caller_state returned state-info structure
cf0c6164 1226 errstr error string pointer
059ec3d9 1227
17c76198 1228Returns: OK/DEFER/FAIL
059ec3d9
PH		 1229*/
1230
17c76198
PP		 1231static int
1232tls_init(
1233 const host_item *host,
1234 const uschar *certificate,
1235 const uschar *privatekey,
1236 const uschar *sni,
1237 const uschar *cas,
1238 const uschar *crl,
1239 const uschar *require_ciphers,
cf0c6164
JH		 1240 exim_gnutls_state_st **caller_state,
1241 uschar ** errstr)
059ec3d9 1242{
17c76198
PP		 1243exim_gnutls_state_st *state;
1244int rc;
1245size_t sz;
1246const char *errpos;
1247uschar *p;
1248BOOL want_default_priorities;
1249
1250if (!exim_gnutls_base_init_done)
059ec3d9 1251 {
17c76198
PP		 1252 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1253
a5f239e4
PP		 1254#ifdef HAVE_GNUTLS_PKCS11
1255 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1256 which loads modules from a config file, which sounds good and may be wanted
1257 by some sysadmin, but also means in common configurations that GNOME keyring
1258 environment variables are used and so breaks for users calling mailq.
1259 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1260 if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 1261 {
1262 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
47195144 1263 exim_gnutls_err_check(rc, US"gnutls_pkcs11_init");
a5f239e4
PP		 1264 }
1265#endif
1266
17c76198 1267 rc = gnutls_global_init();
47195144 1268 exim_gnutls_err_check(rc, US"gnutls_global_init");
17c76198
PP		 1269
1270#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1271 DEBUG(D_tls)
059ec3d9 1272 {
17c76198
PP		 1273 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1274 /* arbitrarily chosen level; bump upto 9 for more */
1275 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1276 }
17c76198
PP		 1277#endif
1278
4fb7df6d
JH		 1279#ifndef DISABLE_OCSP
1280 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1281 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1282#endif
9196d5bf 1283
17c76198 1284 exim_gnutls_base_init_done = TRUE;
059ec3d9 1285 }
059ec3d9 1286
17c76198
PP		 1287if (host)
1288 {
1289 state = &state_client;
1290 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
817d9f57 1291 state->tlsp = &tls_out;
17c76198
PP		 1292 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1293 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1294 }
1295else
1296 {
1297 state = &state_server;
1298 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
817d9f57 1299 state->tlsp = &tls_in;
17c76198
PP		 1300 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1301 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1302 }
47195144 1303exim_gnutls_err_check(rc, US"gnutls_init");
059ec3d9 1304
17c76198 1305state->host = host;
059ec3d9 1306
17c76198
PP		 1307state->tls_certificate = certificate;
1308state->tls_privatekey = privatekey;
5779e6aa 1309state->tls_require_ciphers = require_ciphers;
17c76198
PP		 1310state->tls_sni = sni;
1311state->tls_verify_certificates = cas;
1312state->tls_crl = crl;
059ec3d9 1313
17c76198
PP		 1314/* This handles the variables that might get re-expanded after TLS SNI;
1315that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1316
17c76198
PP		 1317DEBUG(D_tls)
1318 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1319if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1320
1365611d
PP		 1321/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1322requires a new structure afterwards. */
83da1223 1323
cf0c6164 1324if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1325
17c76198
PP		 1326/* set SNI in client, only */
1327if (host)
1328 {
cf0c6164 1329 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1330 return DEFER;
0df4ab80 1331 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP		 1332 {
1333 DEBUG(D_tls)
0df4ab80
JH		 1334 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1335 sz = Ustrlen(state->tlsp->sni);
17c76198 1336 rc = gnutls_server_name_set(state->session,
0df4ab80 1337 GNUTLS_NAME_DNS, state->tlsp->sni, sz);
47195144 1338 exim_gnutls_err_check(rc, US"gnutls_server_name_set");
17c76198
PP		 1339 }
1340 }
1341else if (state->tls_sni)
1342 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
ba86e143 1343 "have an SNI set for a server [%s]\n", state->tls_sni);
83da1223 1344
17c76198 1345/* This is the priority string support,
42bfef1e 1346http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP		 1347and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1348This was backwards incompatible, but means Exim no longer needs to track
1349all algorithms and provide string forms for them. */
83da1223 1350
17c76198 1351want_default_priorities = TRUE;
83da1223 1352
17c76198 1353if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1354 {
cf0c6164 1355 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP		 1356 return DEFER;
1357 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1358 {
17c76198
PP		 1359 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1360 state->exp_tls_require_ciphers);
1361
1362 rc = gnutls_priority_init(&state->priority_cache,
1363 CS state->exp_tls_require_ciphers, &errpos);
1364 want_default_priorities = FALSE;
1365 p = state->exp_tls_require_ciphers;
83da1223
PH		 1366 }
1367 }
17c76198
PP		 1368if (want_default_priorities)
1369 {
83e2f8a2
PP		 1370 DEBUG(D_tls)
1371 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1372 exim_default_gnutls_priority);
17c76198
PP		 1373 rc = gnutls_priority_init(&state->priority_cache,
1374 exim_default_gnutls_priority, &errpos);
1375 p = US exim_default_gnutls_priority;
1376 }
83da1223 1377
47195144 1378exim_gnutls_err_check(rc, string_sprintf(
17c76198
PP		 1379 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1380 p, errpos - CS p, errpos));
1381
1382rc = gnutls_priority_set(state->session, state->priority_cache);
47195144 1383exim_gnutls_err_check(rc, US"gnutls_priority_set");
17c76198
PP		 1384
1385gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1386
1387/* Reduce security in favour of increased compatibility, if the admin
1388decides to make that trade-off. */
1389if (gnutls_compat_mode)
83da1223 1390 {
17c76198
PP		 1391#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1392 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1393 gnutls_session_enable_compatibility_mode(state->session);
1394#else
1395 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1396#endif
83da1223
PH		 1397 }
1398
17c76198 1399*caller_state = state;
17c76198 1400return OK;
83da1223
PH		 1401}
1402
1403
1404
059ec3d9 1405/*************************************************
17c76198 1406* Extract peer information *
059ec3d9
PH		 1407*************************************************/
1408
17c76198 1409/* Called from both server and client code.
4fe99a6c
PP		 1410Only this is allowed to set state->peerdn and state->have_set_peerdn
1411and we use that to detect double-calls.
059ec3d9 1412
75fe387d
PP		 1413NOTE: the state blocks last while the TLS connection is up, which is fine
1414for logging in the server side, but for the client side, we log after teardown
1415in src/deliver.c. While the session is up, we can twist about states and
1416repoint tls_* globals, but those variables used for logging or other variable
1417expansion that happens _after_ delivery need to have a longer life-time.
1418
1419So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1420doing this more than once per generation of a state context. We set them in
1421the state context, and repoint tls_* to them. After the state goes away, the
1422tls_* copies of the pointers remain valid and client delivery logging is happy.
1423
1424tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1425don't apply.
1426
059ec3d9 1427Arguments:
17c76198 1428 state exim_gnutls_state_st *
cf0c6164 1429 errstr pointer to error string
059ec3d9 1430
17c76198 1431Returns: OK/DEFER/FAIL
059ec3d9
PH		 1432*/
1433
17c76198 1434static int
cf0c6164 1435peer_status(exim_gnutls_state_st *state, uschar ** errstr)
059ec3d9 1436{
75fe387d 1437uschar cipherbuf[256];
27f19eb4 1438const gnutls_datum_t *cert_list;
75fe387d 1439int old_pool, rc;
17c76198 1440unsigned int cert_list_size = 0;
4fe99a6c
PP		 1441gnutls_protocol_t protocol;
1442gnutls_cipher_algorithm_t cipher;
1443gnutls_kx_algorithm_t kx;
1444gnutls_mac_algorithm_t mac;
17c76198
PP		 1445gnutls_certificate_type_t ct;
1446gnutls_x509_crt_t crt;
4fe99a6c 1447uschar *p, *dn_buf;
17c76198 1448size_t sz;
059ec3d9 1449
4fe99a6c 1450if (state->have_set_peerdn)
17c76198 1451 return OK;
4fe99a6c 1452state->have_set_peerdn = TRUE;
059ec3d9 1453
4fe99a6c 1454state->peerdn = NULL;
059ec3d9 1455
4fe99a6c
PP		 1456/* tls_cipher */
1457cipher = gnutls_cipher_get(state->session);
1458protocol = gnutls_protocol_get_version(state->session);
1459mac = gnutls_mac_get(state->session);
1460kx = gnutls_kx_get(state->session);
1461
75fe387d 1462string_format(cipherbuf, sizeof(cipherbuf),
4fe99a6c
PP		 1463 "%s:%s:%d",
1464 gnutls_protocol_get_name(protocol),
1465 gnutls_cipher_suite_get_name(kx, cipher, mac),
1466 (int) gnutls_cipher_get_key_size(cipher) * 8);
1467
1468/* I don't see a way that spaces could occur, in the current GnuTLS
1469code base, but it was a concern in the old code and perhaps older GnuTLS
1470releases did return "TLS 1.0"; play it safe, just in case. */
75fe387d 1471for (p = cipherbuf; *p != '\0'; ++p)
4fe99a6c
PP		 1472 if (isspace(*p))
1473 *p = '-';
75fe387d
PP		 1474old_pool = store_pool;
1475store_pool = POOL_PERM;
1476state->ciphersuite = string_copy(cipherbuf);
1477store_pool = old_pool;
817d9f57 1478state->tlsp->cipher = state->ciphersuite;
4fe99a6c
PP		 1479
1480/* tls_peerdn */
17c76198 1481cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
83da1223 1482
17c76198
PP		 1483if (cert_list == NULL || cert_list_size == 0)
1484 {
17c76198
PP		 1485 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1486 cert_list, cert_list_size);
e51c7be2 1487 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1488 return tls_error(US"certificate verification failed",
cf0c6164 1489 "no certificate received from peer", state->host, errstr);
17c76198
PP		 1490 return OK;
1491 }
059ec3d9 1492
17c76198
PP		 1493ct = gnutls_certificate_type_get(state->session);
1494if (ct != GNUTLS_CRT_X509)
059ec3d9 1495 {
17c76198 1496 const char *ctn = gnutls_certificate_type_get_name(ct);
17c76198
PP		 1497 DEBUG(D_tls)
1498 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1499 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1500 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1501 ctn, state->host, errstr);
17c76198 1502 return OK;
83da1223 1503 }
059ec3d9 1504
e51c7be2
JH		 1505#define exim_gnutls_peer_err(Label) \
1506 do { \
1507 if (rc != GNUTLS_E_SUCCESS) \
1508 { \
1509 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1510 (Label), gnutls_strerror(rc)); \
1511 if (state->verify_requirement >= VERIFY_REQUIRED) \
cf0c6164 1512 return tls_error((Label), gnutls_strerror(rc), state->host, errstr); \
e51c7be2
JH		 1513 return OK; \
1514 } \
1515 } while (0)
17c76198 1516
9d1c15ef
JH		 1517rc = import_cert(&cert_list[0], &crt);
1518exim_gnutls_peer_err(US"cert 0");
1519
1520state->tlsp->peercert = state->peercert = crt;
17c76198 1521
17c76198
PP		 1522sz = 0;
1523rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1524if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1525 {
17c76198
PP		 1526 exim_gnutls_peer_err(US"getting size for cert DN failed");
1527 return FAIL; /* should not happen */
059ec3d9 1528 }
17c76198
PP		 1529dn_buf = store_get_perm(sz);
1530rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1531exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1532
17c76198
PP		 1533state->peerdn = dn_buf;
1534
1535return OK;
1536#undef exim_gnutls_peer_err
1537}
059ec3d9 1538
059ec3d9 1539
059ec3d9 1540
059ec3d9 1541
17c76198
PP		 1542/*************************************************
1543* Verify peer certificate *
1544*************************************************/
059ec3d9 1545
17c76198
PP		 1546/* Called from both server and client code.
1547*Should* be using a callback registered with
1548gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1549the peer information, but that's too new for some OSes.
059ec3d9 1550
17c76198
PP		 1551Arguments:
1552 state exim_gnutls_state_st *
cf0c6164 1553 errstr where to put an error message
059ec3d9 1554
17c76198
PP		 1555Returns:
1556 FALSE if the session should be rejected
1557 TRUE if the cert is okay or we just don't care
1558*/
059ec3d9 1559
17c76198 1560static BOOL
cf0c6164 1561verify_certificate(exim_gnutls_state_st *state, uschar ** errstr)
17c76198
PP		 1562{
1563int rc;
1564unsigned int verify;
1565
cf0c6164 1566*errstr = NULL;
17c76198 1567
cf0c6164 1568if ((rc = peer_status(state, errstr)) != OK)
e6060e2c 1569 {
17c76198 1570 verify = GNUTLS_CERT_INVALID;
cf0c6164 1571 *errstr = US"certificate not supplied";
17c76198
PP		 1572 }
1573else
17c76198 1574 rc = gnutls_certificate_verify_peers2(state->session, &verify);
e6060e2c 1575
17c76198
PP		 1576/* Handle the result of verification. INVALID seems to be set as well
1577as REVOKED, but leave the test for both. */
059ec3d9 1578
e51c7be2
JH		 1579if (rc < 0 ||
1580 verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
1581 )
17c76198
PP		 1582 {
1583 state->peer_cert_verified = FALSE;
cf0c6164
JH		 1584 if (!*errstr)
1585 *errstr = verify & GNUTLS_CERT_REVOKED
1586 ? US"certificate revoked" : US"certificate invalid";
059ec3d9 1587
17c76198 1588 DEBUG(D_tls)
e51c7be2 1589 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 1590 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 1591
e51c7be2 1592 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1593 {
e51c7be2
JH		 1594 gnutls_alert_send(state->session,
1595 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
17c76198
PP		 1596 return FALSE;
1597 }
1598 DEBUG(D_tls)
4789da3a 1599 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 1600 }
e51c7be2 1601
17c76198
PP		 1602else
1603 {
aa2a70ba 1604 if (state->exp_tls_verify_cert_hostnames)
e51c7be2
JH		 1605 {
1606 int sep = 0;
55414b25 1607 const uschar * list = state->exp_tls_verify_cert_hostnames;
e51c7be2 1608 uschar * name;
76075bb5 1609 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
e51c7be2
JH		 1610 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
1611 break;
1612 if (!name)
1613 {
1614 DEBUG(D_tls)
1615 debug_printf("TLS certificate verification failed: cert name mismatch\n");
aa2a70ba
JH		 1616 if (state->verify_requirement >= VERIFY_REQUIRED)
1617 {
1618 gnutls_alert_send(state->session,
1619 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1620 return FALSE;
1621 }
1622 return TRUE;
e51c7be2
JH		 1623 }
1624 }
17c76198 1625 state->peer_cert_verified = TRUE;
e51c7be2 1626 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 1627 state->peerdn ? state->peerdn : US"<unset>");
17c76198 1628 }
059ec3d9 1629
817d9f57 1630state->tlsp->peerdn = state->peerdn;
059ec3d9 1631
17c76198
PP		 1632return TRUE;
1633}
059ec3d9 1634
17c76198
PP		 1635
1636
1637
1638/* ------------------------------------------------------------------------ */
1639/* Callbacks */
1640
1641/* Logging function which can be registered with
1642 * gnutls_global_set_log_function()
1643 * gnutls_global_set_log_level() 0..9
1644 */
af3498d6 1645#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 1646static void
17c76198 1647exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 1648{
8c79eebf
PP		 1649 size_t len = strlen(message);
1650 if (len < 1)
1651 {
1652 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1653 return;
1654 }
1655 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1656 message[len-1] == '\n' ? "" : "\n");
17c76198 1657}
af3498d6 1658#endif
059ec3d9 1659
059ec3d9 1660
17c76198
PP		 1661/* Called after client hello, should handle SNI work.
1662This will always set tls_sni (state->received_sni) if available,
1663and may trigger presenting different certificates,
1664if state->trigger_sni_changes is TRUE.
059ec3d9 1665
17c76198
PP		 1666Should be registered with
1667 gnutls_handshake_set_post_client_hello_function()
059ec3d9 1668
17c76198
PP		 1669"This callback must return 0 on success or a gnutls error code to terminate the
1670handshake.".
059ec3d9 1671
17c76198
PP		 1672For inability to get SNI information, we return 0.
1673We only return non-zero if re-setup failed.
817d9f57 1674Only used for server-side TLS.
17c76198 1675*/
44bbabb5 1676
17c76198
PP		 1677static int
1678exim_sni_handling_cb(gnutls_session_t session)
1679{
1680char sni_name[MAX_HOST_LEN];
1681size_t data_len = MAX_HOST_LEN;
817d9f57 1682exim_gnutls_state_st *state = &state_server;
17c76198
PP		 1683unsigned int sni_type;
1684int rc, old_pool;
cf0c6164 1685uschar * dummy_errstr;
17c76198
PP		 1686
1687rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP		 1688if (rc != GNUTLS_E_SUCCESS)
1689 {
1690 DEBUG(D_tls) {
1691 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1692 debug_printf("TLS: no SNI presented in handshake.\n");
1693 else
1694 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1695 gnutls_strerror(rc), rc);
cf0c6164 1696 }
b34fc30c
PP		 1697 return 0;
1698 }
1699
17c76198
PP		 1700if (sni_type != GNUTLS_NAME_DNS)
1701 {
1702 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1703 return 0;
1704 }
44bbabb5 1705
17c76198
PP		 1706/* We now have a UTF-8 string in sni_name */
1707old_pool = store_pool;
1708store_pool = POOL_PERM;
1709state->received_sni = string_copyn(US sni_name, data_len);
1710store_pool = old_pool;
1711
1712/* We set this one now so that variable expansions below will work */
817d9f57 1713state->tlsp->sni = state->received_sni;
17c76198
PP		 1714
1715DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1716 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1717
1718if (!state->trigger_sni_changes)
1719 return 0;
1720
cf0c6164 1721if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP		 1722 {
1723 /* If the setup of certs/etc failed before handshake, TLS would not have
1724 been offered. The best we can do now is abort. */
1725 return GNUTLS_E_APPLICATION_ERROR_MIN;
1726 }
1727
cf0c6164 1728rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP		 1729if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1730
1731return 0;
059ec3d9
PH		 1732}
1733
1734
1735
f2de3a33 1736#ifndef DISABLE_OCSP
44662487
JH		 1737
1738static int
1739server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1740 gnutls_datum_t * ocsp_response)
1741{
1742int ret;
47195144 1743DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
44662487 1744
44662487
JH		 1745if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1746 {
1747 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
5903c6ff 1748 CS ptr);
018058b2 1749 tls_in.ocsp = OCSP_NOT_RESP;
44662487
JH		 1750 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1751 }
1752
018058b2 1753tls_in.ocsp = OCSP_VFY_NOT_TRIED;
44662487
JH		 1754return 0;
1755}
1756
1757#endif
1758
1759
0cbf2b82 1760#ifndef DISABLE_EVENT
a7538db1
JH		 1761/*
1762We use this callback to get observability and detail-level control
723fe533
JH		 1763for an exim TLS connection (either direction), raising a tls:cert event
1764for each cert in the chain presented by the peer. Any event
a7538db1
JH		 1765can deny verification.
1766
1767Return 0 for the handshake to continue or non-zero to terminate.
1768*/
1769
1770static int
723fe533 1771verify_cb(gnutls_session_t session)
a7538db1 1772{
27f19eb4 1773const gnutls_datum_t * cert_list;
a7538db1
JH		 1774unsigned int cert_list_size = 0;
1775gnutls_x509_crt_t crt;
1776int rc;
b30275b8 1777uschar * yield;
a7538db1
JH		 1778exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
1779
1780cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1781if (cert_list)
1782 while (cert_list_size--)
1783 {
1784 rc = import_cert(&cert_list[cert_list_size], &crt);
1785 if (rc != GNUTLS_E_SUCCESS)
1786 {
1787 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
1788 cert_list_size, gnutls_strerror(rc));
1789 break;
1790 }
1791
1792 state->tlsp->peercert = crt;
b30275b8
JH		 1793 if ((yield = event_raise(state->event_action,
1794 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH		 1795 {
1796 log_write(0, LOG_MAIN,
b30275b8
JH		 1797 "SSL verify denied by event-action: depth=%d: %s",
1798 cert_list_size, yield);
a7538db1
JH		 1799 return 1; /* reject */
1800 }
1801 state->tlsp->peercert = NULL;
1802 }
1803
1804return 0;
1805}
1806
1807#endif
44662487
JH		 1808
1809
17c76198
PP		 1810
1811/* ------------------------------------------------------------------------ */
1812/* Exported functions */
1813
1814
1815
1816
059ec3d9
PH		 1817/*************************************************
1818* Start a TLS session in a server *
1819*************************************************/
1820
1821/* This is called when Exim is running as a server, after having received
1822the STARTTLS command. It must respond to that command, and then negotiate
1823a TLS session.
1824
1825Arguments:
83da1223 1826 require_ciphers list of allowed ciphers or NULL
cf0c6164 1827 errstr pointer to error string
059ec3d9
PH		 1828
1829Returns: OK on success
1830 DEFER for errors before the start of the negotiation
4c04137d 1831 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 1832 continue running.
1833*/
1834
1835int
cf0c6164 1836tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 1837{
1838int rc;
cf0c6164 1839exim_gnutls_state_st * state = NULL;
059ec3d9
PH		 1840
1841/* Check for previous activation */
817d9f57 1842if (tls_in.active >= 0)
059ec3d9 1843 {
cf0c6164 1844 tls_error(US"STARTTLS received after TLS started", "", NULL, errstr);
925ac8e4 1845 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 1846 return FAIL;
1847 }
1848
1849/* Initialize the library. If it fails, it will already have logged the error
1850and sent an SMTP response. */
1851
17c76198 1852DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 1853
cf0c6164 1854if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
17c76198 1855 NULL, tls_verify_certificates, tls_crl,
cf0c6164 1856 require_ciphers, &state, errstr)) != OK) return rc;
059ec3d9 1857
059ec3d9
PH		 1858/* If this is a host for which certificate verification is mandatory or
1859optional, set up appropriately. */
1860
059ec3d9 1861if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 1862 {
e51c7be2
JH		 1863 DEBUG(D_tls)
1864 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP		 1865 state->verify_requirement = VERIFY_REQUIRED;
1866 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1867 }
059ec3d9 1868else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 1869 {
e51c7be2
JH		 1870 DEBUG(D_tls)
1871 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP		 1872 state->verify_requirement = VERIFY_OPTIONAL;
1873 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1874 }
1875else
1876 {
e51c7be2
JH		 1877 DEBUG(D_tls)
1878 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP		 1879 state->verify_requirement = VERIFY_NONE;
1880 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1881 }
059ec3d9 1882
0cbf2b82 1883#ifndef DISABLE_EVENT
723fe533
JH		 1884if (event_action)
1885 {
1886 state->event_action = event_action;
1887 gnutls_session_set_ptr(state->session, state);
1888 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
1889 }
1890#endif
1891
17c76198
PP		 1892/* Register SNI handling; always, even if not in tls_certificate, so that the
1893expansion variable $tls_sni is always available. */
059ec3d9 1894
17c76198
PP		 1895gnutls_handshake_set_post_client_hello_function(state->session,
1896 exim_sni_handling_cb);
059ec3d9
PH		 1897
1898/* Set context and tell client to go ahead, except in the case of TLS startup
1899on connection, where outputting anything now upsets the clients and tends to
1900make them disconnect. We need to have an explicit fflush() here, to force out
1901the response. Other smtp_printf() calls do not need it, because in non-TLS
1902mode, the fflush() happens when smtp_getc() is called. */
1903
817d9f57 1904if (!state->tlsp->on_connect)
059ec3d9 1905 {
925ac8e4 1906 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 1907 fflush(smtp_out);
059ec3d9
PH		 1908 }
1909
1910/* Now negotiate the TLS session. We put our own timer on it, since it seems
1911that the GnuTLS library doesn't. */
1912
17c76198 1913gnutls_transport_set_ptr2(state->session,
27f19eb4
JH		 1914 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
1915 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP		 1916state->fd_in = fileno(smtp_in);
1917state->fd_out = fileno(smtp_out);
059ec3d9
PH		 1918
1919sigalrm_seen = FALSE;
1920if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
17c76198 1921do
17c76198 1922 rc = gnutls_handshake(state->session);
157a7880 1923while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
059ec3d9
PH		 1924alarm(0);
1925
17c76198 1926if (rc != GNUTLS_E_SUCCESS)
059ec3d9 1927 {
059ec3d9
PH		 1928 /* It seems that, except in the case of a timeout, we have to close the
1929 connection right here; otherwise if the other end is running OpenSSL it hangs
1930 until the server times out. */
1931
60d10ce7 1932 if (sigalrm_seen)
ad7fc6eb 1933 {
cf0c6164 1934 tls_error(US"gnutls_handshake", "timed out", NULL, errstr);
ad7fc6eb
JH		 1935 gnutls_db_remove_session(state->session);
1936 }
60d10ce7 1937 else
059ec3d9 1938 {
cf0c6164 1939 tls_error(US"gnutls_handshake", gnutls_strerror(rc), NULL, errstr);
f5d25c2b 1940 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 1941 gnutls_deinit(state->session);
ed62aae3 1942 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 1943 millisleep(500);
ad7fc6eb 1944 shutdown(state->fd_out, SHUT_WR);
60d10ce7 1945 for (rc = 1024; fgetc(smtp_in) != EOF && rc > 0; ) rc--; /* drain skt */
f1e894f3
PH		 1946 (void)fclose(smtp_out);
1947 (void)fclose(smtp_in);
60d10ce7 1948 smtp_out = smtp_in = NULL;
059ec3d9
PH		 1949 }
1950
1951 return FAIL;
1952 }
1953
1954DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1955
17c76198
PP		 1956/* Verify after the fact */
1957
9d1c15ef 1958if ( state->verify_requirement != VERIFY_NONE
cf0c6164 1959 && !verify_certificate(state, errstr))
059ec3d9 1960 {
9d1c15ef 1961 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 1962 {
cf0c6164 1963 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 1964 return FAIL;
17c76198 1965 }
9d1c15ef
JH		 1966 DEBUG(D_tls)
1967 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 1968 *errstr);
059ec3d9
PH		 1969 }
1970
17c76198
PP		 1971/* Figure out peer DN, and if authenticated, etc. */
1972
cf0c6164 1973if ((rc = peer_status(state, NULL)) != OK) return rc;
17c76198
PP		 1974
1975/* Sets various Exim expansion variables; always safe within server */
1976
9d1c15ef 1977extract_exim_vars_from_tls_state(state);
059ec3d9
PH		 1978
1979/* TLS has been set up. Adjust the input functions to read via TLS,
1980and initialize appropriately. */
1981
17c76198 1982state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH		 1983
1984receive_getc = tls_getc;
0d81dabc 1985receive_getbuf = tls_getbuf;
584e96c6 1986receive_get_cache = tls_get_cache;
059ec3d9
PH		 1987receive_ungetc = tls_ungetc;
1988receive_feof = tls_feof;
1989receive_ferror = tls_ferror;
58eb016e 1990receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 1991
059ec3d9
PH		 1992return OK;
1993}
1994
1995
1996
1997
aa2a70ba
JH		 1998static void
1999tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2000 smtp_transport_options_block * ob)
2001{
5130845b 2002if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 2003 {
4af0d74a 2004 state->exp_tls_verify_cert_hostnames =
8c5d388a 2005#ifdef SUPPORT_I18N
4af0d74a
JH		 2006 string_domain_utf8_to_alabel(host->name, NULL);
2007#else
2008 host->name;
2009#endif
aa2a70ba
JH		 2010 DEBUG(D_tls)
2011 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2012 state->exp_tls_verify_cert_hostnames);
2013 }
2014}
aa2a70ba
JH		 2015
2016
059ec3d9
PH		 2017/*************************************************
2018* Start a TLS session in a client *
2019*************************************************/
2020
2021/* Called from the smtp transport after STARTTLS has been accepted.
2022
2023Arguments:
2024 fd the fd of the connection
2025 host connected host (for messages)
83da1223 2026 addr the first address (not used)
a7538db1 2027 tb transport (always smtp)
059ec3d9 2028
cf0c6164
JH		 2029 errstr error string pointer
2030
059ec3d9
PH		 2031Returns: OK/DEFER/FAIL (because using common functions),
2032 but for a client, DEFER and FAIL have the same meaning
2033*/
2034
2035int
17c76198 2036tls_client_start(int fd, host_item *host,
f5d78688 2037 address_item *addr ARG_UNUSED,
cf0c6164 2038 transport_instance * tb,
0e66b3b6 2039#ifdef EXPERIMENTAL_DANE
cf0c6164 2040 dns_answer * tlsa_dnsa ARG_UNUSED,
0e66b3b6 2041#endif
cf0c6164 2042 uschar ** errstr)
059ec3d9 2043{
a7538db1
JH		 2044smtp_transport_options_block *ob =
2045 (smtp_transport_options_block *)tb->options_block;
059ec3d9 2046int rc;
17c76198 2047exim_gnutls_state_st *state = NULL;
f2de3a33 2048#ifndef DISABLE_OCSP
5130845b
JH		 2049BOOL require_ocsp =
2050 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
44662487 2051BOOL request_ocsp = require_ocsp ? TRUE
5130845b 2052 : verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2b4a568d 2053#endif
059ec3d9 2054
17c76198 2055DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
059ec3d9 2056
65867078
JH		 2057if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
2058 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
cf0c6164 2059 ob->tls_require_ciphers, &state, errstr)) != OK)
2b4a568d 2060 return rc;
059ec3d9 2061
54c90be1 2062 {
65867078
JH		 2063 int dh_min_bits = ob->tls_dh_min_bits;
2064 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2065 {
2066 DEBUG(D_tls)
2067 debug_printf("WARNING: tls_dh_min_bits far too low,"
2068 " clamping %d up to %d\n",
2069 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2070 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2071 }
54c90be1 2072
65867078
JH		 2073 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2074 " acceptable bits to %d\n",
2075 dh_min_bits);
2076 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2077 }
83da1223 2078
94431adb 2079/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH		 2080set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2081the specified host patterns if one of them is defined */
2082
aa2a70ba
JH		 2083if ( ( state->exp_tls_verify_certificates
2084 && !ob->tls_verify_hosts
610ff438 2085 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
aa2a70ba 2086 )
5130845b 2087 || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
2b4a568d 2088 )
17c76198 2089 {
aa2a70ba 2090 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH		 2091 DEBUG(D_tls)
2092 debug_printf("TLS: server certificate verification required.\n");
2093 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB		 2094 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2095 }
5130845b 2096else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
52f93eed 2097 {
aa2a70ba 2098 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH		 2099 DEBUG(D_tls)
2100 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2101 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP		 2102 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2103 }
2104else
2105 {
e51c7be2
JH		 2106 DEBUG(D_tls)
2107 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB		 2108 state->verify_requirement = VERIFY_NONE;
2109 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2110 }
059ec3d9 2111
f2de3a33
JH		 2112#ifndef DISABLE_OCSP
2113 /* supported since GnuTLS 3.1.3 */
44662487 2114if (request_ocsp)
9d1c15ef
JH		 2115 {
2116 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH		 2117 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2118 NULL, 0, NULL)) != OK)
9d1c15ef 2119 return tls_error(US"cert-status-req",
cf0c6164 2120 gnutls_strerror(rc), state->host, errstr);
44662487 2121 tls_out.ocsp = OCSP_NOT_RESP;
9d1c15ef 2122 }
2b4a568d
JH		 2123#endif
2124
0cbf2b82 2125#ifndef DISABLE_EVENT
774ef2d7 2126if (tb->event_action)
a7538db1 2127 {
774ef2d7 2128 state->event_action = tb->event_action;
a7538db1 2129 gnutls_session_set_ptr(state->session, state);
723fe533 2130 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH		 2131 }
2132#endif
2133
27f19eb4 2134gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) fd);
17c76198
PP		 2135state->fd_in = fd;
2136state->fd_out = fd;
059ec3d9 2137
9d1c15ef 2138DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH		 2139/* There doesn't seem to be a built-in timeout on connection. */
2140
2141sigalrm_seen = FALSE;
65867078 2142alarm(ob->command_timeout);
17c76198
PP		 2143do
2144 {
2145 rc = gnutls_handshake(state->session);
619b2b25
PP		 2146 } while ((rc == GNUTLS_E_AGAIN) ||
2147 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
059ec3d9
PH		 2148alarm(0);
2149
4fe99a6c 2150if (rc != GNUTLS_E_SUCCESS)
60d10ce7
JH		 2151 if (sigalrm_seen)
2152 {
2153 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
cf0c6164 2154 return tls_error(US"gnutls_handshake", "timed out", state->host, errstr);
60d10ce7
JH		 2155 }
2156 else
cf0c6164 2157 return tls_error(US"gnutls_handshake", gnutls_strerror(rc), state->host, errstr);
4fe99a6c 2158
17c76198 2159DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
059ec3d9 2160
17c76198 2161/* Verify late */
059ec3d9 2162
17c76198 2163if (state->verify_requirement != VERIFY_NONE &&
cf0c6164
JH		 2164 !verify_certificate(state, errstr))
2165 return tls_error(US"certificate verification failed", *errstr, state->host, errstr);
059ec3d9 2166
f2de3a33 2167#ifndef DISABLE_OCSP
2b4a568d
JH		 2168if (require_ocsp)
2169 {
2170 DEBUG(D_tls)
2171 {
2172 gnutls_datum_t stapling;
2173 gnutls_ocsp_resp_t resp;
2174 gnutls_datum_t printed;
2175 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
2176 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
2177 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2178 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
2179 )
2180 {
65867078 2181 debug_printf("%.4096s", printed.data);
2b4a568d
JH		 2182 gnutls_free(printed.data);
2183 }
2184 else
cf0c6164 2185 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host, errstr);
2b4a568d
JH		 2186 }
2187
2b4a568d 2188 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2
JH		 2189 {
2190 tls_out.ocsp = OCSP_FAILED;
cf0c6164 2191 return tls_error(US"certificate status check failed", NULL, state->host, errstr);
018058b2 2192 }
2b4a568d 2193 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
44662487 2194 tls_out.ocsp = OCSP_VFIED;
2b4a568d
JH		 2195 }
2196#endif
2197
17c76198 2198/* Figure out peer DN, and if authenticated, etc. */
059ec3d9 2199
cf0c6164 2200if ((rc = peer_status(state, errstr)) != OK)
2b4a568d 2201 return rc;
059ec3d9 2202
4fe99a6c 2203/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 2204
9d1c15ef 2205extract_exim_vars_from_tls_state(state);
059ec3d9 2206
059ec3d9
PH		 2207return OK;
2208}
2209
2210
2211
17c76198 2212
059ec3d9 2213/*************************************************
17c76198 2214* Close down a TLS session *
059ec3d9
PH		 2215*************************************************/
2216
17c76198
PP		 2217/* This is also called from within a delivery subprocess forked from the
2218daemon, to shut down the TLS library, without actually doing a shutdown (which
2219would tamper with the TLS session in the parent process).
059ec3d9 2220
17c76198
PP		 2221Arguments: TRUE if gnutls_bye is to be called
2222Returns: nothing
059ec3d9
PH		 2223*/
2224
17c76198 2225void
817d9f57 2226tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 2227{
817d9f57 2228exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
059ec3d9 2229
389ca47a 2230if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
17c76198
PP		 2231
2232if (shutdown)
2233 {
f5723109 2234 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
17c76198
PP		 2235 gnutls_bye(state->session, GNUTLS_SHUT_WR);
2236 }
2237
2238gnutls_deinit(state->session);
ed62aae3
HSHR		 2239gnutls_certificate_free_credentials(state->x509_cred);
2240
17c76198 2241
389ca47a 2242state->tlsp->active = -1;
17c76198
PP		 2243memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
2244
2245if ((state_server.session == NULL) && (state_client.session == NULL))
2246 {
2247 gnutls_global_deinit();
2248 exim_gnutls_base_init_done = FALSE;
2249 }
059ec3d9
PH		 2250}
2251
2252
2253
17c76198 2254
0d81dabc
JH		 2255static BOOL
2256tls_refill(unsigned lim)
2257{
2258exim_gnutls_state_st * state = &state_server;
2259ssize_t inbytes;
2260
2261DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2262 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
2263
2264if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2265inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
2266 MIN(ssl_xfer_buffer_size, lim));
2267alarm(0);
2268
2269/* Timeouts do not get this far; see command_timeout_handler().
2270 A zero-byte return appears to mean that the TLS session has been
2271 closed down, not that the socket itself has been closed down. Revert to
2272 non-TLS handling. */
2273
2274if (sigalrm_seen)
2275 {
2276 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
2277 state->xfer_error = 1;
2278 return FALSE;
2279 }
2280
2281else if (inbytes == 0)
2282 {
2283 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2284
2285 receive_getc = smtp_getc;
2286 receive_getbuf = smtp_getbuf;
2287 receive_get_cache = smtp_get_cache;
2288 receive_ungetc = smtp_ungetc;
2289 receive_feof = smtp_feof;
2290 receive_ferror = smtp_ferror;
2291 receive_smtp_buffered = smtp_buffered;
2292
2293 gnutls_deinit(state->session);
2294 gnutls_certificate_free_credentials(state->x509_cred);
2295
2296 state->session = NULL;
2297 state->tlsp->active = -1;
2298 state->tlsp->bits = 0;
2299 state->tlsp->certificate_verified = FALSE;
2300 tls_channelbinding_b64 = NULL;
2301 state->tlsp->cipher = NULL;
2302 state->tlsp->peercert = NULL;
2303 state->tlsp->peerdn = NULL;
2304
2305 return FALSE;
2306 }
2307
2308/* Handle genuine errors */
2309
2310else if (inbytes < 0)
2311 {
2312 record_io_error(state, (int) inbytes, US"recv", NULL);
2313 state->xfer_error = 1;
2314 return FALSE;
2315 }
2316#ifndef DISABLE_DKIM
2317dkim_exim_verify_feed(state->xfer_buffer, inbytes);
2318#endif
2319state->xfer_buffer_hwm = (int) inbytes;
2320state->xfer_buffer_lwm = 0;
2321return TRUE;
2322}
2323
059ec3d9
PH		 2324/*************************************************
2325* TLS version of getc *
2326*************************************************/
2327
2328/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2329it refills the buffer via the GnuTLS reading function.
817d9f57 2330Only used by the server-side TLS.
059ec3d9 2331
17c76198
PP		 2332This feeds DKIM and should be used for all message-body reads.
2333
bd8fbe36 2334Arguments: lim Maximum amount to read/bufffer
059ec3d9
PH		 2335Returns: the next character or EOF
2336*/
2337
2338int
bd8fbe36 2339tls_getc(unsigned lim)
059ec3d9 2340{
0d81dabc 2341exim_gnutls_state_st * state = &state_server;
059ec3d9 2342
0d81dabc
JH		 2343if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2344 if (!tls_refill(lim))
2345 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 2346
0d81dabc 2347/* Something in the buffer; return next uschar */
059ec3d9 2348
0d81dabc
JH		 2349return state->xfer_buffer[state->xfer_buffer_lwm++];
2350}
059ec3d9 2351
0d81dabc
JH		 2352uschar *
2353tls_getbuf(unsigned * len)
2354{
2355exim_gnutls_state_st * state = &state_server;
2356unsigned size;
2357uschar * buf;
059ec3d9 2358
0d81dabc
JH		 2359if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2360 if (!tls_refill(*len))
059ec3d9 2361 {
0d81dabc
JH		 2362 if (!state->xfer_error) return smtp_getbuf(len);
2363 *len = 0;
2364 return NULL;
059ec3d9 2365 }
059ec3d9 2366
0d81dabc
JH		 2367if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
2368 size = *len;
2369buf = &state->xfer_buffer[state->xfer_buffer_lwm];
2370state->xfer_buffer_lwm += size;
2371*len = size;
2372return buf;
059ec3d9
PH		 2373}
2374
0d81dabc 2375
584e96c6
JH		 2376void
2377tls_get_cache()
2378{
9960d1e5 2379#ifndef DISABLE_DKIM
584e96c6
JH		 2380exim_gnutls_state_st * state = &state_server;
2381int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
2382if (n > 0)
2383 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 2384#endif
9960d1e5 2385}
584e96c6 2386
059ec3d9 2387
925ac8e4
JH		 2388BOOL
2389tls_could_read(void)
2390{
2391return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
2392 || gnutls_record_check_pending(state_server.session) > 0;
2393}
2394
2395
059ec3d9 2396
17c76198 2397
059ec3d9
PH		 2398/*************************************************
2399* Read bytes from TLS channel *
2400*************************************************/
2401
17c76198
PP		 2402/* This does not feed DKIM, so if the caller uses this for reading message body,
2403then the caller must feed DKIM.
817d9f57 2404
059ec3d9
PH		 2405Arguments:
2406 buff buffer of data
2407 len size of buffer
2408
2409Returns: the number of bytes read
2410 -1 after a failed read
2411*/
2412
2413int
817d9f57 2414tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 2415{
817d9f57 2416exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
17c76198 2417ssize_t inbytes;
059ec3d9 2418
17c76198
PP		 2419if (len > INT_MAX)
2420 len = INT_MAX;
059ec3d9 2421
17c76198
PP		 2422if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
2423 DEBUG(D_tls)
2424 debug_printf("*** PROBABLY A BUG *** " \
2425 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
2426 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
2427
2428DEBUG(D_tls)
2429 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
2430 state->session, buff, len);
2431
2432inbytes = gnutls_record_recv(state->session, buff, len);
059ec3d9
PH		 2433if (inbytes > 0) return inbytes;
2434if (inbytes == 0)
2435 {
2436 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2437 }
17c76198 2438else record_io_error(state, (int)inbytes, US"recv", NULL);
059ec3d9
PH		 2439
2440return -1;
2441}
2442
2443
2444
17c76198 2445
059ec3d9
PH		 2446/*************************************************
2447* Write bytes down TLS channel *
2448*************************************************/
2449
2450/*
2451Arguments:
817d9f57 2452 is_server channel specifier
059ec3d9
PH		 2453 buff buffer of data
2454 len number of bytes
925ac8e4 2455 more more data expected soon
059ec3d9
PH		 2456
2457Returns: the number of bytes after a successful write,
2458 -1 after a failed write
2459*/
2460
2461int
925ac8e4 2462tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
059ec3d9 2463{
17c76198
PP		 2464ssize_t outbytes;
2465size_t left = len;
817d9f57 2466exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
925ac8e4
JH		 2467#ifdef SUPPORT_CORK
2468static BOOL corked = FALSE;
2469
2470if (more && !corked) gnutls_record_cork(state->session);
2471#endif
2472
2473DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
2474 buff, left, more ? ", more" : "");
059ec3d9 2475
059ec3d9
PH		 2476while (left > 0)
2477 {
17c76198
PP		 2478 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
2479 buff, left);
2480 outbytes = gnutls_record_send(state->session, buff, left);
059ec3d9 2481
17c76198 2482 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH		 2483 if (outbytes < 0)
2484 {
17c76198 2485 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH		 2486 return -1;
2487 }
2488 if (outbytes == 0)
2489 {
17c76198 2490 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH		 2491 return -1;
2492 }
2493
2494 left -= outbytes;
2495 buff += outbytes;
2496 }
2497
17c76198
PP		 2498if (len > INT_MAX)
2499 {
2500 DEBUG(D_tls)
2501 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
2502 len);
2503 len = INT_MAX;
2504 }
2505
925ac8e4
JH		 2506#ifdef SUPPORT_CORK
2507if (more != corked)
2508 {
2509 if (!more) (void) gnutls_record_uncork(state->session, 0);
2510 corked = more;
2511 }
2512#endif
2513
17c76198 2514return (int) len;
059ec3d9
PH		 2515}
2516
2517
2518
17c76198 2519
059ec3d9 2520/*************************************************
17c76198 2521* Random number generation *
059ec3d9
PH		 2522*************************************************/
2523
17c76198
PP		 2524/* Pseudo-random number generation. The result is not expected to be
2525cryptographically strong but not so weak that someone will shoot themselves
2526in the foot using it as a nonce in input in some email header scheme or
2527whatever weirdness they'll twist this into. The result should handle fork()
2528and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 2529
17c76198
PP		 2530Arguments:
2531 max range maximum
2532Returns a random number in range [0, max-1]
059ec3d9
PH		 2533*/
2534
af3498d6 2535#ifdef HAVE_GNUTLS_RND
17c76198
PP		 2536int
2537vaguely_random_number(int max)
059ec3d9 2538{
17c76198
PP		 2539unsigned int r;
2540int i, needed_len;
2541uschar *p;
2542uschar smallbuf[sizeof(r)];
2543
2544if (max <= 1)
2545 return 0;
2546
2547needed_len = sizeof(r);
2548/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2549 * asked for a number less than 10. */
2550for (r = max, i = 0; r; ++i)
2551 r >>= 1;
2552i = (i + 7) / 8;
2553if (i < needed_len)
2554 needed_len = i;
2555
2556i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2557if (i < 0)
059ec3d9 2558 {
17c76198
PP		 2559 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2560 return vaguely_random_number_fallback(max);
2561 }
2562r = 0;
2563for (p = smallbuf; needed_len; --needed_len, ++p)
2564 {
2565 r *= 256;
2566 r += *p;
059ec3d9
PH		 2567 }
2568
17c76198
PP		 2569/* We don't particularly care about weighted results; if someone wants
2570 * smooth distribution and cares enough then they should submit a patch then. */
2571return r % max;
059ec3d9 2572}
af3498d6
PP		 2573#else /* HAVE_GNUTLS_RND */
2574int
2575vaguely_random_number(int max)
2576{
2577 return vaguely_random_number_fallback(max);
2578}
2579#endif /* HAVE_GNUTLS_RND */
059ec3d9 2580
36f12725
NM		 2581
2582
2583
3375e053
PP		 2584/*************************************************
2585* Let tls_require_ciphers be checked at startup *
2586*************************************************/
2587
2588/* The tls_require_ciphers option, if set, must be something which the
2589library can parse.
2590
2591Returns: NULL on success, or error message
2592*/
2593
2594uschar *
2595tls_validate_require_cipher(void)
2596{
2597int rc;
2598uschar *expciphers = NULL;
2599gnutls_priority_t priority_cache;
2600const char *errpos;
cf0c6164 2601uschar * dummy_errstr;
3375e053
PP		 2602
2603#define validate_check_rc(Label) do { \
2604 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2605 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2606#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2607
2608if (exim_gnutls_base_init_done)
2609 log_write(0, LOG_MAIN|LOG_PANIC,
2610 "already initialised GnuTLS, Exim developer bug");
2611
a5f239e4 2612#ifdef HAVE_GNUTLS_PKCS11
2519e60d 2613if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP		 2614 {
2615 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2616 validate_check_rc(US"gnutls_pkcs11_init");
2617 }
2618#endif
3375e053
PP		 2619rc = gnutls_global_init();
2620validate_check_rc(US"gnutls_global_init()");
2621exim_gnutls_base_init_done = TRUE;
2622
2623if (!(tls_require_ciphers && *tls_require_ciphers))
2624 return_deinit(NULL);
2625
cf0c6164
JH		 2626if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2627 &dummy_errstr))
3375e053
PP		 2628 return_deinit(US"failed to expand tls_require_ciphers");
2629
2630if (!(expciphers && *expciphers))
2631 return_deinit(NULL);
2632
2633DEBUG(D_tls)
2634 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2635
2636rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2637validate_check_rc(string_sprintf(
2638 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2639 expciphers, errpos - CS expciphers, errpos));
2640
2641#undef return_deinit
2642#undef validate_check_rc
2643gnutls_global_deinit();
2644
2645return NULL;
2646}
2647
2648
2649
2650
36f12725
NM		 2651/*************************************************
2652* Report the library versions. *
2653*************************************************/
2654
2655/* See a description in tls-openssl.c for an explanation of why this exists.
2656
2657Arguments: a FILE* to print the results to
2658Returns: nothing
2659*/
2660
2661void
2662tls_version_report(FILE *f)
2663{
754a0503
PP		 2664fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2665 " Runtime: %s\n",
2666 LIBGNUTLS_VERSION,
2667 gnutls_check_version(NULL));
36f12725
NM		 2668}
2669
2b4a568d
JH		 2670/* vi: aw ai sw=2
2671*/
059ec3d9 2672/* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.