Fix build on older GnuTLS
[exim.git] / src / src / tls-gnu.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
17c76198 8/* Copyright (c) Phil Pennock 2012 */
059ec3d9 9
17c76198
PP
10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
059ec3d9 13
17c76198
PP
14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
6aa6fc9c 16Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17c76198 17appropriate.
059ec3d9 18
17c76198
PP
19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
059ec3d9 23
17c76198
PP
24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
059ec3d9 26
17c76198
PP
27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
059ec3d9 31
17c76198
PP
32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
b5aea5e1 36
17c76198
PP
37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
184384c3 42
a5f239e4
PP
43/* needed to disable PKCS11 autoload unless requested */
44#if GNUTLS_VERSION_NUMBER >= 0x020c00
45# include <gnutls/pkcs11.h>
76075bb5 46# define SUPPORT_PARAM_TO_PK_BITS
a5f239e4 47#endif
7e07527a
JH
48#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
49# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
50# define DISABLE_OCSP
51#endif
0cbf2b82 52#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
774ef2d7 53# warning "GnuTLS library version too old; tls:cert event unsupported"
0cbf2b82 54# define DISABLE_EVENT
a7538db1 55#endif
a7fec7a7
JH
56#if GNUTLS_VERSION_NUMBER >= 0x030306
57# define SUPPORT_CA_DIR
58#else
59# undef SUPPORT_CA_DIR
60#endif
11a04b5a 61#if GNUTLS_VERSION_NUMBER >= 0x030014
cb1d7830
JH
62# define SUPPORT_SYSDEFAULT_CABUNDLE
63#endif
184384c3
JH
64#if GNUTLS_VERSION_NUMBER >= 0x030104
65# define GNUTLS_CERT_VFY_STATUS_PRINT
66#endif
925ac8e4
JH
67#if GNUTLS_VERSION_NUMBER >= 0x030109
68# define SUPPORT_CORK
69#endif
f20cfa4a
JH
70#if GNUTLS_VERSION_NUMBER >= 0x03010a
71# define SUPPORT_GNUTLS_SESS_DESC
72#endif
73#if GNUTLS_VERSION_NUMBER >= 0x030500
74# define SUPPORT_GNUTLS_KEYLOG
75#endif
47195144
JH
76#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
77# define SUPPORT_SRV_OCSP_STACK
78#endif
c0635b6d
JH
79
80#ifdef SUPPORT_DANE
81# if GNUTLS_VERSION_NUMBER >= 0x030000
82# define DANESSL_USAGE_DANE_TA 2
83# define DANESSL_USAGE_DANE_EE 3
84# else
85# error GnuTLS version too early for DANE
86# endif
87# if GNUTLS_VERSION_NUMBER < 0x999999
88# define GNUTLS_BROKEN_DANE_VALIDATION
89# endif
899b8bbc 90#endif
7e07527a 91
f2de3a33 92#ifndef DISABLE_OCSP
2b4a568d
JH
93# include <gnutls/ocsp.h>
94#endif
899b8bbc
JH
95#ifdef SUPPORT_DANE
96# include <gnutls/dane.h>
97#endif
059ec3d9 98
f1be21cf
JH
99#include "tls-cipher-stdname.c"
100
101
b10c87b3
JH
102#ifdef MACRO_PREDEF
103void
104options_tls(void)
105{
106# ifdef EXPERIMENTAL_TLS_RESUME
107builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
108# endif
109}
110#else
111
112
17c76198 113/* GnuTLS 2 vs 3
059ec3d9 114
17c76198
PP
115GnuTLS 3 only:
116 gnutls_global_set_audit_log_function()
059ec3d9 117
17c76198
PP
118Changes:
119 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
120*/
059ec3d9 121
17c76198 122/* Local static variables for GnuTLS */
059ec3d9 123
17c76198 124/* Values for verify_requirement */
059ec3d9 125
e51c7be2 126enum peer_verify_requirement
899b8bbc 127 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
059ec3d9 128
17c76198
PP
129/* This holds most state for server or client; with this, we can set up an
130outbound TLS-enabled connection in an ACL callout, while not stomping all
131over the TLS variables available for expansion.
059ec3d9 132
17c76198
PP
133Some of these correspond to variables in globals.c; those variables will
134be set to point to content in one of these instances, as appropriate for
135the stage of the process lifetime.
059ec3d9 136
389ca47a 137Not handled here: global tls_channelbinding_b64.
17c76198 138*/
059ec3d9 139
17c76198 140typedef struct exim_gnutls_state {
9d1c15ef 141 gnutls_session_t session;
17c76198 142 gnutls_certificate_credentials_t x509_cred;
9d1c15ef 143 gnutls_priority_t priority_cache;
17c76198 144 enum peer_verify_requirement verify_requirement;
9d1c15ef
JH
145 int fd_in;
146 int fd_out;
147 BOOL peer_cert_verified;
899b8bbc 148 BOOL peer_dane_verified;
9d1c15ef
JH
149 BOOL trigger_sni_changes;
150 BOOL have_set_peerdn;
5fd28bb8 151 const struct host_item *host; /* NULL if server */
afdb5e9c 152 gnutls_x509_crt_t peercert;
9d1c15ef
JH
153 uschar *peerdn;
154 uschar *ciphersuite;
155 uschar *received_sni;
17c76198
PP
156
157 const uschar *tls_certificate;
158 const uschar *tls_privatekey;
159 const uschar *tls_sni; /* client send only, not received */
160 const uschar *tls_verify_certificates;
161 const uschar *tls_crl;
162 const uschar *tls_require_ciphers;
e51c7be2 163
17c76198
PP
164 uschar *exp_tls_certificate;
165 uschar *exp_tls_privatekey;
17c76198
PP
166 uschar *exp_tls_verify_certificates;
167 uschar *exp_tls_crl;
168 uschar *exp_tls_require_ciphers;
55414b25 169 const uschar *exp_tls_verify_cert_hostnames;
0cbf2b82 170#ifndef DISABLE_EVENT
a7538db1
JH
171 uschar *event_action;
172#endif
899b8bbc
JH
173#ifdef SUPPORT_DANE
174 char * const * dane_data;
175 const int * dane_data_len;
176#endif
17c76198 177
389ca47a 178 tls_support *tlsp; /* set in tls_init() */
817d9f57 179
17c76198
PP
180 uschar *xfer_buffer;
181 int xfer_buffer_lwm;
182 int xfer_buffer_hwm;
8b77d27a
JH
183 BOOL xfer_eof; /*XXX never gets set! */
184 BOOL xfer_error;
17c76198
PP
185} exim_gnutls_state_st;
186
187static const exim_gnutls_state_st exim_gnutls_state_init = {
b10c87b3 188 /* all elements not explicitly intialised here get 0/NULL/FALSE */
f2ed27cf
JH
189 .fd_in = -1,
190 .fd_out = -1,
17c76198 191};
83da1223 192
17c76198
PP
193/* Not only do we have our own APIs which don't pass around state, assuming
194it's held in globals, GnuTLS doesn't appear to let us register callback data
195for callbacks, or as part of the session, so we have to keep a "this is the
196context we're currently dealing with" pointer and rely upon being
197single-threaded to keep from processing data on an inbound TLS connection while
198talking to another TLS connection for an outbound check. This does mean that
199there's no way for heart-beats to be responded to, for the duration of the
a7538db1
JH
200second connection.
201XXX But see gnutls_session_get_ptr()
202*/
059ec3d9 203
74f1a423 204static exim_gnutls_state_st state_server;
059ec3d9 205
17c76198
PP
206/* dh_params are initialised once within the lifetime of a process using TLS;
207if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
208don't want to repeat this. */
83da1223 209
17c76198 210static gnutls_dh_params_t dh_server_params = NULL;
059ec3d9 211
b10c87b3 212static int ssl_session_timeout = 3600; /* One hour */
059ec3d9 213
fc243e94 214static const uschar * const exim_default_gnutls_priority = US"NORMAL";
83da1223 215
17c76198 216/* Guard library core initialisation */
83da1223 217
17c76198 218static BOOL exim_gnutls_base_init_done = FALSE;
059ec3d9 219
4fb7df6d 220#ifndef DISABLE_OCSP
9196d5bf 221static BOOL gnutls_buggy_ocsp = FALSE;
4fb7df6d 222#endif
9196d5bf 223
b10c87b3
JH
224#ifdef EXPERIMENTAL_TLS_RESUME
225static gnutls_datum_t server_sessticket_key;
226#endif
059ec3d9 227
17c76198 228/* ------------------------------------------------------------------------ */
17c76198 229/* macros */
83da1223 230
17c76198 231#define MAX_HOST_LEN 255
83da1223 232
17c76198
PP
233/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
234the library logging; a value less than 0 disables the calls to set up logging
dc6d1769
JH
235callbacks. GNuTLS also looks for an environment variable - except not for
236setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
237Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
238but the env var must be added to /etc/sudoers too. */
2c17bb02 239#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
b1a4f234 240# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
2c17bb02 241#endif
83da1223 242
2c17bb02 243#ifndef EXIM_CLIENT_DH_MIN_BITS
a7538db1 244# define EXIM_CLIENT_DH_MIN_BITS 1024
2c17bb02 245#endif
83da1223 246
af3498d6
PP
247/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
248can ask for a bit-strength. Without that, we stick to the constant we had
249before, for now. */
2c17bb02 250#ifndef EXIM_SERVER_DH_BITS_PRE2_12
a7538db1 251# define EXIM_SERVER_DH_BITS_PRE2_12 1024
2c17bb02 252#endif
af3498d6 253
cf0c6164
JH
254#define expand_check_tlsvar(Varname, errstr) \
255 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
83da1223 256
17c76198 257#if GNUTLS_VERSION_NUMBER >= 0x020c00
e51c7be2
JH
258# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
259# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
260# define HAVE_GNUTLS_RND
2519e60d
TL
261/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
262 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
263 * isn't available sometimes, so this needs to become a conditional
264 * compilation; the sanest way to deal with this being a problem on
265 * older OSes is to block it in the Local/Makefile with this compiler
266 * definition */
e51c7be2
JH
267# ifndef AVOID_GNUTLS_PKCS11
268# define HAVE_GNUTLS_PKCS11
269# endif /* AVOID_GNUTLS_PKCS11 */
17c76198 270#endif
83da1223 271
af3498d6
PP
272
273
274
275/* ------------------------------------------------------------------------ */
276/* Callback declarations */
277
278#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
279static void exim_gnutls_logger_cb(int level, const char *message);
280#endif
281
282static int exim_sni_handling_cb(gnutls_session_t session);
283
f2de3a33 284#ifndef DISABLE_OCSP
44662487
JH
285static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
286 gnutls_datum_t * ocsp_response);
287#endif
af3498d6
PP
288
289
290
b10c87b3
JH
291/* Daemon one-time initialisation */
292void
293tls_daemon_init(void)
294{
295#ifdef EXPERIMENTAL_TLS_RESUME
296/* We are dependent on the GnuTLS implementation of the Session Ticket
297encryption; both the strength and the key rotation period. We hope that
298the strength at least matches that of the ciphersuite (but GnuTLS does not
299document this). */
300
301static BOOL once = FALSE;
302if (once) return;
303once = TRUE;
304gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
305if (f.running_in_test_harness) ssl_session_timeout = 6;
306#endif
307}
308
17c76198
PP
309/* ------------------------------------------------------------------------ */
310/* Static functions */
059ec3d9
PH
311
312/*************************************************
313* Handle TLS error *
314*************************************************/
315
316/* Called from lots of places when errors occur before actually starting to do
317the TLS handshake, that is, while the session is still in clear. Always returns
318DEFER for a server and FAIL for a client so that most calls can use "return
319tls_error(...)" to do this processing and then give an appropriate return. A
320single function is used for both server and client, because it is called from
321some shared functions.
322
323Argument:
324 prefix text to include in the logged error
7199e1ee
TF
325 msg additional error string (may be NULL)
326 usually obtained from gnutls_strerror()
17c76198
PP
327 host NULL if setting up a server;
328 the connected host if setting up a client
cf0c6164 329 errstr pointer to returned error string
059ec3d9
PH
330
331Returns: OK/DEFER/FAIL
332*/
333
334static int
48224640 335tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
cf0c6164 336 uschar ** errstr)
059ec3d9 337{
cf0c6164 338if (errstr)
48224640 339 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
cf0c6164 340return host ? FAIL : DEFER;
059ec3d9
PH
341}
342
343
452a164f
JH
344static int
345tls_error_gnu(const uschar *prefix, int err, const host_item *host,
346 uschar ** errstr)
347{
348return tls_error(prefix, US gnutls_strerror(err), host, errstr);
349}
350
351static int
352tls_error_sys(const uschar *prefix, int err, const host_item *host,
353 uschar ** errstr)
354{
355return tls_error(prefix, US strerror(err), host, errstr);
356}
059ec3d9 357
17c76198 358
059ec3d9 359/*************************************************
17c76198 360* Deal with logging errors during I/O *
059ec3d9
PH
361*************************************************/
362
17c76198 363/* We have to get the identity of the peer from saved data.
059ec3d9 364
17c76198
PP
365Argument:
366 state the current GnuTLS exim state container
367 rc the GnuTLS error code, or 0 if it's a local error
368 when text identifying read or write
95f52235 369 text local error text when rc is 0
059ec3d9 370
17c76198 371Returns: nothing
059ec3d9
PH
372*/
373
17c76198
PP
374static void
375record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
059ec3d9 376{
48224640 377const uschar * msg;
cf0c6164 378uschar * errstr;
059ec3d9 379
17c76198 380if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
95f52235 381 msg = string_sprintf("A TLS fatal alert has been received: %s",
17c76198
PP
382 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
383else
48224640 384 msg = US gnutls_strerror(rc);
059ec3d9 385
cf0c6164
JH
386(void) tls_error(when, msg, state->host, &errstr);
387
388if (state->host)
389 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
390 state->host->name, state->host->address, errstr);
391else
392 {
393 uschar * conn_info = smtp_get_connection_info();
394 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
395 /* I'd like to get separated H= here, but too hard for now */
396 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
397 }
17c76198 398}
059ec3d9 399
059ec3d9 400
059ec3d9 401
059ec3d9 402
17c76198
PP
403/*************************************************
404* Set various Exim expansion vars *
405*************************************************/
059ec3d9 406
e51c7be2
JH
407#define exim_gnutls_cert_err(Label) \
408 do \
409 { \
410 if (rc != GNUTLS_E_SUCCESS) \
411 { \
412 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
413 (Label), gnutls_strerror(rc)); \
414 return rc; \
415 } \
416 } while (0)
9d1c15ef
JH
417
418static int
27f19eb4 419import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
9d1c15ef
JH
420{
421int rc;
422
423rc = gnutls_x509_crt_init(crtp);
424exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
425
426rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
427exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
428
429return rc;
430}
431
432#undef exim_gnutls_cert_err
433
434
17c76198
PP
435/* We set various Exim global variables from the state, once a session has
436been established. With TLS callouts, may need to change this to stack
437variables, or just re-call it with the server state after client callout
438has finished.
059ec3d9 439
9d1c15ef 440Make sure anything set here is unset in tls_getc().
17c76198
PP
441
442Sets:
443 tls_active fd
444 tls_bits strength indicator
445 tls_certificate_verified bool indicator
446 tls_channelbinding_b64 for some SASL mechanisms
447 tls_cipher a string
9d1c15ef 448 tls_peercert pointer to library internal
17c76198
PP
449 tls_peerdn a string
450 tls_sni a (UTF-8) string
9d1c15ef 451 tls_ourcert pointer to library internal
17c76198
PP
452
453Argument:
454 state the relevant exim_gnutls_state_st *
455*/
456
457static void
9d1c15ef 458extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
17c76198 459{
17c76198
PP
460#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
461int old_pool;
462int rc;
463gnutls_datum_t channel;
464#endif
9d1c15ef 465tls_support * tlsp = state->tlsp;
17c76198 466
74f1a423
JH
467tlsp->active.sock = state->fd_out;
468tlsp->active.tls_ctx = state;
17c76198 469
817d9f57 470DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
17c76198 471
9d1c15ef 472tlsp->certificate_verified = state->peer_cert_verified;
899b8bbc
JH
473#ifdef SUPPORT_DANE
474tlsp->dane_verified = state->peer_dane_verified;
475#endif
059ec3d9 476
17c76198
PP
477/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
478only available for use for authenticators while this TLS session is running. */
479
480tls_channelbinding_b64 = NULL;
481#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
482channel.data = NULL;
483channel.size = 0;
1f20760b
JH
484if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
485 { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
486else
487 {
17c76198
PP
488 old_pool = store_pool;
489 store_pool = POOL_PERM;
1f20760b 490 tls_channelbinding_b64 = b64encode(CUS channel.data, (int)channel.size);
17c76198
PP
491 store_pool = old_pool;
492 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
1f20760b 493 }
17c76198
PP
494#endif
495
9d1c15ef
JH
496/* peercert is set in peer_status() */
497tlsp->peerdn = state->peerdn;
498tlsp->sni = state->received_sni;
499
500/* record our certificate */
501 {
27f19eb4 502 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
9d1c15ef
JH
503 gnutls_x509_crt_t crt;
504
505 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
506 }
059ec3d9
PH
507}
508
509
510
17c76198 511
059ec3d9 512/*************************************************
575643cd 513* Setup up DH parameters *
059ec3d9
PH
514*************************************************/
515
575643cd 516/* Generating the D-H parameters may take a long time. They only need to
059ec3d9
PH
517be re-generated every so often, depending on security policy. What we do is to
518keep these parameters in a file in the spool directory. If the file does not
519exist, we generate them. This means that it is easy to cause a regeneration.
520
521The new file is written as a temporary file and renamed, so that an incomplete
522file is never present. If two processes both compute some new parameters, you
523waste a bit of effort, but it doesn't seem worth messing around with locking to
524prevent this.
525
059ec3d9
PH
526Returns: OK/DEFER/FAIL
527*/
528
529static int
cf0c6164 530init_server_dh(uschar ** errstr)
059ec3d9 531{
17c76198
PP
532int fd, rc;
533unsigned int dh_bits;
27f19eb4 534gnutls_datum_t m;
a799883d
PP
535uschar filename_buf[PATH_MAX];
536uschar *filename = NULL;
17c76198 537size_t sz;
a799883d
PP
538uschar *exp_tls_dhparam;
539BOOL use_file_in_spool = FALSE;
17c76198 540host_item *host = NULL; /* dummy for macros */
059ec3d9 541
17c76198 542DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
059ec3d9 543
452a164f
JH
544if ((rc = gnutls_dh_params_init(&dh_server_params)))
545 return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
059ec3d9 546
a799883d
PP
547m.data = NULL;
548m.size = 0;
549
cf0c6164 550if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
a799883d
PP
551 return DEFER;
552
553if (!exp_tls_dhparam)
554 {
555 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
556 m.data = US std_dh_prime_default();
557 m.size = Ustrlen(m.data);
558 }
559else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
560 use_file_in_spool = TRUE;
561else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
562 {
563 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
564 return OK;
565 }
566else if (exp_tls_dhparam[0] != '/')
567 {
f5d25c2b 568 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
48224640 569 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
a799883d
PP
570 m.size = Ustrlen(m.data);
571 }
572else
a799883d 573 filename = exp_tls_dhparam;
a799883d
PP
574
575if (m.data)
576 {
452a164f
JH
577 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
578 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
a799883d
PP
579 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
580 return OK;
581 }
582
af3498d6
PP
583#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
584/* If you change this constant, also change dh_param_fn_ext so that we can use a
17c76198 585different filename and ensure we have sufficient bits. */
452a164f
JH
586
587if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
cf0c6164 588 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
af3498d6 589DEBUG(D_tls)
b34fc30c 590 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
af3498d6
PP
591 dh_bits);
592#else
593dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
594DEBUG(D_tls)
595 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
596 dh_bits);
597#endif
059ec3d9 598
3375e053
PP
599/* Some clients have hard-coded limits. */
600if (dh_bits > tls_dh_max_bits)
601 {
602 DEBUG(D_tls)
603 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
604 tls_dh_max_bits);
605 dh_bits = tls_dh_max_bits;
606 }
607
a799883d
PP
608if (use_file_in_spool)
609 {
610 if (!string_format(filename_buf, sizeof(filename_buf),
611 "%s/gnutls-params-%d", spool_directory, dh_bits))
cf0c6164 612 return tls_error(US"overlong filename", NULL, NULL, errstr);
a799883d
PP
613 filename = filename_buf;
614 }
059ec3d9 615
b5aea5e1 616/* Open the cache file for reading and if successful, read it and set up the
575643cd 617parameters. */
059ec3d9 618
f5d25c2b 619if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
059ec3d9 620 {
b5aea5e1 621 struct stat statbuf;
17c76198
PP
622 FILE *fp;
623 int saved_errno;
624
625 if (fstat(fd, &statbuf) < 0) /* EIO */
626 {
627 saved_errno = errno;
628 (void)close(fd);
452a164f 629 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
17c76198
PP
630 }
631 if (!S_ISREG(statbuf.st_mode))
b5aea5e1
PH
632 {
633 (void)close(fd);
cf0c6164 634 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
17c76198 635 }
40c90bca 636 if (!(fp = fdopen(fd, "rb")))
17c76198
PP
637 {
638 saved_errno = errno;
639 (void)close(fd);
452a164f
JH
640 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
641 saved_errno, NULL, errstr);
b5aea5e1 642 }
059ec3d9 643
b5aea5e1 644 m.size = statbuf.st_size;
40c90bca 645 if (!(m.data = malloc(m.size)))
17c76198
PP
646 {
647 fclose(fp);
452a164f 648 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
17c76198 649 }
40c90bca 650 if (!(sz = fread(m.data, m.size, 1, fp)))
17c76198
PP
651 {
652 saved_errno = errno;
653 fclose(fp);
654 free(m.data);
452a164f 655 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
17c76198
PP
656 }
657 fclose(fp);
b5aea5e1 658
17c76198 659 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
b5aea5e1 660 free(m.data);
452a164f
JH
661 if (rc)
662 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
17c76198 663 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
b5aea5e1
PH
664 }
665
666/* If the file does not exist, fall through to compute new data and cache it.
667If there was any other opening error, it is serious. */
668
182ad5cf
PH
669else if (errno == ENOENT)
670 {
17c76198 671 rc = -1;
182ad5cf 672 DEBUG(D_tls)
17c76198 673 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
182ad5cf
PH
674 }
675else
17c76198 676 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
cf0c6164 677 NULL, NULL, errstr);
b5aea5e1
PH
678
679/* If ret < 0, either the cache file does not exist, or the data it contains
680is not useful. One particular case of this is when upgrading from an older
681release of Exim in which the data was stored in a different format. We don't
682try to be clever and support both formats; we just regenerate new data in this
683case. */
684
17c76198 685if (rc < 0)
b5aea5e1 686 {
17c76198 687 uschar *temp_fn;
201f5254 688 unsigned int dh_bits_gen = dh_bits;
059ec3d9 689
17c76198
PP
690 if ((PATH_MAX - Ustrlen(filename)) < 10)
691 return tls_error(US"Filename too long to generate replacement",
48224640 692 filename, NULL, errstr);
059ec3d9 693
48224640 694 temp_fn = string_copy(US"%s.XXXXXXX");
f5d25c2b 695 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
452a164f 696 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
b66fecb4 697 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
059ec3d9 698
201f5254
PP
699 /* GnuTLS overshoots!
700 * If we ask for 2236, we might get 2237 or more.
701 * But there's no way to ask GnuTLS how many bits there really are.
702 * We can ask how many bits were used in a TLS session, but that's it!
703 * The prime itself is hidden behind too much abstraction.
704 * So we ask for less, and proceed on a wing and a prayer.
705 * First attempt, subtracted 3 for 2233 and got 2240.
706 */
cae6e576 707 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
201f5254
PP
708 {
709 dh_bits_gen = dh_bits - 10;
710 DEBUG(D_tls)
711 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
712 dh_bits_gen);
713 }
714
715 DEBUG(D_tls)
716 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
717 dh_bits_gen);
452a164f
JH
718 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
719 return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
17c76198
PP
720
721 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
722 and I confirmed that a NULL call to get the size first is how the GnuTLS
723 sample apps handle this. */
724
725 sz = 0;
726 m.data = NULL;
452a164f
JH
727 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
728 GNUTLS_X509_FMT_PEM, m.data, &sz))
729 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
730 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
731 rc, host, errstr);
17c76198 732 m.size = sz;
40c90bca 733 if (!(m.data = malloc(m.size)))
452a164f 734 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
40c90bca 735
1f00591e 736 /* this will return a size 1 less than the allocation size above */
452a164f
JH
737 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
738 m.data, &sz)))
17c76198
PP
739 {
740 free(m.data);
452a164f 741 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
17c76198 742 }
1f00591e 743 m.size = sz; /* shrink by 1, probably */
059ec3d9 744
f5d25c2b 745 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
17c76198
PP
746 {
747 free(m.data);
452a164f
JH
748 return tls_error_sys(US"TLS cache write D-H params failed",
749 errno, NULL, errstr);
17c76198 750 }
b5aea5e1 751 free(m.data);
f5d25c2b 752 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
452a164f
JH
753 return tls_error_sys(US"TLS cache write D-H params final newline failed",
754 errno, NULL, errstr);
17c76198 755
f5d25c2b 756 if ((rc = close(fd)))
452a164f 757 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
059ec3d9 758
17c76198 759 if (Urename(temp_fn, filename) < 0)
452a164f
JH
760 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
761 temp_fn, filename), errno, NULL, errstr);
059ec3d9 762
17c76198 763 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
059ec3d9
PH
764 }
765
17c76198 766DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
059ec3d9
PH
767return OK;
768}
769
770
771
772
23bb6982
JH
773/* Create and install a selfsigned certificate, for use in server mode */
774
775static int
cf0c6164 776tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
23bb6982
JH
777{
778gnutls_x509_crt_t cert = NULL;
779time_t now;
780gnutls_x509_privkey_t pkey = NULL;
781const uschar * where;
782int rc;
783
784where = US"initialising pkey";
785if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
786
787where = US"initialising cert";
788if ((rc = gnutls_x509_crt_init(&cert))) goto err;
789
790where = US"generating pkey";
791if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
76075bb5 792#ifdef SUPPORT_PARAM_TO_PK_BITS
4312da48
JH
793# ifndef GNUTLS_SEC_PARAM_MEDIUM
794# define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
795# endif
6aac3239 796 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
76075bb5 797#else
6aac3239 798 2048,
76075bb5
JH
799#endif
800 0)))
23bb6982
JH
801 goto err;
802
803where = US"configuring cert";
1613fd68 804now = 1;
23bb6982
JH
805if ( (rc = gnutls_x509_crt_set_version(cert, 3))
806 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
807 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
808 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
809 || (rc = gnutls_x509_crt_set_key(cert, pkey))
810
811 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
812 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
813 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
814 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
815 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
816 GNUTLS_OID_X520_COMMON_NAME, 0,
817 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
818 )
819 goto err;
820
821where = US"signing cert";
822if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
823
824where = US"installing selfsign cert";
825 /* Since: 2.4.0 */
826if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
827 goto err;
828
829rc = OK;
830
831out:
832 if (cert) gnutls_x509_crt_deinit(cert);
833 if (pkey) gnutls_x509_privkey_deinit(pkey);
834 return rc;
835
836err:
452a164f 837 rc = tls_error_gnu(where, rc, NULL, errstr);
23bb6982
JH
838 goto out;
839}
840
841
842
843
47195144
JH
844/* Add certificate and key, from files.
845
846Return:
847 Zero or negative: good. Negate value for certificate index if < 0.
848 Greater than zero: FAIL or DEFER code.
849*/
850
ba86e143
JH
851static int
852tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
853 uschar * certfile, uschar * keyfile, uschar ** errstr)
854{
855int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
856 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
47195144 857if (rc < 0)
452a164f 858 return tls_error_gnu(
47195144 859 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
452a164f 860 rc, host, errstr);
47195144 861return -rc;
ba86e143
JH
862}
863
864
059ec3d9 865/*************************************************
17c76198 866* Variables re-expanded post-SNI *
059ec3d9
PH
867*************************************************/
868
17c76198
PP
869/* Called from both server and client code, via tls_init(), and also from
870the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
871
872We can tell the two apart by state->received_sni being non-NULL in callback.
873
874The callback should not call us unless state->trigger_sni_changes is true,
875which we are responsible for setting on the first pass through.
059ec3d9
PH
876
877Arguments:
17c76198 878 state exim_gnutls_state_st *
cf0c6164 879 errstr error string pointer
059ec3d9
PH
880
881Returns: OK/DEFER/FAIL
882*/
883
884static int
ba86e143 885tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 886{
1365611d 887struct stat statbuf;
059ec3d9 888int rc;
17c76198
PP
889const host_item *host = state->host; /* macro should be reconsidered? */
890uschar *saved_tls_certificate = NULL;
891uschar *saved_tls_privatekey = NULL;
892uschar *saved_tls_verify_certificates = NULL;
893uschar *saved_tls_crl = NULL;
894int cert_count;
895
896/* We check for tls_sni *before* expansion. */
2b4a568d 897if (!host) /* server */
17c76198
PP
898 if (!state->received_sni)
899 {
ba86e143
JH
900 if ( state->tls_certificate
901 && ( Ustrstr(state->tls_certificate, US"tls_sni")
902 || Ustrstr(state->tls_certificate, US"tls_in_sni")
903 || Ustrstr(state->tls_certificate, US"tls_out_sni")
904 ) )
17c76198
PP
905 {
906 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
907 state->trigger_sni_changes = TRUE;
908 }
909 }
910 else
911 {
1365611d 912 /* useful for debugging */
17c76198
PP
913 saved_tls_certificate = state->exp_tls_certificate;
914 saved_tls_privatekey = state->exp_tls_privatekey;
915 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
916 saved_tls_crl = state->exp_tls_crl;
917 }
059ec3d9 918
452a164f
JH
919if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
920 return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
921 rc, host, errstr);
47195144
JH
922
923#ifdef SUPPORT_SRV_OCSP_STACK
924gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
925#endif
1365611d 926
17c76198
PP
927/* remember: expand_check_tlsvar() is expand_check() but fiddling with
928state members, assuming consistent naming; and expand_check() returns
929false if expansion failed, unless expansion was forced to fail. */
059ec3d9 930
17c76198
PP
931/* check if we at least have a certificate, before doing expensive
932D-H generation. */
059ec3d9 933
cf0c6164 934if (!expand_check_tlsvar(tls_certificate, errstr))
17c76198 935 return DEFER;
059ec3d9 936
17c76198 937/* certificate is mandatory in server, optional in client */
059ec3d9 938
23bb6982
JH
939if ( !state->exp_tls_certificate
940 || !*state->exp_tls_certificate
941 )
2b4a568d 942 if (!host)
cf0c6164 943 return tls_install_selfsign(state, errstr);
17c76198
PP
944 else
945 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
059ec3d9 946
cf0c6164 947if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
059ec3d9
PH
948 return DEFER;
949
17c76198
PP
950/* tls_privatekey is optional, defaulting to same file as certificate */
951
952if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
059ec3d9 953 {
17c76198
PP
954 state->tls_privatekey = state->tls_certificate;
955 state->exp_tls_privatekey = state->exp_tls_certificate;
059ec3d9 956 }
c91535f3 957
059ec3d9 958
17c76198 959if (state->exp_tls_certificate && *state->exp_tls_certificate)
059ec3d9
PH
960 {
961 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
17c76198
PP
962 state->exp_tls_certificate, state->exp_tls_privatekey);
963
964 if (state->received_sni)
23bb6982
JH
965 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
966 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
967 )
17c76198 968 {
b34fc30c 969 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
17c76198
PP
970 }
971 else
972 {
b34fc30c 973 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
17c76198 974 }
059ec3d9 975
ba86e143
JH
976 if (!host) /* server */
977 {
978 const uschar * clist = state->exp_tls_certificate;
979 const uschar * klist = state->exp_tls_privatekey;
47195144
JH
980 const uschar * olist;
981 int csep = 0, ksep = 0, osep = 0, cnt = 0;
982 uschar * cfile, * kfile, * ofile;
983
984#ifndef DISABLE_OCSP
985 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
986 return DEFER;
987 olist = ofile;
988#endif
ba86e143
JH
989
990 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
47195144 991
ba86e143
JH
992 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
993 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
47195144 994 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
ba86e143
JH
995 return rc;
996 else
47195144
JH
997 {
998 int gnutls_cert_index = -rc;
ba86e143 999 DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile);
47195144
JH
1000
1001 /* Set the OCSP stapling server info */
1002
1003#ifndef DISABLE_OCSP
1004 if (tls_ocsp_file)
1005 if (gnutls_buggy_ocsp)
1006 {
1007 DEBUG(D_tls)
1008 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1009 }
1010 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1011 {
1012 /* Use the full callback method for stapling just to get
1013 observability. More efficient would be to read the file once only,
1014 if it never changed (due to SNI). Would need restart on file update,
1015 or watch datestamp. */
1016
1017# ifdef SUPPORT_SRV_OCSP_STACK
452a164f
JH
1018 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1019 state->x509_cred, gnutls_cert_index,
1020 server_ocsp_stapling_cb, ofile)))
1021 return tls_error_gnu(
1022 US"gnutls_certificate_set_ocsp_status_request_function2",
1023 rc, host, errstr);
47195144
JH
1024# else
1025 if (cnt++ > 0)
1026 {
1027 DEBUG(D_tls)
1028 debug_printf("oops; multiple OCSP files not supported\n");
1029 break;
1030 }
1031 gnutls_certificate_set_ocsp_status_request_function(
1032 state->x509_cred, server_ocsp_stapling_cb, ofile);
1033# endif
1034
1035 DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile);
1036 }
1037 else
1038 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
1039#endif
1040 }
ba86e143
JH
1041 }
1042 else
1043 {
47195144 1044 if (0 < (rc = tls_add_certfile(state, host,
ba86e143
JH
1045 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1046 return rc;
1047 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1048 }
1049
b34fc30c 1050 } /* tls_certificate */
059ec3d9 1051
2b4a568d 1052
059ec3d9
PH
1053/* Set the trusted CAs file if one is provided, and then add the CRL if one is
1054provided. Experiment shows that, if the certificate file is empty, an unhelpful
1055error message is provided. However, if we just refrain from setting anything up
1056in that case, certificate verification fails, which seems to be the correct
1057behaviour. */
1058
610ff438 1059if (state->tls_verify_certificates && *state->tls_verify_certificates)
059ec3d9 1060 {
cf0c6164 1061 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
059ec3d9 1062 return DEFER;
610ff438
JH
1063#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1064 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1065 state->exp_tls_verify_certificates = NULL;
1066#endif
17c76198 1067 if (state->tls_crl && *state->tls_crl)
cf0c6164 1068 if (!expand_check_tlsvar(tls_crl, errstr))
17c76198 1069 return DEFER;
059ec3d9 1070
1365611d
PP
1071 if (!(state->exp_tls_verify_certificates &&
1072 *state->exp_tls_verify_certificates))
b34fc30c
PP
1073 {
1074 DEBUG(D_tls)
1365611d
PP
1075 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1076 /* With no tls_verify_certificates, we ignore tls_crl too */
17c76198 1077 return OK;
b34fc30c 1078 }
1365611d 1079 }
83e2f8a2
PP
1080else
1081 {
1082 DEBUG(D_tls)
1083 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1084 return OK;
1085 }
17c76198 1086
cb1d7830
JH
1087#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1088if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1089 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1090else
1091#endif
1365611d 1092 {
cb1d7830
JH
1093 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1094 {
1095 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
1096 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1097 strerror(errno));
1098 return DEFER;
1099 }
17c76198 1100
a7fec7a7 1101#ifndef SUPPORT_CA_DIR
cb1d7830
JH
1102 /* The test suite passes in /dev/null; we could check for that path explicitly,
1103 but who knows if someone has some weird FIFO which always dumps some certs, or
1104 other weirdness. The thing we really want to check is that it's not a
1105 directory, since while OpenSSL supports that, GnuTLS does not.
60f914bc 1106 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
cb1d7830
JH
1107 if (S_ISDIR(statbuf.st_mode))
1108 {
1109 DEBUG(D_tls)
1110 debug_printf("verify certificates path is a dir: \"%s\"\n",
1111 state->exp_tls_verify_certificates);
1112 log_write(0, LOG_MAIN|LOG_PANIC,
1113 "tls_verify_certificates \"%s\" is a directory",
1114 state->exp_tls_verify_certificates);
1115 return DEFER;
1116 }
a7fec7a7 1117#endif
059ec3d9 1118
cb1d7830
JH
1119 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1120 state->exp_tls_verify_certificates, statbuf.st_size);
059ec3d9 1121
cb1d7830
JH
1122 if (statbuf.st_size == 0)
1123 {
1124 DEBUG(D_tls)
1125 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1126 return OK;
1127 }
059ec3d9 1128
cb1d7830 1129 cert_count =
a7fec7a7
JH
1130
1131#ifdef SUPPORT_CA_DIR
cb1d7830
JH
1132 (statbuf.st_mode & S_IFMT) == S_IFDIR
1133 ?
1134 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1135 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1136 :
a7fec7a7 1137#endif
cb1d7830
JH
1138 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1139 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
1140 }
a7fec7a7 1141
1365611d 1142if (cert_count < 0)
452a164f
JH
1143 return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
1144DEBUG(D_tls)
1145 debug_printf("Added %d certificate authorities.\n", cert_count);
059ec3d9 1146
5c8cda3a
PP
1147if (state->tls_crl && *state->tls_crl &&
1148 state->exp_tls_crl && *state->exp_tls_crl)
1365611d 1149 {
5c8cda3a 1150 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
452a164f
JH
1151 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1152 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
1153 return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
1154 cert_count, host, errstr);
1155
5c8cda3a 1156 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1365611d 1157 }
059ec3d9 1158
059ec3d9
PH
1159return OK;
1160}
1161
1162
1163
1164
1165/*************************************************
1365611d
PP
1166* Set X.509 state variables *
1167*************************************************/
1168
1169/* In GnuTLS, the registered cert/key are not replaced by a later
1170set of a cert/key, so for SNI support we need a whole new x509_cred
1171structure. Which means various other non-re-expanded pieces of state
1172need to be re-set in the new struct, so the setting logic is pulled
1173out to this.
1174
1175Arguments:
1176 state exim_gnutls_state_st *
cf0c6164 1177 errstr error string pointer
1365611d
PP
1178
1179Returns: OK/DEFER/FAIL
1180*/
1181
1182static int
cf0c6164 1183tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1365611d
PP
1184{
1185int rc;
1186const host_item *host = state->host; /* macro should be reconsidered? */
1187
1188/* Create D-H parameters, or read them from the cache file. This function does
1189its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1190client-side params. */
1191
1192if (!state->host)
1193 {
1194 if (!dh_server_params)
452a164f 1195 if ((rc = init_server_dh(errstr)) != OK) return rc;
1365611d
PP
1196 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1197 }
1198
1199/* Link the credentials to the session. */
1200
452a164f
JH
1201if ((rc = gnutls_credentials_set(state->session,
1202 GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
1203 return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
1365611d
PP
1204
1205return OK;
1206}
1207
1208/*************************************************
17c76198 1209* Initialize for GnuTLS *
059ec3d9
PH
1210*************************************************/
1211
9196d5bf 1212
4fb7df6d
JH
1213#ifndef DISABLE_OCSP
1214
9196d5bf
JH
1215static BOOL
1216tls_is_buggy_ocsp(void)
1217{
1218const uschar * s;
1219uschar maj, mid, mic;
1220
1221s = CUS gnutls_check_version(NULL);
1222maj = atoi(CCS s);
1223if (maj == 3)
1224 {
1225 while (*s && *s != '.') s++;
1226 mid = atoi(CCS ++s);
1227 if (mid <= 2)
1228 return TRUE;
1229 else if (mid >= 5)
1230 return FALSE;
1231 else
1232 {
1233 while (*s && *s != '.') s++;
1234 mic = atoi(CCS ++s);
1235 return mic <= (mid == 3 ? 16 : 3);
1236 }
1237 }
1238return FALSE;
1239}
1240
4fb7df6d 1241#endif
9196d5bf
JH
1242
1243
17c76198
PP
1244/* Called from both server and client code. In the case of a server, errors
1245before actual TLS negotiation return DEFER.
059ec3d9
PH
1246
1247Arguments:
17c76198
PP
1248 host connected host, if client; NULL if server
1249 certificate certificate file
1250 privatekey private key file
1251 sni TLS SNI to send, sometimes when client; else NULL
1252 cas CA certs file
1253 crl CRL file
1254 require_ciphers tls_require_ciphers setting
817d9f57 1255 caller_state returned state-info structure
cf0c6164 1256 errstr error string pointer
059ec3d9 1257
17c76198 1258Returns: OK/DEFER/FAIL
059ec3d9
PH
1259*/
1260
17c76198
PP
1261static int
1262tls_init(
1263 const host_item *host,
1264 const uschar *certificate,
1265 const uschar *privatekey,
1266 const uschar *sni,
1267 const uschar *cas,
1268 const uschar *crl,
1269 const uschar *require_ciphers,
cf0c6164 1270 exim_gnutls_state_st **caller_state,
74f1a423 1271 tls_support * tlsp,
cf0c6164 1272 uschar ** errstr)
059ec3d9 1273{
00c0dd4e 1274exim_gnutls_state_st * state;
17c76198
PP
1275int rc;
1276size_t sz;
00c0dd4e
JH
1277const char * errpos;
1278const uschar * p;
17c76198
PP
1279
1280if (!exim_gnutls_base_init_done)
059ec3d9 1281 {
17c76198
PP
1282 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1283
a5f239e4
PP
1284#ifdef HAVE_GNUTLS_PKCS11
1285 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1286 which loads modules from a config file, which sounds good and may be wanted
1287 by some sysadmin, but also means in common configurations that GNOME keyring
1288 environment variables are used and so breaks for users calling mailq.
1289 To prevent this, we init PKCS11 first, which is the documented approach. */
2519e60d 1290 if (!gnutls_allow_auto_pkcs11)
452a164f
JH
1291 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
1292 return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
a5f239e4
PP
1293#endif
1294
452a164f
JH
1295 if ((rc = gnutls_global_init()))
1296 return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
17c76198
PP
1297
1298#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1299 DEBUG(D_tls)
059ec3d9 1300 {
17c76198 1301 gnutls_global_set_log_function(exim_gnutls_logger_cb);
aded2255 1302 /* arbitrarily chosen level; bump up to 9 for more */
17c76198 1303 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
059ec3d9 1304 }
17c76198
PP
1305#endif
1306
4fb7df6d
JH
1307#ifndef DISABLE_OCSP
1308 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
9196d5bf 1309 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
4fb7df6d 1310#endif
9196d5bf 1311
17c76198 1312 exim_gnutls_base_init_done = TRUE;
059ec3d9 1313 }
059ec3d9 1314
17c76198
PP
1315if (host)
1316 {
74f1a423
JH
1317 /* For client-side sessions we allocate a context. This lets us run
1318 several in parallel. */
1319 int old_pool = store_pool;
1320 store_pool = POOL_PERM;
1321 state = store_get(sizeof(exim_gnutls_state_st));
1322 store_pool = old_pool;
1323
17c76198 1324 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1325 state->tlsp = tlsp;
17c76198
PP
1326 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1327 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1328 }
1329else
1330 {
1331 state = &state_server;
1332 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
74f1a423 1333 state->tlsp = tlsp;
17c76198
PP
1334 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1335 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1336 }
452a164f
JH
1337if (rc)
1338 return tls_error_gnu(US"gnutls_init", rc, host, errstr);
059ec3d9 1339
17c76198 1340state->host = host;
059ec3d9 1341
17c76198
PP
1342state->tls_certificate = certificate;
1343state->tls_privatekey = privatekey;
5779e6aa 1344state->tls_require_ciphers = require_ciphers;
17c76198
PP
1345state->tls_sni = sni;
1346state->tls_verify_certificates = cas;
1347state->tls_crl = crl;
059ec3d9 1348
17c76198
PP
1349/* This handles the variables that might get re-expanded after TLS SNI;
1350that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
059ec3d9 1351
17c76198
PP
1352DEBUG(D_tls)
1353 debug_printf("Expanding various TLS configuration options for session credentials.\n");
cf0c6164 1354if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
059ec3d9 1355
1365611d
PP
1356/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1357requires a new structure afterwards. */
83da1223 1358
cf0c6164 1359if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
83da1223 1360
17c76198
PP
1361/* set SNI in client, only */
1362if (host)
1363 {
cf0c6164 1364 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
17c76198 1365 return DEFER;
0df4ab80 1366 if (state->tlsp->sni && *state->tlsp->sni)
17c76198
PP
1367 {
1368 DEBUG(D_tls)
0df4ab80
JH
1369 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1370 sz = Ustrlen(state->tlsp->sni);
452a164f
JH
1371 if ((rc = gnutls_server_name_set(state->session,
1372 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
1373 return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
17c76198
PP
1374 }
1375 }
1376else if (state->tls_sni)
1377 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
ba86e143 1378 "have an SNI set for a server [%s]\n", state->tls_sni);
83da1223 1379
17c76198 1380/* This is the priority string support,
42bfef1e 1381http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP
1382and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1383This was backwards incompatible, but means Exim no longer needs to track
1384all algorithms and provide string forms for them. */
83da1223 1385
fc243e94 1386p = NULL;
17c76198 1387if (state->tls_require_ciphers && *state->tls_require_ciphers)
83da1223 1388 {
cf0c6164 1389 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
17c76198
PP
1390 return DEFER;
1391 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
83da1223 1392 {
17c76198 1393 p = state->exp_tls_require_ciphers;
fc243e94 1394 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
83da1223
PH
1395 }
1396 }
fc243e94 1397if (!p)
17c76198 1398 {
fc243e94 1399 p = exim_default_gnutls_priority;
83e2f8a2 1400 DEBUG(D_tls)
fc243e94 1401 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
17c76198 1402 }
83da1223 1403
452a164f
JH
1404if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
1405 return tls_error_gnu(string_sprintf(
1406 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1407 p, errpos - CS p, errpos),
1408 rc, host, errstr);
17c76198 1409
452a164f
JH
1410if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
1411 return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
17c76198 1412
b10c87b3
JH
1413/* This also sets the server ticket expiration time to the same, and
1414the STEK rotation time to 3x. */
1415
17c76198
PP
1416gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1417
1418/* Reduce security in favour of increased compatibility, if the admin
1419decides to make that trade-off. */
1420if (gnutls_compat_mode)
83da1223 1421 {
17c76198
PP
1422#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1423 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1424 gnutls_session_enable_compatibility_mode(state->session);
1425#else
1426 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1427#endif
83da1223
PH
1428 }
1429
17c76198 1430*caller_state = state;
17c76198 1431return OK;
83da1223
PH
1432}
1433
1434
1435
83da1223 1436/*************************************************
17c76198 1437* Extract peer information *
059ec3d9
PH
1438*************************************************/
1439
f1be21cf
JH
1440static const uschar *
1441cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
1442 gnutls_mac_algorithm_t mac)
1443{
1444uschar cs_id[2];
1445gnutls_kx_algorithm_t kx_i;
1446gnutls_cipher_algorithm_t cipher_i;
1447gnutls_mac_algorithm_t mac_i;
1448
1449for (size_t i = 0;
1450 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
1451 i++)
1452 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
1453 return cipher_stdname(cs_id[0], cs_id[1]);
1454return NULL;
1455}
1456
1457
1458
17c76198 1459/* Called from both server and client code.
4fe99a6c
PP
1460Only this is allowed to set state->peerdn and state->have_set_peerdn
1461and we use that to detect double-calls.
059ec3d9 1462
75fe387d
PP
1463NOTE: the state blocks last while the TLS connection is up, which is fine
1464for logging in the server side, but for the client side, we log after teardown
1465in src/deliver.c. While the session is up, we can twist about states and
1466repoint tls_* globals, but those variables used for logging or other variable
1467expansion that happens _after_ delivery need to have a longer life-time.
1468
1469So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1470doing this more than once per generation of a state context. We set them in
1471the state context, and repoint tls_* to them. After the state goes away, the
1472tls_* copies of the pointers remain valid and client delivery logging is happy.
1473
1474tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1475don't apply.
1476
059ec3d9 1477Arguments:
17c76198 1478 state exim_gnutls_state_st *
cf0c6164 1479 errstr pointer to error string
059ec3d9 1480
17c76198 1481Returns: OK/DEFER/FAIL
059ec3d9
PH
1482*/
1483
17c76198 1484static int
b10c87b3 1485peer_status(exim_gnutls_state_st * state, uschar ** errstr)
059ec3d9 1486{
b10c87b3
JH
1487gnutls_session_t session = state->session;
1488const gnutls_datum_t * cert_list;
75fe387d 1489int old_pool, rc;
17c76198 1490unsigned int cert_list_size = 0;
4fe99a6c
PP
1491gnutls_protocol_t protocol;
1492gnutls_cipher_algorithm_t cipher;
1493gnutls_kx_algorithm_t kx;
1494gnutls_mac_algorithm_t mac;
17c76198
PP
1495gnutls_certificate_type_t ct;
1496gnutls_x509_crt_t crt;
b10c87b3 1497uschar * dn_buf;
17c76198 1498size_t sz;
059ec3d9 1499
4fe99a6c 1500if (state->have_set_peerdn)
17c76198 1501 return OK;
4fe99a6c 1502state->have_set_peerdn = TRUE;
059ec3d9 1503
4fe99a6c 1504state->peerdn = NULL;
059ec3d9 1505
4fe99a6c 1506/* tls_cipher */
b10c87b3
JH
1507cipher = gnutls_cipher_get(session);
1508protocol = gnutls_protocol_get_version(session);
1509mac = gnutls_mac_get(session);
b9c6f63c
JH
1510kx =
1511#ifdef GNUTLS_TLS1_3
1512 protocol >= GNUTLS_TLS1_3 ? 0 :
1513#endif
b10c87b3 1514 gnutls_kx_get(session);
4fe99a6c 1515
75fe387d 1516old_pool = store_pool;
f1be21cf 1517 {
b10c87b3 1518 tls_support * tlsp = state->tlsp;
f1be21cf 1519 store_pool = POOL_PERM;
d9acfc1c
JH
1520
1521#ifdef SUPPORT_GNUTLS_SESS_DESC
1522 {
1523 gstring * g = NULL;
b10c87b3 1524 uschar * s = US gnutls_session_get_desc(session), c;
d9acfc1c
JH
1525
1526 /* Nikos M suggests we use this by preference. It returns like:
1527 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
1528
1529 For partial back-compat, put a colon after the TLS version, replace the
1530 )-( grouping with __, replace in-group - with _ and append the :keysize. */
1531
1532 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
1533
1534 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
1535 g = string_catn(g, US":", 1);
1536 if (*s) s++; /* now on _ between groups */
1537 while ((c = *s))
1538 {
1539 for (*++s && ++s; (c = *s) && c != ')'; s++) g = string_catn(g, c == '-' ? US"_" : s, 1);
1540 /* now on ) closing group */
1541 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
1542 /* now on _ between groups */
1543 }
1544 g = string_catn(g, US":", 1);
1545 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
1546 state->ciphersuite = string_from_gstring(g);
1547 }
1548#else
f1be21cf
JH
1549 state->ciphersuite = string_sprintf("%s:%s:%d",
1550 gnutls_protocol_get_name(protocol),
1551 gnutls_cipher_suite_get_name(kx, cipher, mac),
1552 (int) gnutls_cipher_get_key_size(cipher) * 8);
1553
1554 /* I don't see a way that spaces could occur, in the current GnuTLS
1555 code base, but it was a concern in the old code and perhaps older GnuTLS
1556 releases did return "TLS 1.0"; play it safe, just in case. */
1557
1558 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
d9acfc1c
JH
1559#endif
1560
1561/* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
1562
b10c87b3
JH
1563 tlsp->cipher = state->ciphersuite;
1564 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
f1be21cf 1565
b10c87b3 1566 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
f1be21cf 1567 }
75fe387d 1568store_pool = old_pool;
4fe99a6c
PP
1569
1570/* tls_peerdn */
b10c87b3 1571cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
83da1223 1572
f1be21cf 1573if (!cert_list || cert_list_size == 0)
17c76198 1574 {
17c76198
PP
1575 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1576 cert_list, cert_list_size);
e51c7be2 1577 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1578 return tls_error(US"certificate verification failed",
48224640 1579 US"no certificate received from peer", state->host, errstr);
17c76198
PP
1580 return OK;
1581 }
059ec3d9 1582
b10c87b3 1583if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
059ec3d9 1584 {
95f52235 1585 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
17c76198
PP
1586 DEBUG(D_tls)
1587 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
e51c7be2 1588 if (state->verify_requirement >= VERIFY_REQUIRED)
17c76198 1589 return tls_error(US"certificate verification not possible, unhandled type",
cf0c6164 1590 ctn, state->host, errstr);
17c76198 1591 return OK;
83da1223 1592 }
059ec3d9 1593
e51c7be2
JH
1594#define exim_gnutls_peer_err(Label) \
1595 do { \
1596 if (rc != GNUTLS_E_SUCCESS) \
1597 { \
1598 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1599 (Label), gnutls_strerror(rc)); \
1600 if (state->verify_requirement >= VERIFY_REQUIRED) \
452a164f 1601 return tls_error_gnu((Label), rc, state->host, errstr); \
e51c7be2
JH
1602 return OK; \
1603 } \
1604 } while (0)
17c76198 1605
9d1c15ef
JH
1606rc = import_cert(&cert_list[0], &crt);
1607exim_gnutls_peer_err(US"cert 0");
1608
1609state->tlsp->peercert = state->peercert = crt;
17c76198 1610
17c76198
PP
1611sz = 0;
1612rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1613if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
83da1223 1614 {
17c76198
PP
1615 exim_gnutls_peer_err(US"getting size for cert DN failed");
1616 return FAIL; /* should not happen */
059ec3d9 1617 }
17c76198
PP
1618dn_buf = store_get_perm(sz);
1619rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1620exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
9d1c15ef 1621
17c76198
PP
1622state->peerdn = dn_buf;
1623
1624return OK;
1625#undef exim_gnutls_peer_err
1626}
059ec3d9 1627
059ec3d9 1628
059ec3d9 1629
059ec3d9 1630
17c76198
PP
1631/*************************************************
1632* Verify peer certificate *
1633*************************************************/
059ec3d9 1634
17c76198
PP
1635/* Called from both server and client code.
1636*Should* be using a callback registered with
1637gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1638the peer information, but that's too new for some OSes.
059ec3d9 1639
17c76198 1640Arguments:
899b8bbc
JH
1641 state exim_gnutls_state_st *
1642 errstr where to put an error message
059ec3d9 1643
17c76198
PP
1644Returns:
1645 FALSE if the session should be rejected
1646 TRUE if the cert is okay or we just don't care
1647*/
059ec3d9 1648
17c76198 1649static BOOL
28646fa9 1650verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
17c76198
PP
1651{
1652int rc;
899b8bbc
JH
1653uint verify;
1654
8008accd 1655DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
cf0c6164 1656*errstr = NULL;
b10c87b3 1657rc = peer_status(state, errstr);
17c76198 1658
b10c87b3
JH
1659if (state->verify_requirement == VERIFY_NONE)
1660 return TRUE;
1661
1662if (rc != OK || !state->peerdn)
e6060e2c 1663 {
17c76198 1664 verify = GNUTLS_CERT_INVALID;
cf0c6164 1665 *errstr = US"certificate not supplied";
17c76198
PP
1666 }
1667else
899b8bbc
JH
1668
1669 {
1670#ifdef SUPPORT_DANE
1671 if (state->verify_requirement == VERIFY_DANE && state->host)
1672 {
1673 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1674 including talking to a DNS resolver. But we want to do that bit ourselves
1675 as the testsuite intercepts and fakes its own DNS environment. */
1676
1677 dane_state_t s;
1678 dane_query_t r;
899b8bbc 1679 uint lsize;
94c13285
JH
1680 const gnutls_datum_t * certlist =
1681 gnutls_certificate_get_peers(state->session, &lsize);
1682 int usage = tls_out.tlsa_usage;
1683
1684# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1685 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1686 dane-verification separately so that we know which selector verified;
570cb1bd 1687 then we know whether to do name-verification (needed for TA but not EE). */
94c13285
JH
1688
1689 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
bd5b3f3c 1690 { /* a mixed-usage bundle */
94c13285
JH
1691 int i, j, nrec;
1692 const char ** dd;
1693 int * ddl;
1694
1695 for(nrec = 0; state->dane_data_len[nrec]; ) nrec++;
1696 nrec++;
1697
1698 dd = store_get(nrec * sizeof(uschar *));
1699 ddl = store_get(nrec * sizeof(int));
1700 nrec--;
1701
1702 if ((rc = dane_state_init(&s, 0)))
1703 goto tlsa_prob;
1704
1705 for (usage = DANESSL_USAGE_DANE_EE;
1706 usage >= DANESSL_USAGE_DANE_TA; usage--)
1707 { /* take records with this usage */
1708 for (j = i = 0; i < nrec; i++)
1709 if (state->dane_data[i][0] == usage)
1710 {
1711 dd[j] = state->dane_data[i];
1712 ddl[j++] = state->dane_data_len[i];
1713 }
1714 if (j)
1715 {
1716 dd[j] = NULL;
1717 ddl[j] = 0;
1718
1719 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1720 goto tlsa_prob;
1721
1722 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1723 gnutls_certificate_type_get(state->session),
1724 r, 0,
1725 usage == DANESSL_USAGE_DANE_EE
1726 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1727 &verify)))
1728 {
1729 DEBUG(D_tls)
1730 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1731 }
1732 else if (verify == 0) /* verification passed */
1733 {
1734 usage = 1 << usage;
1735 break;
1736 }
1737 }
1738 }
899b8bbc 1739
94c13285
JH
1740 if (rc) goto tlsa_prob;
1741 }
1742 else
1743# endif
899b8bbc 1744 {
94c13285
JH
1745 if ( (rc = dane_state_init(&s, 0))
1746 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
1747 1, 0))
1748 || (rc = dane_verify_crt_raw(s, certlist, lsize,
1749 gnutls_certificate_type_get(state->session),
5ec37a55 1750 r, 0,
94c13285
JH
1751# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1752 usage == (1 << DANESSL_USAGE_DANE_EE)
1753 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1754# else
1755 0,
1756# endif
1757 &verify))
1758 )
1759 goto tlsa_prob;
899b8bbc 1760 }
94c13285
JH
1761
1762 if (verify != 0) /* verification failed */
899b8bbc
JH
1763 {
1764 gnutls_datum_t str;
1765 (void) dane_verification_status_print(verify, &str, 0);
1766 *errstr = US str.data; /* don't bother to free */
1767 goto badcert;
1768 }
28646fa9 1769
94c13285
JH
1770# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1771 /* If a TA-mode TLSA record was used for verification we must additionally
570cb1bd 1772 verify the cert name (but not the CA chain). For EE-mode, skip it. */
28646fa9 1773
94c13285
JH
1774 if (usage & (1 << DANESSL_USAGE_DANE_EE))
1775# endif
28646fa9 1776 {
570cb1bd 1777 state->peer_dane_verified = state->peer_cert_verified = TRUE;
28646fa9
JH
1778 goto goodcert;
1779 }
570cb1bd
JH
1780# ifdef GNUTLS_BROKEN_DANE_VALIDATION
1781 /* Assume that the name on the A-record is the one that should be matching
1782 the cert. An alternate view is that the domain part of the email address
1783 is also permissible. */
1784
1785 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
1786 CS state->host->name))
1787 {
1788 state->peer_dane_verified = state->peer_cert_verified = TRUE;
1789 goto goodcert;
1790 }
1791# endif
899b8bbc 1792 }
570cb1bd 1793#endif /*SUPPORT_DANE*/
899b8bbc 1794
17c76198 1795 rc = gnutls_certificate_verify_peers2(state->session, &verify);
899b8bbc 1796 }
e6060e2c 1797
899b8bbc 1798/* Handle the result of verification. INVALID is set if any others are. */
059ec3d9 1799
28646fa9 1800if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
17c76198
PP
1801 {
1802 state->peer_cert_verified = FALSE;
cf0c6164 1803 if (!*errstr)
184384c3
JH
1804 {
1805#ifdef GNUTLS_CERT_VFY_STATUS_PRINT
1806 DEBUG(D_tls)
1807 {
1808 gnutls_datum_t txt;
1809
1810 if (gnutls_certificate_verification_status_print(verify,
1811 gnutls_certificate_type_get(state->session), &txt, 0)
1812 == GNUTLS_E_SUCCESS)
1813 {
1814 debug_printf("%s\n", txt.data);
1815 gnutls_free(txt.data);
1816 }
1817 }
1818#endif
cf0c6164
JH
1819 *errstr = verify & GNUTLS_CERT_REVOKED
1820 ? US"certificate revoked" : US"certificate invalid";
184384c3 1821 }
059ec3d9 1822
17c76198 1823 DEBUG(D_tls)
e51c7be2 1824 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
cf0c6164 1825 *errstr, state->peerdn ? state->peerdn : US"<unset>");
059ec3d9 1826
e51c7be2 1827 if (state->verify_requirement >= VERIFY_REQUIRED)
899b8bbc 1828 goto badcert;
17c76198 1829 DEBUG(D_tls)
4789da3a 1830 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
17c76198 1831 }
e51c7be2 1832
17c76198
PP
1833else
1834 {
5fd28bb8
JH
1835 /* Client side, check the server's certificate name versus the name on the
1836 A-record for the connection we made. What to do for server side - what name
1837 to use for client? We document that there is no such checking for server
1838 side. */
1839
1840 if ( state->exp_tls_verify_cert_hostnames
1841 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
1842 CS state->exp_tls_verify_cert_hostnames)
1843 )
e51c7be2 1844 {
5fd28bb8
JH
1845 DEBUG(D_tls)
1846 debug_printf("TLS certificate verification failed: cert name mismatch\n");
1847 if (state->verify_requirement >= VERIFY_REQUIRED)
1848 goto badcert;
1849 return TRUE;
e51c7be2 1850 }
5fd28bb8 1851
17c76198 1852 state->peer_cert_verified = TRUE;
e51c7be2 1853 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
4fe99a6c 1854 state->peerdn ? state->peerdn : US"<unset>");
17c76198 1855 }
059ec3d9 1856
28646fa9
JH
1857goodcert:
1858 state->tlsp->peerdn = state->peerdn;
1859 return TRUE;
899b8bbc 1860
b83314e3 1861#ifdef SUPPORT_DANE
94c13285 1862tlsa_prob:
624f33df
JH
1863 *errstr = string_sprintf("TLSA record problem: %s",
1864 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
b83314e3
JH
1865#endif
1866
899b8bbc
JH
1867badcert:
1868 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1869 return FALSE;
17c76198 1870}
059ec3d9 1871
17c76198
PP
1872
1873
1874
1875/* ------------------------------------------------------------------------ */
1876/* Callbacks */
1877
1878/* Logging function which can be registered with
1879 * gnutls_global_set_log_function()
1880 * gnutls_global_set_log_level() 0..9
1881 */
af3498d6 1882#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
059ec3d9 1883static void
17c76198 1884exim_gnutls_logger_cb(int level, const char *message)
059ec3d9 1885{
8c79eebf
PP
1886 size_t len = strlen(message);
1887 if (len < 1)
1888 {
1889 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1890 return;
1891 }
1892 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1893 message[len-1] == '\n' ? "" : "\n");
17c76198 1894}
af3498d6 1895#endif
059ec3d9 1896
059ec3d9 1897
17c76198
PP
1898/* Called after client hello, should handle SNI work.
1899This will always set tls_sni (state->received_sni) if available,
1900and may trigger presenting different certificates,
1901if state->trigger_sni_changes is TRUE.
059ec3d9 1902
17c76198
PP
1903Should be registered with
1904 gnutls_handshake_set_post_client_hello_function()
059ec3d9 1905
17c76198
PP
1906"This callback must return 0 on success or a gnutls error code to terminate the
1907handshake.".
059ec3d9 1908
17c76198
PP
1909For inability to get SNI information, we return 0.
1910We only return non-zero if re-setup failed.
817d9f57 1911Only used for server-side TLS.
17c76198 1912*/
44bbabb5 1913
17c76198
PP
1914static int
1915exim_sni_handling_cb(gnutls_session_t session)
1916{
1917char sni_name[MAX_HOST_LEN];
1918size_t data_len = MAX_HOST_LEN;
817d9f57 1919exim_gnutls_state_st *state = &state_server;
17c76198
PP
1920unsigned int sni_type;
1921int rc, old_pool;
cf0c6164 1922uschar * dummy_errstr;
17c76198
PP
1923
1924rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
b34fc30c
PP
1925if (rc != GNUTLS_E_SUCCESS)
1926 {
1927 DEBUG(D_tls) {
1928 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1929 debug_printf("TLS: no SNI presented in handshake.\n");
1930 else
1931 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1932 gnutls_strerror(rc), rc);
cf0c6164 1933 }
b34fc30c
PP
1934 return 0;
1935 }
1936
17c76198
PP
1937if (sni_type != GNUTLS_NAME_DNS)
1938 {
1939 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1940 return 0;
1941 }
44bbabb5 1942
17c76198
PP
1943/* We now have a UTF-8 string in sni_name */
1944old_pool = store_pool;
1945store_pool = POOL_PERM;
1946state->received_sni = string_copyn(US sni_name, data_len);
1947store_pool = old_pool;
1948
1949/* We set this one now so that variable expansions below will work */
817d9f57 1950state->tlsp->sni = state->received_sni;
17c76198
PP
1951
1952DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1953 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1954
1955if (!state->trigger_sni_changes)
1956 return 0;
1957
cf0c6164 1958if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
17c76198
PP
1959 {
1960 /* If the setup of certs/etc failed before handshake, TLS would not have
1961 been offered. The best we can do now is abort. */
1962 return GNUTLS_E_APPLICATION_ERROR_MIN;
1963 }
1964
cf0c6164 1965rc = tls_set_remaining_x509(state, &dummy_errstr);
1365611d
PP
1966if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1967
1968return 0;
059ec3d9
PH
1969}
1970
1971
1972
f2de3a33 1973#ifndef DISABLE_OCSP
44662487
JH
1974
1975static int
1976server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1977 gnutls_datum_t * ocsp_response)
1978{
1979int ret;
47195144 1980DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
44662487 1981
44662487
JH
1982if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1983 {
1984 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
5903c6ff 1985 CS ptr);
018058b2 1986 tls_in.ocsp = OCSP_NOT_RESP;
44662487
JH
1987 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1988 }
1989
018058b2 1990tls_in.ocsp = OCSP_VFY_NOT_TRIED;
44662487
JH
1991return 0;
1992}
1993
1994#endif
1995
1996
0cbf2b82 1997#ifndef DISABLE_EVENT
a7538db1
JH
1998/*
1999We use this callback to get observability and detail-level control
723fe533
JH
2000for an exim TLS connection (either direction), raising a tls:cert event
2001for each cert in the chain presented by the peer. Any event
a7538db1
JH
2002can deny verification.
2003
2004Return 0 for the handshake to continue or non-zero to terminate.
2005*/
2006
2007static int
723fe533 2008verify_cb(gnutls_session_t session)
a7538db1 2009{
27f19eb4 2010const gnutls_datum_t * cert_list;
a7538db1
JH
2011unsigned int cert_list_size = 0;
2012gnutls_x509_crt_t crt;
2013int rc;
b30275b8 2014uschar * yield;
a7538db1
JH
2015exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2016
bd5b3f3c 2017if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
a7538db1
JH
2018 while (cert_list_size--)
2019 {
bd5b3f3c 2020 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
a7538db1
JH
2021 {
2022 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2023 cert_list_size, gnutls_strerror(rc));
2024 break;
2025 }
2026
2027 state->tlsp->peercert = crt;
b30275b8
JH
2028 if ((yield = event_raise(state->event_action,
2029 US"tls:cert", string_sprintf("%d", cert_list_size))))
a7538db1
JH
2030 {
2031 log_write(0, LOG_MAIN,
b30275b8
JH
2032 "SSL verify denied by event-action: depth=%d: %s",
2033 cert_list_size, yield);
a7538db1
JH
2034 return 1; /* reject */
2035 }
2036 state->tlsp->peercert = NULL;
2037 }
2038
2039return 0;
2040}
2041
2042#endif
44662487
JH
2043
2044
f20cfa4a
JH
2045static gstring *
2046ddump(gnutls_datum_t * d)
2047{
2048gstring * g = string_get((d->size+1) * 2);
2049uschar * s = d->data;
2050for (unsigned i = d->size; i > 0; i--, s++)
2051 {
2052 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2053 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2054 }
2055return g;
2056}
17c76198 2057
dc6d1769
JH
2058static void
2059post_handshake_debug(exim_gnutls_state_st * state)
2060{
dc6d1769
JH
2061#ifdef SUPPORT_GNUTLS_SESS_DESC
2062debug_printf("%s\n", gnutls_session_get_desc(state->session));
2063#endif
2064#ifdef SUPPORT_GNUTLS_KEYLOG
a8af957d 2065# ifdef GNUTLS_TLS1_3
dc6d1769 2066if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
a8af957d
JH
2067#else
2068if (TRUE)
2069#endif
dc6d1769
JH
2070 {
2071 gnutls_datum_t c, s;
2072 gstring * gc, * gs;
2073 /* we only want the client random and the master secret */
2074 gnutls_session_get_random(state->session, &c, &s);
2075 gnutls_session_get_master_secret(state->session, &s);
2076 gc = ddump(&c);
2077 gs = ddump(&s);
2078 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2079 }
2080else
2081 debug_printf("To get keying info for TLS1.3 is hard:\n"
2082 " set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n"
2083 " add SSLKEYLOGFILE to keep_environment in the exim config\n"
2084 " run exim as root\n"
2085 " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n");
2086#endif
2087}
2088
b10c87b3
JH
2089
2090#ifdef EXPERIMENTAL_TLS_RESUME
2091static int
2092tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2093 unsigned incoming, const gnutls_datum_t * msg)
2094{
2095DEBUG(D_tls) debug_printf("newticket cb\n");
2096tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2097return 0;
2098}
2099
2100static void
2101tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2102{
2103/* Should the server offer session resumption? */
2104tls_in.resumption = RESUME_SUPPORTED;
2105if (verify_check_host(&tls_resumption_hosts) == OK)
2106 {
2107 int rc;
2108 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2109 an offered resumption is unacceptable. We lose one resumption per ticket
2110 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2111 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2112 least they go out in a single packet. */
2113
2114 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2115 &server_sessticket_key)))
2116 tls_in.resumption |= RESUME_SERVER_TICKET;
2117 else
2118 DEBUG(D_tls)
2119 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2120
2121 /* Try to tell if we see a ticket request */
2122 gnutls_handshake_set_hook_function(state->session,
2123 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_server_ticket_cb);
2124 }
2125}
2126
2127static void
2128tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2129{
2130if (gnutls_session_resumption_requested(state->session))
2131 {
2132 /* This tells us the client sent a full ticket. We use a
2133 callback on session-ticket request, elsewhere, to tell
2134 if a client asked for a ticket. */
2135
2136 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2137 DEBUG(D_tls) debug_printf("client requested resumption\n");
2138 }
2139if (gnutls_session_is_resumed(state->session))
2140 {
2141 tls_in.resumption |= RESUME_USED;
2142 DEBUG(D_tls) debug_printf("Session resumed\n");
2143 }
2144}
2145#endif
17c76198
PP
2146/* ------------------------------------------------------------------------ */
2147/* Exported functions */
2148
2149
2150
2151
059ec3d9
PH
2152/*************************************************
2153* Start a TLS session in a server *
2154*************************************************/
2155
2156/* This is called when Exim is running as a server, after having received
2157the STARTTLS command. It must respond to that command, and then negotiate
2158a TLS session.
2159
2160Arguments:
83da1223 2161 require_ciphers list of allowed ciphers or NULL
cf0c6164 2162 errstr pointer to error string
059ec3d9
PH
2163
2164Returns: OK on success
2165 DEFER for errors before the start of the negotiation
4c04137d 2166 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
2167 continue running.
2168*/
2169
2170int
cf0c6164 2171tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
2172{
2173int rc;
cf0c6164 2174exim_gnutls_state_st * state = NULL;
059ec3d9
PH
2175
2176/* Check for previous activation */
74f1a423 2177if (tls_in.active.sock >= 0)
059ec3d9 2178 {
48224640 2179 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
925ac8e4 2180 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
2181 return FAIL;
2182 }
2183
2184/* Initialize the library. If it fails, it will already have logged the error
2185and sent an SMTP response. */
2186
17c76198 2187DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
059ec3d9 2188
cf0c6164 2189if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
17c76198 2190 NULL, tls_verify_certificates, tls_crl,
74f1a423 2191 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
059ec3d9 2192
b10c87b3
JH
2193#ifdef EXPERIMENTAL_TLS_RESUME
2194tls_server_resume_prehandshake(state);
2195#endif
2196
059ec3d9
PH
2197/* If this is a host for which certificate verification is mandatory or
2198optional, set up appropriately. */
2199
059ec3d9 2200if (verify_check_host(&tls_verify_hosts) == OK)
17c76198 2201 {
e51c7be2
JH
2202 DEBUG(D_tls)
2203 debug_printf("TLS: a client certificate will be required.\n");
17c76198
PP
2204 state->verify_requirement = VERIFY_REQUIRED;
2205 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2206 }
059ec3d9 2207else if (verify_check_host(&tls_try_verify_hosts) == OK)
17c76198 2208 {
e51c7be2
JH
2209 DEBUG(D_tls)
2210 debug_printf("TLS: a client certificate will be requested but not required.\n");
17c76198
PP
2211 state->verify_requirement = VERIFY_OPTIONAL;
2212 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2213 }
2214else
2215 {
e51c7be2
JH
2216 DEBUG(D_tls)
2217 debug_printf("TLS: a client certificate will not be requested.\n");
17c76198
PP
2218 state->verify_requirement = VERIFY_NONE;
2219 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2220 }
059ec3d9 2221
0cbf2b82 2222#ifndef DISABLE_EVENT
723fe533
JH
2223if (event_action)
2224 {
2225 state->event_action = event_action;
2226 gnutls_session_set_ptr(state->session, state);
2227 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2228 }
2229#endif
2230
17c76198
PP
2231/* Register SNI handling; always, even if not in tls_certificate, so that the
2232expansion variable $tls_sni is always available. */
059ec3d9 2233
17c76198
PP
2234gnutls_handshake_set_post_client_hello_function(state->session,
2235 exim_sni_handling_cb);
059ec3d9
PH
2236
2237/* Set context and tell client to go ahead, except in the case of TLS startup
2238on connection, where outputting anything now upsets the clients and tends to
2239make them disconnect. We need to have an explicit fflush() here, to force out
2240the response. Other smtp_printf() calls do not need it, because in non-TLS
2241mode, the fflush() happens when smtp_getc() is called. */
2242
817d9f57 2243if (!state->tlsp->on_connect)
059ec3d9 2244 {
925ac8e4 2245 smtp_printf("220 TLS go ahead\r\n", FALSE);
9d1c15ef 2246 fflush(smtp_out);
059ec3d9
PH
2247 }
2248
2249/* Now negotiate the TLS session. We put our own timer on it, since it seems
8008accd
JH
2250that the GnuTLS library doesn't.
2251From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2252to set (and clear down afterwards) up a pull-timeout callback function that does
2253a select, so we're no better off unless avoiding signals becomes an issue. */
059ec3d9 2254
17c76198 2255gnutls_transport_set_ptr2(state->session,
27f19eb4
JH
2256 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2257 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
17c76198
PP
2258state->fd_in = fileno(smtp_in);
2259state->fd_out = fileno(smtp_out);
059ec3d9
PH
2260
2261sigalrm_seen = FALSE;
c2a1bba0 2262if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
17c76198 2263do
17c76198 2264 rc = gnutls_handshake(state->session);
157a7880 2265while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2266ALARM_CLR(0);
059ec3d9 2267
17c76198 2268if (rc != GNUTLS_E_SUCCESS)
059ec3d9 2269 {
059ec3d9
PH
2270 /* It seems that, except in the case of a timeout, we have to close the
2271 connection right here; otherwise if the other end is running OpenSSL it hangs
2272 until the server times out. */
2273
60d10ce7 2274 if (sigalrm_seen)
ad7fc6eb 2275 {
48224640 2276 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
ad7fc6eb
JH
2277 gnutls_db_remove_session(state->session);
2278 }
60d10ce7 2279 else
059ec3d9 2280 {
452a164f 2281 tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
f5d25c2b 2282 (void) gnutls_alert_send_appropriate(state->session, rc);
ad7fc6eb 2283 gnutls_deinit(state->session);
ed62aae3 2284 gnutls_certificate_free_credentials(state->x509_cred);
60d10ce7 2285 millisleep(500);
ad7fc6eb 2286 shutdown(state->fd_out, SHUT_WR);
d7978c0f 2287 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
f1e894f3
PH
2288 (void)fclose(smtp_out);
2289 (void)fclose(smtp_in);
60d10ce7 2290 smtp_out = smtp_in = NULL;
059ec3d9
PH
2291 }
2292
2293 return FAIL;
2294 }
2295
b10c87b3
JH
2296#ifdef EXPERIMENTAL_TLS_RESUME
2297tls_server_resume_posthandshake(state);
2298#endif
2299
dc6d1769 2300DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2301
17c76198
PP
2302/* Verify after the fact */
2303
899b8bbc 2304if (!verify_certificate(state, errstr))
059ec3d9 2305 {
9d1c15ef 2306 if (state->verify_requirement != VERIFY_OPTIONAL)
17c76198 2307 {
cf0c6164 2308 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
9d1c15ef 2309 return FAIL;
17c76198 2310 }
9d1c15ef
JH
2311 DEBUG(D_tls)
2312 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
cf0c6164 2313 *errstr);
059ec3d9
PH
2314 }
2315
17c76198
PP
2316/* Sets various Exim expansion variables; always safe within server */
2317
9d1c15ef 2318extract_exim_vars_from_tls_state(state);
059ec3d9
PH
2319
2320/* TLS has been set up. Adjust the input functions to read via TLS,
2321and initialize appropriately. */
2322
17c76198 2323state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9
PH
2324
2325receive_getc = tls_getc;
0d81dabc 2326receive_getbuf = tls_getbuf;
584e96c6 2327receive_get_cache = tls_get_cache;
059ec3d9
PH
2328receive_ungetc = tls_ungetc;
2329receive_feof = tls_feof;
2330receive_ferror = tls_ferror;
58eb016e 2331receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2332
059ec3d9
PH
2333return OK;
2334}
2335
2336
2337
2338
aa2a70ba
JH
2339static void
2340tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2341 smtp_transport_options_block * ob)
2342{
3fb3231c 2343if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
aa2a70ba 2344 {
4af0d74a 2345 state->exp_tls_verify_cert_hostnames =
8c5d388a 2346#ifdef SUPPORT_I18N
4af0d74a
JH
2347 string_domain_utf8_to_alabel(host->name, NULL);
2348#else
2349 host->name;
2350#endif
aa2a70ba
JH
2351 DEBUG(D_tls)
2352 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2353 state->exp_tls_verify_cert_hostnames);
2354 }
2355}
aa2a70ba
JH
2356
2357
899b8bbc
JH
2358
2359
2360#ifdef SUPPORT_DANE
2361/* Given our list of RRs from the TLSA lookup, build a lookup block in
2362GnuTLS-DANE's preferred format. Hang it on the state str for later
2363use in DANE verification.
2364
2365We point at the dnsa data not copy it, so it must remain valid until
2366after verification is done.*/
2367
3674140c 2368static BOOL
899b8bbc
JH
2369dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2370{
899b8bbc
JH
2371dns_scan dnss;
2372int i;
2373const char ** dane_data;
2374int * dane_data_len;
2375
d7978c0f
JH
2376i = 1;
2377for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc
JH
2378 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2379 ) if (rr->type == T_TLSA) i++;
2380
2381dane_data = store_get(i * sizeof(uschar *));
2382dane_data_len = store_get(i * sizeof(int));
2383
d7978c0f
JH
2384i = 0;
2385for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
899b8bbc 2386 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2387 ) if (rr->type == T_TLSA && rr->size > 3)
899b8bbc
JH
2388 {
2389 const uschar * p = rr->data;
3674140c
JH
2390 uint8_t usage = p[0], sel = p[1], type = p[2];
2391
2392 DEBUG(D_tls)
2393 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2394
94c13285
JH
2395 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2396 || (sel != 0 && sel != 1)
2397 )
2398 continue;
3674140c
JH
2399 switch(type)
2400 {
2401 case 0: /* Full: cannot check at present */
2402 break;
2403 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2404 break;
2405 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2406 break;
2407 default: continue;
2408 }
899b8bbc
JH
2409
2410 tls_out.tlsa_usage |= 1<<usage;
48224640 2411 dane_data[i] = CS p;
899b8bbc
JH
2412 dane_data_len[i++] = rr->size;
2413 }
3674140c
JH
2414
2415if (!i) return FALSE;
2416
899b8bbc
JH
2417dane_data[i] = NULL;
2418dane_data_len[i] = 0;
2419
2420state->dane_data = (char * const *)dane_data;
2421state->dane_data_len = dane_data_len;
3674140c 2422return TRUE;
899b8bbc
JH
2423}
2424#endif
2425
2426
2427
b10c87b3
JH
2428#ifdef EXPERIMENTAL_TLS_RESUME
2429/* On the client, get any stashed session for the given IP from hints db
2430and apply it to the ssl-connection for attempted resumption. Although
2431there is a gnutls_session_ticket_enable_client() interface it is
2432documented as unnecessary (as of 3.6.7) as "session tickets are emabled
2433by deafult". There seems to be no way to disable them, so even hosts not
2434enabled by the transport option will be sent a ticket request. We will
2435however avoid storing and retrieving session information. */
2436
2437static void
2438tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
2439 host_item * host, smtp_transport_options_block * ob)
2440{
2441tlsp->resumption = RESUME_SUPPORTED;
2442if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2443 {
2444 dbdata_tls_session * dt;
2445 int len, rc;
2446 open_db dbblock, * dbm_file;
2447
2448 DEBUG(D_tls)
2449 debug_printf("check for resumable session for %s\n", host->address);
2450 tlsp->host_resumable = TRUE;
2451 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2452 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2453 {
2454 /* key for the db is the IP */
2455 if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
2456 if (!(rc = gnutls_session_set_data(session,
2457 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
2458 {
2459 DEBUG(D_tls) debug_printf("good session\n");
2460 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2461 }
2462 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
2463 US gnutls_strerror(rc));
2464 dbfn_close(dbm_file);
2465 }
2466 }
2467}
2468
2469
2470static void
2471tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
2472{
2473/* TLS 1.2 - we get both the callback and the direct posthandshake call,
2474but this flag is not set until the second. TLS 1.3 it's the other way about.
2475Keep both calls as the session data cannot be extracted before handshake
2476completes. */
2477
fb34a7cb 2478#ifdef GNUTLS_SFLAGS_SESSION_TICKET
b10c87b3
JH
2479if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
2480 {
2481 gnutls_datum_t tkt;
2482 int rc;
2483
2484 DEBUG(D_tls) debug_printf("server offered session ticket\n");
2485 tlsp->ticket_received = TRUE;
2486 tlsp->resumption |= RESUME_SERVER_TICKET;
2487
2488 if (tlsp->host_resumable)
2489 if (!(rc = gnutls_session_get_data2(session, &tkt)))
2490 {
2491 open_db dbblock, * dbm_file;
2492 int dlen = sizeof(dbdata_tls_session) + tkt.size;
2493 dbdata_tls_session * dt = store_get(dlen);
2494
2495 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
2496 memcpy(dt->session, tkt.data, tkt.size);
2497 gnutls_free(tkt.data);
2498
2499 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2500 {
2501 /* key for the db is the IP */
2502 dbfn_delete(dbm_file, host->address);
2503 dbfn_write(dbm_file, host->address, dt, dlen);
2504 dbfn_close(dbm_file);
2505
2506 DEBUG(D_tls)
2507 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
2508 }
2509 }
2510 else DEBUG(D_tls)
2511 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
2512 }
fb34a7cb 2513#endif
b10c87b3
JH
2514}
2515
2516
2517/* With a TLS1.3 session, the ticket(s) are not seen until
2518the first data read is attempted. And there's often two of them.
2519Pick them up with this callback. We are also called for 1.2
2520but we do nothing.
2521*/
2522static int
2523tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2524 unsigned incoming, const gnutls_datum_t * msg)
2525{
2526exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
2527tls_support * tlsp = state->tlsp;
2528
2529DEBUG(D_tls) debug_printf("newticket cb\n");
2530
2531if (!tlsp->ticket_received)
2532 tls_save_session(tlsp, sess, state->host);
2533return 0;
2534}
2535
2536
2537static void
2538tls_client_resume_prehandshake(exim_gnutls_state_st * state,
2539 tls_support * tlsp, host_item * host,
2540 smtp_transport_options_block * ob)
2541{
2542gnutls_session_set_ptr(state->session, state);
2543gnutls_handshake_set_hook_function(state->session,
2544 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
2545
2546tls_retrieve_session(tlsp, state->session, host, ob);
2547}
2548
2549static void
2550tls_client_resume_posthandshake(exim_gnutls_state_st * state,
2551 tls_support * tlsp, host_item * host)
2552{
2553if (gnutls_session_is_resumed(state->session))
2554 {
2555 DEBUG(D_tls) debug_printf("Session resumed\n");
2556 tlsp->resumption |= RESUME_USED;
2557 }
2558
2559tls_save_session(tlsp, state->session, host);
2560}
2561#endif /* EXPERIMENTAL_TLS_RESUME */
2562
2563
059ec3d9
PH
2564/*************************************************
2565* Start a TLS session in a client *
2566*************************************************/
2567
2568/* Called from the smtp transport after STARTTLS has been accepted.
2569
2570Arguments:
c05bdbd6
JH
2571 cctx connection context
2572 conn_args connection details
2573 cookie datum for randomness (not used)
2574 tlsp record details of channel configuration here; must be non-NULL
2575 errstr error string pointer
2576
2577Returns: TRUE for success with TLS session context set in smtp context,
2578 FALSE on error
059ec3d9
PH
2579*/
2580
c05bdbd6
JH
2581BOOL
2582tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2583 void * cookie ARG_UNUSED,
2584 tls_support * tlsp, uschar ** errstr)
059ec3d9 2585{
c05bdbd6
JH
2586host_item * host = conn_args->host; /* for msgs and option-tests */
2587transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2588smtp_transport_options_block * ob = tb
afdb5e9c
JH
2589 ? (smtp_transport_options_block *)tb->options_block
2590 : &smtp_transport_option_defaults;
059ec3d9 2591int rc;
899b8bbc 2592exim_gnutls_state_st * state = NULL;
c05bdbd6 2593uschar * cipher_list = NULL;
74f1a423 2594
f2de3a33 2595#ifndef DISABLE_OCSP
5130845b 2596BOOL require_ocsp =
3fb3231c 2597 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
44662487 2598BOOL request_ocsp = require_ocsp ? TRUE
3fb3231c 2599 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2b4a568d 2600#endif
059ec3d9 2601
c05bdbd6 2602DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
059ec3d9 2603
5ec37a55 2604#ifdef SUPPORT_DANE
c05bdbd6
JH
2605/* If dane is flagged, have either request or require dane for this host, and
2606a TLSA record found. Therefore, dane verify required. Which implies cert must
2607be requested and supplied, dane verify must pass, and cert verify irrelevant
2608(incl. hostnames), and (caller handled) require_tls */
2609
2610if (conn_args->dane && ob->dane_require_tls_ciphers)
5ec37a55
PP
2611 {
2612 /* not using expand_check_tlsvar because not yet in state */
2613 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2614 &cipher_list, errstr))
c05bdbd6 2615 return FALSE;
cf260049
JH
2616 cipher_list = cipher_list && *cipher_list
2617 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
5ec37a55
PP
2618 }
2619#endif
2620
2621if (!cipher_list)
2622 cipher_list = ob->tls_require_ciphers;
2623
74f1a423 2624if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
65867078 2625 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
74f1a423 2626 cipher_list, &state, tlsp, errstr) != OK)
c05bdbd6 2627 return FALSE;
059ec3d9 2628
54c90be1 2629 {
65867078
JH
2630 int dh_min_bits = ob->tls_dh_min_bits;
2631 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2632 {
2633 DEBUG(D_tls)
2634 debug_printf("WARNING: tls_dh_min_bits far too low,"
2635 " clamping %d up to %d\n",
2636 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2637 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2638 }
54c90be1 2639
65867078
JH
2640 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2641 " acceptable bits to %d\n",
2642 dh_min_bits);
2643 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2644 }
83da1223 2645
94431adb 2646/* Stick to the old behaviour for compatibility if tls_verify_certificates is
2b4a568d
JH
2647set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2648the specified host patterns if one of them is defined */
2649
899b8bbc 2650#ifdef SUPPORT_DANE
c05bdbd6 2651if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
899b8bbc
JH
2652 {
2653 DEBUG(D_tls)
2654 debug_printf("TLS: server certificate DANE required.\n");
2655 state->verify_requirement = VERIFY_DANE;
2656 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
899b8bbc
JH
2657 }
2658else
2659#endif
2660 if ( ( state->exp_tls_verify_certificates
2661 && !ob->tls_verify_hosts
2662 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2663 )
3fb3231c 2664 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
899b8bbc 2665 )
17c76198 2666 {
aa2a70ba 2667 tls_client_setup_hostname_checks(host, state, ob);
aa2a70ba
JH
2668 DEBUG(D_tls)
2669 debug_printf("TLS: server certificate verification required.\n");
2670 state->verify_requirement = VERIFY_REQUIRED;
52f93eed
WB
2671 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2672 }
3fb3231c 2673else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
52f93eed 2674 {
aa2a70ba 2675 tls_client_setup_hostname_checks(host, state, ob);
e51c7be2
JH
2676 DEBUG(D_tls)
2677 debug_printf("TLS: server certificate verification optional.\n");
52f93eed 2678 state->verify_requirement = VERIFY_OPTIONAL;
17c76198
PP
2679 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2680 }
2681else
2682 {
e51c7be2
JH
2683 DEBUG(D_tls)
2684 debug_printf("TLS: server certificate verification not required.\n");
52f93eed
WB
2685 state->verify_requirement = VERIFY_NONE;
2686 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
17c76198 2687 }
059ec3d9 2688
f2de3a33
JH
2689#ifndef DISABLE_OCSP
2690 /* supported since GnuTLS 3.1.3 */
44662487 2691if (request_ocsp)
9d1c15ef
JH
2692 {
2693 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
65867078
JH
2694 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2695 NULL, 0, NULL)) != OK)
74f1a423 2696 {
452a164f 2697 tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
c05bdbd6 2698 return FALSE;
74f1a423
JH
2699 }
2700 tlsp->ocsp = OCSP_NOT_RESP;
9d1c15ef 2701 }
2b4a568d
JH
2702#endif
2703
b10c87b3
JH
2704#ifdef EXPERIMENTAL_TLS_RESUME
2705tls_client_resume_prehandshake(state, tlsp, host, ob);
2706#endif
2707
0cbf2b82 2708#ifndef DISABLE_EVENT
afdb5e9c 2709if (tb && tb->event_action)
a7538db1 2710 {
774ef2d7 2711 state->event_action = tb->event_action;
a7538db1 2712 gnutls_session_set_ptr(state->session, state);
723fe533 2713 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
a7538db1
JH
2714 }
2715#endif
2716
c05bdbd6
JH
2717gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
2718state->fd_in = cctx->sock;
2719state->fd_out = cctx->sock;
059ec3d9 2720
9d1c15ef 2721DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
059ec3d9
PH
2722/* There doesn't seem to be a built-in timeout on connection. */
2723
2724sigalrm_seen = FALSE;
c2a1bba0 2725ALARM(ob->command_timeout);
17c76198 2726do
17c76198 2727 rc = gnutls_handshake(state->session);
f1fed05b 2728while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
c2a1bba0 2729ALARM_CLR(0);
059ec3d9 2730
4fe99a6c 2731if (rc != GNUTLS_E_SUCCESS)
74f1a423 2732 {
60d10ce7
JH
2733 if (sigalrm_seen)
2734 {
2735 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
48224640 2736 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
60d10ce7
JH
2737 }
2738 else
452a164f 2739 tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
c05bdbd6 2740 return FALSE;
74f1a423 2741 }
4fe99a6c 2742
dc6d1769 2743DEBUG(D_tls) post_handshake_debug(state);
059ec3d9 2744
17c76198 2745/* Verify late */
059ec3d9 2746
899b8bbc 2747if (!verify_certificate(state, errstr))
74f1a423
JH
2748 {
2749 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
c05bdbd6 2750 return FALSE;
74f1a423 2751 }
059ec3d9 2752
f2de3a33 2753#ifndef DISABLE_OCSP
2b4a568d
JH
2754if (require_ocsp)
2755 {
2756 DEBUG(D_tls)
2757 {
2758 gnutls_datum_t stapling;
2759 gnutls_ocsp_resp_t resp;
2760 gnutls_datum_t printed;
2761 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
2762 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
2763 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2764 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
2765 )
2766 {
65867078 2767 debug_printf("%.4096s", printed.data);
2b4a568d
JH
2768 gnutls_free(printed.data);
2769 }
2770 else
452a164f 2771 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2b4a568d
JH
2772 }
2773
2b4a568d 2774 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
018058b2 2775 {
74f1a423
JH
2776 tlsp->ocsp = OCSP_FAILED;
2777 tls_error(US"certificate status check failed", NULL, state->host, errstr);
c05bdbd6 2778 return FALSE;
018058b2 2779 }
2b4a568d 2780 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
74f1a423 2781 tlsp->ocsp = OCSP_VFIED;
2b4a568d
JH
2782 }
2783#endif
2784
b10c87b3
JH
2785#ifdef EXPERIMENTAL_TLS_RESUME
2786tls_client_resume_posthandshake(state, tlsp, host);
2787#endif
059ec3d9 2788
4fe99a6c 2789/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
059ec3d9 2790
9d1c15ef 2791extract_exim_vars_from_tls_state(state);
059ec3d9 2792
c05bdbd6
JH
2793cctx->tls_ctx = state;
2794return TRUE;
059ec3d9
PH
2795}
2796
2797
2798
17c76198 2799
059ec3d9 2800/*************************************************
17c76198 2801* Close down a TLS session *
059ec3d9
PH
2802*************************************************/
2803
17c76198
PP
2804/* This is also called from within a delivery subprocess forked from the
2805daemon, to shut down the TLS library, without actually doing a shutdown (which
2806would tamper with the TLS session in the parent process).
059ec3d9 2807
dec766a1 2808Arguments:
74f1a423 2809 ct_ctx client context pointer, or NULL for the one global server context
dec766a1 2810 shutdown 1 if TLS close-alert is to be sent,
afdb5e9c 2811 2 if also response to be waited for
dec766a1 2812
17c76198 2813Returns: nothing
059ec3d9
PH
2814*/
2815
17c76198 2816void
74f1a423 2817tls_close(void * ct_ctx, int shutdown)
059ec3d9 2818{
74f1a423 2819exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
059ec3d9 2820
74f1a423 2821if (!state->tlsp || state->tlsp->active.sock < 0) return; /* TLS was not active */
17c76198
PP
2822
2823if (shutdown)
2824 {
dec766a1
WB
2825 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
2826 shutdown > 1 ? " (with response-wait)" : "");
2827
c2a1bba0 2828 ALARM(2);
dec766a1 2829 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
c2a1bba0 2830 ALARM_CLR(0);
17c76198
PP
2831 }
2832
2833gnutls_deinit(state->session);
ed62aae3
HSHR
2834gnutls_certificate_free_credentials(state->x509_cred);
2835
17c76198 2836
74f1a423
JH
2837state->tlsp->active.sock = -1;
2838state->tlsp->active.tls_ctx = NULL;
b808677c 2839if (state->xfer_buffer) store_free(state->xfer_buffer);
17c76198 2840memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
059ec3d9
PH
2841}
2842
2843
2844
17c76198 2845
0d81dabc
JH
2846static BOOL
2847tls_refill(unsigned lim)
2848{
2849exim_gnutls_state_st * state = &state_server;
2850ssize_t inbytes;
2851
2852DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2853 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
2854
f1fed05b 2855sigalrm_seen = FALSE;
c2a1bba0 2856if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
4896a319
AM
2857
2858do
2859 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
2860 MIN(ssl_xfer_buffer_size, lim));
2861while (inbytes == GNUTLS_E_AGAIN);
2862
c2a1bba0 2863if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH
2864
2865if (had_command_timeout) /* set by signal handler */
2866 smtp_command_timeout_exit(); /* does not return */
2867if (had_command_sigterm)
2868 smtp_command_sigterm_exit();
2869if (had_data_timeout)
2870 smtp_data_timeout_exit();
2871if (had_data_sigint)
2872 smtp_data_sigint_exit();
2873
2874/* Timeouts do not get this far. A zero-byte return appears to mean that the
2875TLS session has been closed down, not that the socket itself has been closed
2876down. Revert to non-TLS handling. */
0d81dabc
JH
2877
2878if (sigalrm_seen)
2879 {
2880 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
8b77d27a 2881 state->xfer_error = TRUE;
0d81dabc
JH
2882 return FALSE;
2883 }
2884
2885else if (inbytes == 0)
2886 {
2887 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2888
2889 receive_getc = smtp_getc;
2890 receive_getbuf = smtp_getbuf;
2891 receive_get_cache = smtp_get_cache;
2892 receive_ungetc = smtp_ungetc;
2893 receive_feof = smtp_feof;
2894 receive_ferror = smtp_ferror;
2895 receive_smtp_buffered = smtp_buffered;
2896
2897 gnutls_deinit(state->session);
2898 gnutls_certificate_free_credentials(state->x509_cred);
2899
2900 state->session = NULL;
74f1a423
JH
2901 state->tlsp->active.sock = -1;
2902 state->tlsp->active.tls_ctx = NULL;
0d81dabc
JH
2903 state->tlsp->bits = 0;
2904 state->tlsp->certificate_verified = FALSE;
2905 tls_channelbinding_b64 = NULL;
2906 state->tlsp->cipher = NULL;
2907 state->tlsp->peercert = NULL;
2908 state->tlsp->peerdn = NULL;
2909
2910 return FALSE;
2911 }
2912
2913/* Handle genuine errors */
2914
2915else if (inbytes < 0)
2916 {
95f52235 2917 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
0d81dabc 2918 record_io_error(state, (int) inbytes, US"recv", NULL);
8b77d27a 2919 state->xfer_error = TRUE;
0d81dabc
JH
2920 return FALSE;
2921 }
2922#ifndef DISABLE_DKIM
2923dkim_exim_verify_feed(state->xfer_buffer, inbytes);
2924#endif
2925state->xfer_buffer_hwm = (int) inbytes;
2926state->xfer_buffer_lwm = 0;
2927return TRUE;
2928}
2929
059ec3d9
PH
2930/*************************************************
2931* TLS version of getc *
2932*************************************************/
2933
2934/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2935it refills the buffer via the GnuTLS reading function.
817d9f57 2936Only used by the server-side TLS.
059ec3d9 2937
17c76198
PP
2938This feeds DKIM and should be used for all message-body reads.
2939
aded2255 2940Arguments: lim Maximum amount to read/buffer
059ec3d9
PH
2941Returns: the next character or EOF
2942*/
2943
2944int
bd8fbe36 2945tls_getc(unsigned lim)
059ec3d9 2946{
0d81dabc 2947exim_gnutls_state_st * state = &state_server;
059ec3d9 2948
0d81dabc
JH
2949if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2950 if (!tls_refill(lim))
2951 return state->xfer_error ? EOF : smtp_getc(lim);
ed62aae3 2952
0d81dabc 2953/* Something in the buffer; return next uschar */
059ec3d9 2954
0d81dabc
JH
2955return state->xfer_buffer[state->xfer_buffer_lwm++];
2956}
059ec3d9 2957
0d81dabc
JH
2958uschar *
2959tls_getbuf(unsigned * len)
2960{
2961exim_gnutls_state_st * state = &state_server;
2962unsigned size;
2963uschar * buf;
059ec3d9 2964
0d81dabc
JH
2965if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2966 if (!tls_refill(*len))
059ec3d9 2967 {
0d81dabc
JH
2968 if (!state->xfer_error) return smtp_getbuf(len);
2969 *len = 0;
2970 return NULL;
059ec3d9 2971 }
059ec3d9 2972
0d81dabc
JH
2973if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
2974 size = *len;
2975buf = &state->xfer_buffer[state->xfer_buffer_lwm];
2976state->xfer_buffer_lwm += size;
2977*len = size;
2978return buf;
059ec3d9
PH
2979}
2980
0d81dabc 2981
584e96c6
JH
2982void
2983tls_get_cache()
2984{
9960d1e5 2985#ifndef DISABLE_DKIM
584e96c6
JH
2986exim_gnutls_state_st * state = &state_server;
2987int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
2988if (n > 0)
2989 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
584e96c6 2990#endif
9960d1e5 2991}
584e96c6 2992
059ec3d9 2993
925ac8e4
JH
2994BOOL
2995tls_could_read(void)
2996{
2997return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
2998 || gnutls_record_check_pending(state_server.session) > 0;
2999}
3000
3001
059ec3d9 3002
17c76198 3003
059ec3d9
PH
3004/*************************************************
3005* Read bytes from TLS channel *
3006*************************************************/
3007
17c76198
PP
3008/* This does not feed DKIM, so if the caller uses this for reading message body,
3009then the caller must feed DKIM.
817d9f57 3010
059ec3d9 3011Arguments:
74f1a423 3012 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH
3013 buff buffer of data
3014 len size of buffer
3015
3016Returns: the number of bytes read
afdb5e9c 3017 -1 after a failed read, including EOF
059ec3d9
PH
3018*/
3019
3020int
74f1a423 3021tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 3022{
74f1a423 3023exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
17c76198 3024ssize_t inbytes;
059ec3d9 3025
17c76198
PP
3026if (len > INT_MAX)
3027 len = INT_MAX;
059ec3d9 3028
17c76198
PP
3029if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3030 DEBUG(D_tls)
3031 debug_printf("*** PROBABLY A BUG *** " \
3032 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3033 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3034
3035DEBUG(D_tls)
3036 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
3037 state->session, buff, len);
3038
4896a319
AM
3039do
3040 inbytes = gnutls_record_recv(state->session, buff, len);
3041while (inbytes == GNUTLS_E_AGAIN);
3042
059ec3d9
PH
3043if (inbytes > 0) return inbytes;
3044if (inbytes == 0)
3045 {
3046 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3047 }
5fd28bb8 3048else
4896a319 3049 {
95f52235 3050 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
4896a319
AM
3051 record_io_error(state, (int)inbytes, US"recv", NULL);
3052 }
059ec3d9
PH
3053
3054return -1;
3055}
3056
3057
3058
17c76198 3059
059ec3d9
PH
3060/*************************************************
3061* Write bytes down TLS channel *
3062*************************************************/
3063
3064/*
3065Arguments:
74f1a423 3066 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH
3067 buff buffer of data
3068 len number of bytes
925ac8e4 3069 more more data expected soon
059ec3d9
PH
3070
3071Returns: the number of bytes after a successful write,
3072 -1 after a failed write
3073*/
3074
3075int
74f1a423 3076tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
059ec3d9 3077{
17c76198
PP
3078ssize_t outbytes;
3079size_t left = len;
74f1a423 3080exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
925ac8e4
JH
3081#ifdef SUPPORT_CORK
3082static BOOL corked = FALSE;
3083
3084if (more && !corked) gnutls_record_cork(state->session);
3085#endif
3086
3087DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
3088 buff, left, more ? ", more" : "");
059ec3d9 3089
059ec3d9
PH
3090while (left > 0)
3091 {
17c76198
PP
3092 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
3093 buff, left);
4896a319
AM
3094
3095 do
3096 outbytes = gnutls_record_send(state->session, buff, left);
3097 while (outbytes == GNUTLS_E_AGAIN);
059ec3d9 3098
17c76198 3099 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
059ec3d9
PH
3100 if (outbytes < 0)
3101 {
1b76ad22 3102 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
17c76198 3103 record_io_error(state, outbytes, US"send", NULL);
059ec3d9
PH
3104 return -1;
3105 }
3106 if (outbytes == 0)
3107 {
17c76198 3108 record_io_error(state, 0, US"send", US"TLS channel closed on write");
059ec3d9
PH
3109 return -1;
3110 }
3111
3112 left -= outbytes;
3113 buff += outbytes;
3114 }
3115
17c76198
PP
3116if (len > INT_MAX)
3117 {
3118 DEBUG(D_tls)
3119 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
3120 len);
3121 len = INT_MAX;
3122 }
3123
925ac8e4
JH
3124#ifdef SUPPORT_CORK
3125if (more != corked)
3126 {
3127 if (!more) (void) gnutls_record_uncork(state->session, 0);
3128 corked = more;
3129 }
3130#endif
3131
17c76198 3132return (int) len;
059ec3d9
PH
3133}
3134
3135
3136
17c76198 3137
059ec3d9 3138/*************************************************
17c76198 3139* Random number generation *
059ec3d9
PH
3140*************************************************/
3141
17c76198
PP
3142/* Pseudo-random number generation. The result is not expected to be
3143cryptographically strong but not so weak that someone will shoot themselves
3144in the foot using it as a nonce in input in some email header scheme or
3145whatever weirdness they'll twist this into. The result should handle fork()
3146and avoid repeating sequences. OpenSSL handles that for us.
059ec3d9 3147
17c76198
PP
3148Arguments:
3149 max range maximum
3150Returns a random number in range [0, max-1]
059ec3d9
PH
3151*/
3152
af3498d6 3153#ifdef HAVE_GNUTLS_RND
17c76198
PP
3154int
3155vaguely_random_number(int max)
059ec3d9 3156{
17c76198
PP
3157unsigned int r;
3158int i, needed_len;
17c76198
PP
3159uschar smallbuf[sizeof(r)];
3160
3161if (max <= 1)
3162 return 0;
3163
3164needed_len = sizeof(r);
3165/* Don't take 8 times more entropy than needed if int is 8 octets and we were
d7978c0f
JH
3166asked for a number less than 10. */
3167
17c76198
PP
3168for (r = max, i = 0; r; ++i)
3169 r >>= 1;
3170i = (i + 7) / 8;
3171if (i < needed_len)
3172 needed_len = i;
3173
3174i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
3175if (i < 0)
059ec3d9 3176 {
17c76198
PP
3177 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
3178 return vaguely_random_number_fallback(max);
3179 }
3180r = 0;
d7978c0f
JH
3181for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3182 r = r * 256 + *p;
059ec3d9 3183
17c76198
PP
3184/* We don't particularly care about weighted results; if someone wants
3185 * smooth distribution and cares enough then they should submit a patch then. */
3186return r % max;
059ec3d9 3187}
af3498d6
PP
3188#else /* HAVE_GNUTLS_RND */
3189int
3190vaguely_random_number(int max)
3191{
3192 return vaguely_random_number_fallback(max);
3193}
3194#endif /* HAVE_GNUTLS_RND */
059ec3d9 3195
36f12725
NM
3196
3197
3198
3199/*************************************************
3375e053
PP
3200* Let tls_require_ciphers be checked at startup *
3201*************************************************/
3202
3203/* The tls_require_ciphers option, if set, must be something which the
3204library can parse.
3205
3206Returns: NULL on success, or error message
3207*/
3208
3209uschar *
3210tls_validate_require_cipher(void)
3211{
3212int rc;
3213uschar *expciphers = NULL;
3214gnutls_priority_t priority_cache;
3215const char *errpos;
cf0c6164 3216uschar * dummy_errstr;
3375e053
PP
3217
3218#define validate_check_rc(Label) do { \
3219 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
3220 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3221#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
3222
3223if (exim_gnutls_base_init_done)
3224 log_write(0, LOG_MAIN|LOG_PANIC,
3225 "already initialised GnuTLS, Exim developer bug");
3226
a5f239e4 3227#ifdef HAVE_GNUTLS_PKCS11
2519e60d 3228if (!gnutls_allow_auto_pkcs11)
a5f239e4
PP
3229 {
3230 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
3231 validate_check_rc(US"gnutls_pkcs11_init");
3232 }
3233#endif
3375e053
PP
3234rc = gnutls_global_init();
3235validate_check_rc(US"gnutls_global_init()");
3236exim_gnutls_base_init_done = TRUE;
3237
3238if (!(tls_require_ciphers && *tls_require_ciphers))
3239 return_deinit(NULL);
3240
cf0c6164
JH
3241if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3242 &dummy_errstr))
3375e053
PP
3243 return_deinit(US"failed to expand tls_require_ciphers");
3244
3245if (!(expciphers && *expciphers))
3246 return_deinit(NULL);
3247
3248DEBUG(D_tls)
3249 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3250
3251rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
3252validate_check_rc(string_sprintf(
3253 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
3254 expciphers, errpos - CS expciphers, errpos));
3255
3256#undef return_deinit
3257#undef validate_check_rc
3258gnutls_global_deinit();
3259
3260return NULL;
3261}
3262
3263
3264
3265
3266/*************************************************
36f12725
NM
3267* Report the library versions. *
3268*************************************************/
3269
3270/* See a description in tls-openssl.c for an explanation of why this exists.
3271
3272Arguments: a FILE* to print the results to
3273Returns: nothing
3274*/
3275
3276void
3277tls_version_report(FILE *f)
3278{
754a0503
PP
3279fprintf(f, "Library version: GnuTLS: Compile: %s\n"
3280 " Runtime: %s\n",
3281 LIBGNUTLS_VERSION,
3282 gnutls_check_version(NULL));
36f12725
NM
3283}
3284
b10c87b3 3285#endif /*!MACRO_PREDEF*/
2b4a568d
JH
3286/* vi: aw ai sw=2
3287*/
059ec3d9 3288/* End of tls-gnu.c */