projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Refactor common uses of list-checking
[exim.git] / src / src / tls-gnu.c
... / ...
CommitLineData
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5/* Copyright (c) University of Cambridge 1995 - 2014 */
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Copyright (c) Phil Pennock 2012 */
9
10/* This file provides TLS/SSL support for Exim using the GnuTLS library,
11one of the available supported implementations. This file is #included into
12tls.c when USE_GNUTLS has been set.
13
14The code herein is a revamp of GnuTLS integration using the current APIs; the
15original tls-gnu.c was based on a patch which was contributed by Nikos
16Mavroyanopoulos. The revamp is partially a rewrite, partially cut&paste as
17appropriate.
18
19APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20which is not widely deployed by OS vendors. Will note issues below, which may
21assist in updating the code in the future. Another sources of hints is
22mod_gnutls for Apache (SNI callback registration and handling).
23
24Keeping client and server variables more split than before and is currently
25the norm, in anticipation of TLS in ACL callouts.
26
27I wanted to switch to gnutls_certificate_set_verify_function() so that
28certificate rejection could happen during handshake where it belongs, rather
29than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30(6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
31
32(I wasn't looking for libraries quite that old, when updating to get rid of
33compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34require current GnuTLS, then we'll drop support for the ancient libraries).
35*/
36
37#include <gnutls/gnutls.h>
38/* needed for cert checks in verification and DN extraction: */
39#include <gnutls/x509.h>
40/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41#include <gnutls/crypto.h>
42/* needed to disable PKCS11 autoload unless requested */
43#if GNUTLS_VERSION_NUMBER >= 0x020c00
44# include <gnutls/pkcs11.h>
45#endif
46#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
47# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
48# define DISABLE_OCSP
49#endif
50#if GNUTLS_VERSION_NUMBER < 0x020a00 && defined(EXPERIMENTAL_EVENT)
51# warning "GnuTLS library version too old; tls:cert event unsupported"
52# undef EXPERIMENTAL_EVENT
53#endif
54#if GNUTLS_VERSION_NUMBER >= 0x030306
55# define SUPPORT_CA_DIR
56#else
57# undef SUPPORT_CA_DIR
58#endif
59
60#ifndef DISABLE_OCSP
61# include <gnutls/ocsp.h>
62#endif
63
64/* GnuTLS 2 vs 3
65
66GnuTLS 3 only:
67 gnutls_global_set_audit_log_function()
68
69Changes:
70 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
71*/
72
73/* Local static variables for GnuTLS */
74
75/* Values for verify_requirement */
76
77enum peer_verify_requirement
78 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
79
80/* This holds most state for server or client; with this, we can set up an
81outbound TLS-enabled connection in an ACL callout, while not stomping all
82over the TLS variables available for expansion.
83
84Some of these correspond to variables in globals.c; those variables will
85be set to point to content in one of these instances, as appropriate for
86the stage of the process lifetime.
87
88Not handled here: global tls_channelbinding_b64.
89*/
90
91typedef struct exim_gnutls_state {
92 gnutls_session_t session;
93 gnutls_certificate_credentials_t x509_cred;
94 gnutls_priority_t priority_cache;
95 enum peer_verify_requirement verify_requirement;
96 int fd_in;
97 int fd_out;
98 BOOL peer_cert_verified;
99 BOOL trigger_sni_changes;
100 BOOL have_set_peerdn;
101 const struct host_item *host;
102 gnutls_x509_crt_t peercert;
103 uschar *peerdn;
104 uschar *ciphersuite;
105 uschar *received_sni;
106
107 const uschar *tls_certificate;
108 const uschar *tls_privatekey;
109 const uschar *tls_sni; /* client send only, not received */
110 const uschar *tls_verify_certificates;
111 const uschar *tls_crl;
112 const uschar *tls_require_ciphers;
113
114 uschar *exp_tls_certificate;
115 uschar *exp_tls_privatekey;
116 uschar *exp_tls_verify_certificates;
117 uschar *exp_tls_crl;
118 uschar *exp_tls_require_ciphers;
119 uschar *exp_tls_ocsp_file;
120#ifdef EXPERIMENTAL_CERTNAMES
121 uschar *exp_tls_verify_cert_hostnames;
122#endif
123#ifdef EXPERIMENTAL_EVENT
124 uschar *event_action;
125#endif
126
127 tls_support *tlsp; /* set in tls_init() */
128
129 uschar *xfer_buffer;
130 int xfer_buffer_lwm;
131 int xfer_buffer_hwm;
132 int xfer_eof;
133 int xfer_error;
134} exim_gnutls_state_st;
135
136static const exim_gnutls_state_st exim_gnutls_state_init = {
137 NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
138 NULL, NULL, NULL, NULL,
139 NULL, NULL, NULL, NULL, NULL, NULL,
140 NULL, NULL, NULL, NULL, NULL, NULL, NULL,
141#ifdef EXPERIMENTAL_CERTNAMES
142 NULL,
143#endif
144#ifdef EXPERIMENTAL_EVENT
145 NULL,
146#endif
147 NULL,
148 NULL, 0, 0, 0, 0,
149};
150
151/* Not only do we have our own APIs which don't pass around state, assuming
152it's held in globals, GnuTLS doesn't appear to let us register callback data
153for callbacks, or as part of the session, so we have to keep a "this is the
154context we're currently dealing with" pointer and rely upon being
155single-threaded to keep from processing data on an inbound TLS connection while
156talking to another TLS connection for an outbound check. This does mean that
157there's no way for heart-beats to be responded to, for the duration of the
158second connection.
159XXX But see gnutls_session_get_ptr()
160*/
161
162static exim_gnutls_state_st state_server, state_client;
163
164/* dh_params are initialised once within the lifetime of a process using TLS;
165if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
166don't want to repeat this. */
167
168static gnutls_dh_params_t dh_server_params = NULL;
169
170/* No idea how this value was chosen; preserving it. Default is 3600. */
171
172static const int ssl_session_timeout = 200;
173
174static const char * const exim_default_gnutls_priority = "NORMAL";
175
176/* Guard library core initialisation */
177
178static BOOL exim_gnutls_base_init_done = FALSE;
179
180
181/* ------------------------------------------------------------------------ */
182/* macros */
183
184#define MAX_HOST_LEN 255
185
186/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
187the library logging; a value less than 0 disables the calls to set up logging
188callbacks. */
189#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
190# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
191#endif
192
193#ifndef EXIM_CLIENT_DH_MIN_BITS
194# define EXIM_CLIENT_DH_MIN_BITS 1024
195#endif
196
197/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
198can ask for a bit-strength. Without that, we stick to the constant we had
199before, for now. */
200#ifndef EXIM_SERVER_DH_BITS_PRE2_12
201# define EXIM_SERVER_DH_BITS_PRE2_12 1024
202#endif
203
204#define exim_gnutls_err_check(Label) do { \
205 if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)
206
207#define expand_check_tlsvar(Varname) expand_check(state->Varname, US #Varname, &state->exp_##Varname)
208
209#if GNUTLS_VERSION_NUMBER >= 0x020c00
210# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
211# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
212# define HAVE_GNUTLS_RND
213/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
214 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
215 * isn't available sometimes, so this needs to become a conditional
216 * compilation; the sanest way to deal with this being a problem on
217 * older OSes is to block it in the Local/Makefile with this compiler
218 * definition */
219# ifndef AVOID_GNUTLS_PKCS11
220# define HAVE_GNUTLS_PKCS11
221# endif /* AVOID_GNUTLS_PKCS11 */
222#endif
223
224
225
226
227/* ------------------------------------------------------------------------ */
228/* Callback declarations */
229
230#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
231static void exim_gnutls_logger_cb(int level, const char *message);
232#endif
233
234static int exim_sni_handling_cb(gnutls_session_t session);
235
236#ifndef DISABLE_OCSP
237static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
238 gnutls_datum_t * ocsp_response);
239#endif
240
241
242
243/* ------------------------------------------------------------------------ */
244/* Static functions */
245
246/*************************************************
247* Handle TLS error *
248*************************************************/
249
250/* Called from lots of places when errors occur before actually starting to do
251the TLS handshake, that is, while the session is still in clear. Always returns
252DEFER for a server and FAIL for a client so that most calls can use "return
253tls_error(...)" to do this processing and then give an appropriate return. A
254single function is used for both server and client, because it is called from
255some shared functions.
256
257Argument:
258 prefix text to include in the logged error
259 msg additional error string (may be NULL)
260 usually obtained from gnutls_strerror()
261 host NULL if setting up a server;
262 the connected host if setting up a client
263
264Returns: OK/DEFER/FAIL
265*/
266
267static int
268tls_error(const uschar *prefix, const char *msg, const host_item *host)
269{
270if (host)
271 {
272 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s)%s%s",
273 host->name, host->address, prefix, msg ? ": " : "", msg ? msg : "");
274 return FAIL;
275 }
276else
277 {
278 uschar *conn_info = smtp_get_connection_info();
279 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
280 conn_info += 5;
281 /* I'd like to get separated H= here, but too hard for now */
282 log_write(0, LOG_MAIN, "TLS error on %s (%s)%s%s",
283 conn_info, prefix, msg ? ": " : "", msg ? msg : "");
284 return DEFER;
285 }
286}
287
288
289
290
291/*************************************************
292* Deal with logging errors during I/O *
293*************************************************/
294
295/* We have to get the identity of the peer from saved data.
296
297Argument:
298 state the current GnuTLS exim state container
299 rc the GnuTLS error code, or 0 if it's a local error
300 when text identifying read or write
301 text local error text when ec is 0
302
303Returns: nothing
304*/
305
306static void
307record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
308{
309const char *msg;
310
311if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
312 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
313 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
314else
315 msg = gnutls_strerror(rc);
316
317tls_error(when, msg, state->host);
318}
319
320
321
322
323/*************************************************
324* Set various Exim expansion vars *
325*************************************************/
326
327#define exim_gnutls_cert_err(Label) \
328 do \
329 { \
330 if (rc != GNUTLS_E_SUCCESS) \
331 { \
332 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
333 (Label), gnutls_strerror(rc)); \
334 return rc; \
335 } \
336 } while (0)
337
338static int
339import_cert(const gnutls_datum * cert, gnutls_x509_crt_t * crtp)
340{
341int rc;
342
343rc = gnutls_x509_crt_init(crtp);
344exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
345
346rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
347exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
348
349return rc;
350}
351
352#undef exim_gnutls_cert_err
353
354
355/* We set various Exim global variables from the state, once a session has
356been established. With TLS callouts, may need to change this to stack
357variables, or just re-call it with the server state after client callout
358has finished.
359
360Make sure anything set here is unset in tls_getc().
361
362Sets:
363 tls_active fd
364 tls_bits strength indicator
365 tls_certificate_verified bool indicator
366 tls_channelbinding_b64 for some SASL mechanisms
367 tls_cipher a string
368 tls_peercert pointer to library internal
369 tls_peerdn a string
370 tls_sni a (UTF-8) string
371 tls_ourcert pointer to library internal
372
373Argument:
374 state the relevant exim_gnutls_state_st *
375*/
376
377static void
378extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
379{
380gnutls_cipher_algorithm_t cipher;
381#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
382int old_pool;
383int rc;
384gnutls_datum_t channel;
385#endif
386tls_support * tlsp = state->tlsp;
387
388tlsp->active = state->fd_out;
389
390cipher = gnutls_cipher_get(state->session);
391/* returns size in "bytes" */
392tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
393
394tlsp->cipher = state->ciphersuite;
395
396DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
397
398tlsp->certificate_verified = state->peer_cert_verified;
399
400/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
401only available for use for authenticators while this TLS session is running. */
402
403tls_channelbinding_b64 = NULL;
404#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
405channel.data = NULL;
406channel.size = 0;
407rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
408if (rc) {
409 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
410} else {
411 old_pool = store_pool;
412 store_pool = POOL_PERM;
413 tls_channelbinding_b64 = auth_b64encode(channel.data, (int)channel.size);
414 store_pool = old_pool;
415 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
416}
417#endif
418
419/* peercert is set in peer_status() */
420tlsp->peerdn = state->peerdn;
421tlsp->sni = state->received_sni;
422
423/* record our certificate */
424 {
425 const gnutls_datum * cert = gnutls_certificate_get_ours(state->session);
426 gnutls_x509_crt_t crt;
427
428 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
429 }
430}
431
432
433
434
435/*************************************************
436* Setup up DH parameters *
437*************************************************/
438
439/* Generating the D-H parameters may take a long time. They only need to
440be re-generated every so often, depending on security policy. What we do is to
441keep these parameters in a file in the spool directory. If the file does not
442exist, we generate them. This means that it is easy to cause a regeneration.
443
444The new file is written as a temporary file and renamed, so that an incomplete
445file is never present. If two processes both compute some new parameters, you
446waste a bit of effort, but it doesn't seem worth messing around with locking to
447prevent this.
448
449Returns: OK/DEFER/FAIL
450*/
451
452static int
453init_server_dh(void)
454{
455int fd, rc;
456unsigned int dh_bits;
457gnutls_datum m;
458uschar filename_buf[PATH_MAX];
459uschar *filename = NULL;
460size_t sz;
461uschar *exp_tls_dhparam;
462BOOL use_file_in_spool = FALSE;
463BOOL use_fixed_file = FALSE;
464host_item *host = NULL; /* dummy for macros */
465
466DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
467
468rc = gnutls_dh_params_init(&dh_server_params);
469exim_gnutls_err_check(US"gnutls_dh_params_init");
470
471m.data = NULL;
472m.size = 0;
473
474if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam))
475 return DEFER;
476
477if (!exp_tls_dhparam)
478 {
479 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
480 m.data = US std_dh_prime_default();
481 m.size = Ustrlen(m.data);
482 }
483else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
484 use_file_in_spool = TRUE;
485else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
486 {
487 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
488 return OK;
489 }
490else if (exp_tls_dhparam[0] != '/')
491 {
492 m.data = US std_dh_prime_named(exp_tls_dhparam);
493 if (m.data == NULL)
494 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL);
495 m.size = Ustrlen(m.data);
496 }
497else
498 {
499 use_fixed_file = TRUE;
500 filename = exp_tls_dhparam;
501 }
502
503if (m.data)
504 {
505 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
506 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
507 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
508 return OK;
509 }
510
511#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
512/* If you change this constant, also change dh_param_fn_ext so that we can use a
513different filename and ensure we have sufficient bits. */
514dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
515if (!dh_bits)
516 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL);
517DEBUG(D_tls)
518 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
519 dh_bits);
520#else
521dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
522DEBUG(D_tls)
523 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
524 dh_bits);
525#endif
526
527/* Some clients have hard-coded limits. */
528if (dh_bits > tls_dh_max_bits)
529 {
530 DEBUG(D_tls)
531 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
532 tls_dh_max_bits);
533 dh_bits = tls_dh_max_bits;
534 }
535
536if (use_file_in_spool)
537 {
538 if (!string_format(filename_buf, sizeof(filename_buf),
539 "%s/gnutls-params-%d", spool_directory, dh_bits))
540 return tls_error(US"overlong filename", NULL, NULL);
541 filename = filename_buf;
542 }
543
544/* Open the cache file for reading and if successful, read it and set up the
545parameters. */
546
547fd = Uopen(filename, O_RDONLY, 0);
548if (fd >= 0)
549 {
550 struct stat statbuf;
551 FILE *fp;
552 int saved_errno;
553
554 if (fstat(fd, &statbuf) < 0) /* EIO */
555 {
556 saved_errno = errno;
557 (void)close(fd);
558 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL);
559 }
560 if (!S_ISREG(statbuf.st_mode))
561 {
562 (void)close(fd);
563 return tls_error(US"TLS cache not a file", NULL, NULL);
564 }
565 fp = fdopen(fd, "rb");
566 if (!fp)
567 {
568 saved_errno = errno;
569 (void)close(fd);
570 return tls_error(US"fdopen(TLS cache stat fd) failed",
571 strerror(saved_errno), NULL);
572 }
573
574 m.size = statbuf.st_size;
575 m.data = malloc(m.size);
576 if (m.data == NULL)
577 {
578 fclose(fp);
579 return tls_error(US"malloc failed", strerror(errno), NULL);
580 }
581 sz = fread(m.data, m.size, 1, fp);
582 if (!sz)
583 {
584 saved_errno = errno;
585 fclose(fp);
586 free(m.data);
587 return tls_error(US"fread failed", strerror(saved_errno), NULL);
588 }
589 fclose(fp);
590
591 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
592 free(m.data);
593 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
594 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
595 }
596
597/* If the file does not exist, fall through to compute new data and cache it.
598If there was any other opening error, it is serious. */
599
600else if (errno == ENOENT)
601 {
602 rc = -1;
603 DEBUG(D_tls)
604 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
605 }
606else
607 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
608 NULL, NULL);
609
610/* If ret < 0, either the cache file does not exist, or the data it contains
611is not useful. One particular case of this is when upgrading from an older
612release of Exim in which the data was stored in a different format. We don't
613try to be clever and support both formats; we just regenerate new data in this
614case. */
615
616if (rc < 0)
617 {
618 uschar *temp_fn;
619 unsigned int dh_bits_gen = dh_bits;
620
621 if ((PATH_MAX - Ustrlen(filename)) < 10)
622 return tls_error(US"Filename too long to generate replacement",
623 CS filename, NULL);
624
625 temp_fn = string_copy(US "%s.XXXXXXX");
626 fd = mkstemp(CS temp_fn); /* modifies temp_fn */
627 if (fd < 0)
628 return tls_error(US"Unable to open temp file", strerror(errno), NULL);
629 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
630
631 /* GnuTLS overshoots!
632 * If we ask for 2236, we might get 2237 or more.
633 * But there's no way to ask GnuTLS how many bits there really are.
634 * We can ask how many bits were used in a TLS session, but that's it!
635 * The prime itself is hidden behind too much abstraction.
636 * So we ask for less, and proceed on a wing and a prayer.
637 * First attempt, subtracted 3 for 2233 and got 2240.
638 */
639 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
640 {
641 dh_bits_gen = dh_bits - 10;
642 DEBUG(D_tls)
643 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
644 dh_bits_gen);
645 }
646
647 DEBUG(D_tls)
648 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
649 dh_bits_gen);
650 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
651 exim_gnutls_err_check(US"gnutls_dh_params_generate2");
652
653 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
654 and I confirmed that a NULL call to get the size first is how the GnuTLS
655 sample apps handle this. */
656
657 sz = 0;
658 m.data = NULL;
659 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
660 m.data, &sz);
661 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
662 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3(NULL) sizing");
663 m.size = sz;
664 m.data = malloc(m.size);
665 if (m.data == NULL)
666 return tls_error(US"memory allocation failed", strerror(errno), NULL);
667 /* this will return a size 1 less than the allocation size above */
668 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
669 m.data, &sz);
670 if (rc != GNUTLS_E_SUCCESS)
671 {
672 free(m.data);
673 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3() real");
674 }
675 m.size = sz; /* shrink by 1, probably */
676
677 sz = write_to_fd_buf(fd, m.data, (size_t) m.size);
678 if (sz != m.size)
679 {
680 free(m.data);
681 return tls_error(US"TLS cache write D-H params failed",
682 strerror(errno), NULL);
683 }
684 free(m.data);
685 sz = write_to_fd_buf(fd, US"\n", 1);
686 if (sz != 1)
687 return tls_error(US"TLS cache write D-H params final newline failed",
688 strerror(errno), NULL);
689
690 rc = close(fd);
691 if (rc)
692 return tls_error(US"TLS cache write close() failed",
693 strerror(errno), NULL);
694
695 if (Urename(temp_fn, filename) < 0)
696 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
697 temp_fn, filename), strerror(errno), NULL);
698
699 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
700 }
701
702DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
703return OK;
704}
705
706
707
708
709/*************************************************
710* Variables re-expanded post-SNI *
711*************************************************/
712
713/* Called from both server and client code, via tls_init(), and also from
714the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
715
716We can tell the two apart by state->received_sni being non-NULL in callback.
717
718The callback should not call us unless state->trigger_sni_changes is true,
719which we are responsible for setting on the first pass through.
720
721Arguments:
722 state exim_gnutls_state_st *
723
724Returns: OK/DEFER/FAIL
725*/
726
727static int
728tls_expand_session_files(exim_gnutls_state_st *state)
729{
730struct stat statbuf;
731int rc;
732const host_item *host = state->host; /* macro should be reconsidered? */
733uschar *saved_tls_certificate = NULL;
734uschar *saved_tls_privatekey = NULL;
735uschar *saved_tls_verify_certificates = NULL;
736uschar *saved_tls_crl = NULL;
737int cert_count;
738
739/* We check for tls_sni *before* expansion. */
740if (!host) /* server */
741 {
742 if (!state->received_sni)
743 {
744 if (state->tls_certificate &&
745 (Ustrstr(state->tls_certificate, US"tls_sni") ||
746 Ustrstr(state->tls_certificate, US"tls_in_sni") ||
747 Ustrstr(state->tls_certificate, US"tls_out_sni")
748 ))
749 {
750 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
751 state->trigger_sni_changes = TRUE;
752 }
753 }
754 else
755 {
756 /* useful for debugging */
757 saved_tls_certificate = state->exp_tls_certificate;
758 saved_tls_privatekey = state->exp_tls_privatekey;
759 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
760 saved_tls_crl = state->exp_tls_crl;
761 }
762 }
763
764rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
765exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
766
767/* remember: expand_check_tlsvar() is expand_check() but fiddling with
768state members, assuming consistent naming; and expand_check() returns
769false if expansion failed, unless expansion was forced to fail. */
770
771/* check if we at least have a certificate, before doing expensive
772D-H generation. */
773
774if (!expand_check_tlsvar(tls_certificate))
775 return DEFER;
776
777/* certificate is mandatory in server, optional in client */
778
779if ((state->exp_tls_certificate == NULL) ||
780 (*state->exp_tls_certificate == '\0'))
781 {
782 if (!host)
783 return tls_error(US"no TLS server certificate is specified", NULL, NULL);
784 else
785 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
786 }
787
788if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
789 return DEFER;
790
791/* tls_privatekey is optional, defaulting to same file as certificate */
792
793if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
794 {
795 state->tls_privatekey = state->tls_certificate;
796 state->exp_tls_privatekey = state->exp_tls_certificate;
797 }
798
799
800if (state->exp_tls_certificate && *state->exp_tls_certificate)
801 {
802 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
803 state->exp_tls_certificate, state->exp_tls_privatekey);
804
805 if (state->received_sni)
806 {
807 if ((Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0) &&
808 (Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0))
809 {
810 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
811 }
812 else
813 {
814 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
815 }
816 }
817
818 rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
819 CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
820 GNUTLS_X509_FMT_PEM);
821 exim_gnutls_err_check(
822 string_sprintf("cert/key setup: cert=%s key=%s",
823 state->exp_tls_certificate, state->exp_tls_privatekey));
824 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
825 } /* tls_certificate */
826
827
828/* Set the OCSP stapling server info */
829
830#ifndef DISABLE_OCSP
831if ( !host /* server */
832 && tls_ocsp_file
833 )
834 {
835 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
836 &state->exp_tls_ocsp_file))
837 return DEFER;
838
839 /* Use the full callback method for stapling just to get observability.
840 More efficient would be to read the file once only, if it never changed
841 (due to SNI). Would need restart on file update, or watch datestamp. */
842
843 gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
844 server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
845
846 DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", &state->exp_tls_ocsp_file);
847 }
848#endif
849
850
851/* Set the trusted CAs file if one is provided, and then add the CRL if one is
852provided. Experiment shows that, if the certificate file is empty, an unhelpful
853error message is provided. However, if we just refrain from setting anything up
854in that case, certificate verification fails, which seems to be the correct
855behaviour. */
856
857if (state->tls_verify_certificates && *state->tls_verify_certificates)
858 {
859 if (!expand_check_tlsvar(tls_verify_certificates))
860 return DEFER;
861 if (state->tls_crl && *state->tls_crl)
862 if (!expand_check_tlsvar(tls_crl))
863 return DEFER;
864
865 if (!(state->exp_tls_verify_certificates &&
866 *state->exp_tls_verify_certificates))
867 {
868 DEBUG(D_tls)
869 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
870 /* With no tls_verify_certificates, we ignore tls_crl too */
871 return OK;
872 }
873 }
874else
875 {
876 DEBUG(D_tls)
877 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
878 return OK;
879 }
880
881if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
882 {
883 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
884 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
885 strerror(errno));
886 return DEFER;
887 }
888
889#ifndef SUPPORT_CA_DIR
890/* The test suite passes in /dev/null; we could check for that path explicitly,
891but who knows if someone has some weird FIFO which always dumps some certs, or
892other weirdness. The thing we really want to check is that it's not a
893directory, since while OpenSSL supports that, GnuTLS does not.
894So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
895if (S_ISDIR(statbuf.st_mode))
896 {
897 DEBUG(D_tls)
898 debug_printf("verify certificates path is a dir: \"%s\"\n",
899 state->exp_tls_verify_certificates);
900 log_write(0, LOG_MAIN|LOG_PANIC,
901 "tls_verify_certificates \"%s\" is a directory",
902 state->exp_tls_verify_certificates);
903 return DEFER;
904 }
905#endif
906
907DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
908 state->exp_tls_verify_certificates, statbuf.st_size);
909
910if (statbuf.st_size == 0)
911 {
912 DEBUG(D_tls)
913 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
914 return OK;
915 }
916
917cert_count =
918
919#ifdef SUPPORT_CA_DIR
920 (statbuf.st_mode & S_IFMT) == S_IFDIR
921 ?
922 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
923 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
924 :
925#endif
926 gnutls_certificate_set_x509_trust_file(state->x509_cred,
927 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
928
929if (cert_count < 0)
930 {
931 rc = cert_count;
932 exim_gnutls_err_check(US"gnutls_certificate_set_x509_trust_file");
933 }
934DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
935
936if (state->tls_crl && *state->tls_crl &&
937 state->exp_tls_crl && *state->exp_tls_crl)
938 {
939 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
940 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
941 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
942 if (cert_count < 0)
943 {
944 rc = cert_count;
945 exim_gnutls_err_check(US"gnutls_certificate_set_x509_crl_file");
946 }
947 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
948 }
949
950return OK;
951}
952
953
954
955
956/*************************************************
957* Set X.509 state variables *
958*************************************************/
959
960/* In GnuTLS, the registered cert/key are not replaced by a later
961set of a cert/key, so for SNI support we need a whole new x509_cred
962structure. Which means various other non-re-expanded pieces of state
963need to be re-set in the new struct, so the setting logic is pulled
964out to this.
965
966Arguments:
967 state exim_gnutls_state_st *
968
969Returns: OK/DEFER/FAIL
970*/
971
972static int
973tls_set_remaining_x509(exim_gnutls_state_st *state)
974{
975int rc;
976const host_item *host = state->host; /* macro should be reconsidered? */
977
978/* Create D-H parameters, or read them from the cache file. This function does
979its own SMTP error messaging. This only happens for the server, TLS D-H ignores
980client-side params. */
981
982if (!state->host)
983 {
984 if (!dh_server_params)
985 {
986 rc = init_server_dh();
987 if (rc != OK) return rc;
988 }
989 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
990 }
991
992/* Link the credentials to the session. */
993
994rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
995exim_gnutls_err_check(US"gnutls_credentials_set");
996
997return OK;
998}
999
1000/*************************************************
1001* Initialize for GnuTLS *
1002*************************************************/
1003
1004/* Called from both server and client code. In the case of a server, errors
1005before actual TLS negotiation return DEFER.
1006
1007Arguments:
1008 host connected host, if client; NULL if server
1009 certificate certificate file
1010 privatekey private key file
1011 sni TLS SNI to send, sometimes when client; else NULL
1012 cas CA certs file
1013 crl CRL file
1014 require_ciphers tls_require_ciphers setting
1015 caller_state returned state-info structure
1016
1017Returns: OK/DEFER/FAIL
1018*/
1019
1020static int
1021tls_init(
1022 const host_item *host,
1023 const uschar *certificate,
1024 const uschar *privatekey,
1025 const uschar *sni,
1026 const uschar *cas,
1027 const uschar *crl,
1028 const uschar *require_ciphers,
1029 exim_gnutls_state_st **caller_state)
1030{
1031exim_gnutls_state_st *state;
1032int rc;
1033size_t sz;
1034const char *errpos;
1035uschar *p;
1036BOOL want_default_priorities;
1037
1038if (!exim_gnutls_base_init_done)
1039 {
1040 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1041
1042#ifdef HAVE_GNUTLS_PKCS11
1043 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1044 which loads modules from a config file, which sounds good and may be wanted
1045 by some sysadmin, but also means in common configurations that GNOME keyring
1046 environment variables are used and so breaks for users calling mailq.
1047 To prevent this, we init PKCS11 first, which is the documented approach. */
1048 if (!gnutls_allow_auto_pkcs11)
1049 {
1050 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
1051 exim_gnutls_err_check(US"gnutls_pkcs11_init");
1052 }
1053#endif
1054
1055 rc = gnutls_global_init();
1056 exim_gnutls_err_check(US"gnutls_global_init");
1057
1058#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1059 DEBUG(D_tls)
1060 {
1061 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1062 /* arbitrarily chosen level; bump upto 9 for more */
1063 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
1064 }
1065#endif
1066
1067 exim_gnutls_base_init_done = TRUE;
1068 }
1069
1070if (host)
1071 {
1072 state = &state_client;
1073 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1074 state->tlsp = &tls_out;
1075 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1076 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1077 }
1078else
1079 {
1080 state = &state_server;
1081 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1082 state->tlsp = &tls_in;
1083 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1084 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1085 }
1086exim_gnutls_err_check(US"gnutls_init");
1087
1088state->host = host;
1089
1090state->tls_certificate = certificate;
1091state->tls_privatekey = privatekey;
1092state->tls_require_ciphers = require_ciphers;
1093state->tls_sni = sni;
1094state->tls_verify_certificates = cas;
1095state->tls_crl = crl;
1096
1097/* This handles the variables that might get re-expanded after TLS SNI;
1098that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
1099
1100DEBUG(D_tls)
1101 debug_printf("Expanding various TLS configuration options for session credentials.\n");
1102rc = tls_expand_session_files(state);
1103if (rc != OK) return rc;
1104
1105/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1106requires a new structure afterwards. */
1107
1108rc = tls_set_remaining_x509(state);
1109if (rc != OK) return rc;
1110
1111/* set SNI in client, only */
1112if (host)
1113 {
1114 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni))
1115 return DEFER;
1116 if (state->tlsp->sni && *state->tlsp->sni)
1117 {
1118 DEBUG(D_tls)
1119 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1120 sz = Ustrlen(state->tlsp->sni);
1121 rc = gnutls_server_name_set(state->session,
1122 GNUTLS_NAME_DNS, state->tlsp->sni, sz);
1123 exim_gnutls_err_check(US"gnutls_server_name_set");
1124 }
1125 }
1126else if (state->tls_sni)
1127 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1128 "have an SNI set for a client [%s]\n", state->tls_sni);
1129
1130/* This is the priority string support,
1131http://www.gnutls.org/manual/html_node/Priority-Strings.html
1132and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1133This was backwards incompatible, but means Exim no longer needs to track
1134all algorithms and provide string forms for them. */
1135
1136want_default_priorities = TRUE;
1137
1138if (state->tls_require_ciphers && *state->tls_require_ciphers)
1139 {
1140 if (!expand_check_tlsvar(tls_require_ciphers))
1141 return DEFER;
1142 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
1143 {
1144 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1145 state->exp_tls_require_ciphers);
1146
1147 rc = gnutls_priority_init(&state->priority_cache,
1148 CS state->exp_tls_require_ciphers, &errpos);
1149 want_default_priorities = FALSE;
1150 p = state->exp_tls_require_ciphers;
1151 }
1152 }
1153if (want_default_priorities)
1154 {
1155 DEBUG(D_tls)
1156 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1157 exim_default_gnutls_priority);
1158 rc = gnutls_priority_init(&state->priority_cache,
1159 exim_default_gnutls_priority, &errpos);
1160 p = US exim_default_gnutls_priority;
1161 }
1162
1163exim_gnutls_err_check(string_sprintf(
1164 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1165 p, errpos - CS p, errpos));
1166
1167rc = gnutls_priority_set(state->session, state->priority_cache);
1168exim_gnutls_err_check(US"gnutls_priority_set");
1169
1170gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1171
1172/* Reduce security in favour of increased compatibility, if the admin
1173decides to make that trade-off. */
1174if (gnutls_compat_mode)
1175 {
1176#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1177 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1178 gnutls_session_enable_compatibility_mode(state->session);
1179#else
1180 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1181#endif
1182 }
1183
1184*caller_state = state;
1185return OK;
1186}
1187
1188
1189
1190/*************************************************
1191* Extract peer information *
1192*************************************************/
1193
1194/* Called from both server and client code.
1195Only this is allowed to set state->peerdn and state->have_set_peerdn
1196and we use that to detect double-calls.
1197
1198NOTE: the state blocks last while the TLS connection is up, which is fine
1199for logging in the server side, but for the client side, we log after teardown
1200in src/deliver.c. While the session is up, we can twist about states and
1201repoint tls_* globals, but those variables used for logging or other variable
1202expansion that happens _after_ delivery need to have a longer life-time.
1203
1204So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1205doing this more than once per generation of a state context. We set them in
1206the state context, and repoint tls_* to them. After the state goes away, the
1207tls_* copies of the pointers remain valid and client delivery logging is happy.
1208
1209tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1210don't apply.
1211
1212Arguments:
1213 state exim_gnutls_state_st *
1214
1215Returns: OK/DEFER/FAIL
1216*/
1217
1218static int
1219peer_status(exim_gnutls_state_st *state)
1220{
1221uschar cipherbuf[256];
1222const gnutls_datum *cert_list;
1223int old_pool, rc;
1224unsigned int cert_list_size = 0;
1225gnutls_protocol_t protocol;
1226gnutls_cipher_algorithm_t cipher;
1227gnutls_kx_algorithm_t kx;
1228gnutls_mac_algorithm_t mac;
1229gnutls_certificate_type_t ct;
1230gnutls_x509_crt_t crt;
1231uschar *p, *dn_buf;
1232size_t sz;
1233
1234if (state->have_set_peerdn)
1235 return OK;
1236state->have_set_peerdn = TRUE;
1237
1238state->peerdn = NULL;
1239
1240/* tls_cipher */
1241cipher = gnutls_cipher_get(state->session);
1242protocol = gnutls_protocol_get_version(state->session);
1243mac = gnutls_mac_get(state->session);
1244kx = gnutls_kx_get(state->session);
1245
1246string_format(cipherbuf, sizeof(cipherbuf),
1247 "%s:%s:%d",
1248 gnutls_protocol_get_name(protocol),
1249 gnutls_cipher_suite_get_name(kx, cipher, mac),
1250 (int) gnutls_cipher_get_key_size(cipher) * 8);
1251
1252/* I don't see a way that spaces could occur, in the current GnuTLS
1253code base, but it was a concern in the old code and perhaps older GnuTLS
1254releases did return "TLS 1.0"; play it safe, just in case. */
1255for (p = cipherbuf; *p != '\0'; ++p)
1256 if (isspace(*p))
1257 *p = '-';
1258old_pool = store_pool;
1259store_pool = POOL_PERM;
1260state->ciphersuite = string_copy(cipherbuf);
1261store_pool = old_pool;
1262state->tlsp->cipher = state->ciphersuite;
1263
1264/* tls_peerdn */
1265cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
1266
1267if (cert_list == NULL || cert_list_size == 0)
1268 {
1269 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1270 cert_list, cert_list_size);
1271 if (state->verify_requirement >= VERIFY_REQUIRED)
1272 return tls_error(US"certificate verification failed",
1273 "no certificate received from peer", state->host);
1274 return OK;
1275 }
1276
1277ct = gnutls_certificate_type_get(state->session);
1278if (ct != GNUTLS_CRT_X509)
1279 {
1280 const char *ctn = gnutls_certificate_type_get_name(ct);
1281 DEBUG(D_tls)
1282 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
1283 if (state->verify_requirement >= VERIFY_REQUIRED)
1284 return tls_error(US"certificate verification not possible, unhandled type",
1285 ctn, state->host);
1286 return OK;
1287 }
1288
1289#define exim_gnutls_peer_err(Label) \
1290 do { \
1291 if (rc != GNUTLS_E_SUCCESS) \
1292 { \
1293 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1294 (Label), gnutls_strerror(rc)); \
1295 if (state->verify_requirement >= VERIFY_REQUIRED) \
1296 return tls_error((Label), gnutls_strerror(rc), state->host); \
1297 return OK; \
1298 } \
1299 } while (0)
1300
1301rc = import_cert(&cert_list[0], &crt);
1302exim_gnutls_peer_err(US"cert 0");
1303
1304state->tlsp->peercert = state->peercert = crt;
1305
1306sz = 0;
1307rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1308if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
1309 {
1310 exim_gnutls_peer_err(US"getting size for cert DN failed");
1311 return FAIL; /* should not happen */
1312 }
1313dn_buf = store_get_perm(sz);
1314rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1315exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
1316
1317state->peerdn = dn_buf;
1318
1319return OK;
1320#undef exim_gnutls_peer_err
1321}
1322
1323
1324
1325
1326/*************************************************
1327* Verify peer certificate *
1328*************************************************/
1329
1330/* Called from both server and client code.
1331*Should* be using a callback registered with
1332gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1333the peer information, but that's too new for some OSes.
1334
1335Arguments:
1336 state exim_gnutls_state_st *
1337 error where to put an error message
1338
1339Returns:
1340 FALSE if the session should be rejected
1341 TRUE if the cert is okay or we just don't care
1342*/
1343
1344static BOOL
1345verify_certificate(exim_gnutls_state_st *state, const char **error)
1346{
1347int rc;
1348unsigned int verify;
1349
1350*error = NULL;
1351
1352if ((rc = peer_status(state)) != OK)
1353 {
1354 verify = GNUTLS_CERT_INVALID;
1355 *error = "certificate not supplied";
1356 }
1357else
1358 rc = gnutls_certificate_verify_peers2(state->session, &verify);
1359
1360/* Handle the result of verification. INVALID seems to be set as well
1361as REVOKED, but leave the test for both. */
1362
1363if (rc < 0 ||
1364 verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
1365 )
1366 {
1367 state->peer_cert_verified = FALSE;
1368 if (!*error)
1369 *error = verify & GNUTLS_CERT_REVOKED
1370 ? "certificate revoked" : "certificate invalid";
1371
1372 DEBUG(D_tls)
1373 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
1374 *error, state->peerdn ? state->peerdn : US"<unset>");
1375
1376 if (state->verify_requirement >= VERIFY_REQUIRED)
1377 {
1378 gnutls_alert_send(state->session,
1379 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1380 return FALSE;
1381 }
1382 DEBUG(D_tls)
1383 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
1384 }
1385
1386else
1387 {
1388#ifdef EXPERIMENTAL_CERTNAMES
1389 if (state->exp_tls_verify_cert_hostnames)
1390 {
1391 int sep = 0;
1392 uschar * list = state->exp_tls_verify_cert_hostnames;
1393 uschar * name;
1394 while (name = string_nextinlist(&list, &sep, NULL, 0))
1395 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
1396 break;
1397 if (!name)
1398 {
1399 DEBUG(D_tls)
1400 debug_printf("TLS certificate verification failed: cert name mismatch\n");
1401 if (state->verify_requirement >= VERIFY_REQUIRED)
1402 {
1403 gnutls_alert_send(state->session,
1404 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1405 return FALSE;
1406 }
1407 return TRUE;
1408 }
1409 }
1410#endif
1411 state->peer_cert_verified = TRUE;
1412 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
1413 state->peerdn ? state->peerdn : US"<unset>");
1414 }
1415
1416state->tlsp->peerdn = state->peerdn;
1417
1418return TRUE;
1419}
1420
1421
1422
1423
1424/* ------------------------------------------------------------------------ */
1425/* Callbacks */
1426
1427/* Logging function which can be registered with
1428 * gnutls_global_set_log_function()
1429 * gnutls_global_set_log_level() 0..9
1430 */
1431#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1432static void
1433exim_gnutls_logger_cb(int level, const char *message)
1434{
1435 size_t len = strlen(message);
1436 if (len < 1)
1437 {
1438 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1439 return;
1440 }
1441 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1442 message[len-1] == '\n' ? "" : "\n");
1443}
1444#endif
1445
1446
1447/* Called after client hello, should handle SNI work.
1448This will always set tls_sni (state->received_sni) if available,
1449and may trigger presenting different certificates,
1450if state->trigger_sni_changes is TRUE.
1451
1452Should be registered with
1453 gnutls_handshake_set_post_client_hello_function()
1454
1455"This callback must return 0 on success or a gnutls error code to terminate the
1456handshake.".
1457
1458For inability to get SNI information, we return 0.
1459We only return non-zero if re-setup failed.
1460Only used for server-side TLS.
1461*/
1462
1463static int
1464exim_sni_handling_cb(gnutls_session_t session)
1465{
1466char sni_name[MAX_HOST_LEN];
1467size_t data_len = MAX_HOST_LEN;
1468exim_gnutls_state_st *state = &state_server;
1469unsigned int sni_type;
1470int rc, old_pool;
1471
1472rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
1473if (rc != GNUTLS_E_SUCCESS)
1474 {
1475 DEBUG(D_tls) {
1476 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1477 debug_printf("TLS: no SNI presented in handshake.\n");
1478 else
1479 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1480 gnutls_strerror(rc), rc);
1481 };
1482 return 0;
1483 }
1484
1485if (sni_type != GNUTLS_NAME_DNS)
1486 {
1487 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1488 return 0;
1489 }
1490
1491/* We now have a UTF-8 string in sni_name */
1492old_pool = store_pool;
1493store_pool = POOL_PERM;
1494state->received_sni = string_copyn(US sni_name, data_len);
1495store_pool = old_pool;
1496
1497/* We set this one now so that variable expansions below will work */
1498state->tlsp->sni = state->received_sni;
1499
1500DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1501 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1502
1503if (!state->trigger_sni_changes)
1504 return 0;
1505
1506rc = tls_expand_session_files(state);
1507if (rc != OK)
1508 {
1509 /* If the setup of certs/etc failed before handshake, TLS would not have
1510 been offered. The best we can do now is abort. */
1511 return GNUTLS_E_APPLICATION_ERROR_MIN;
1512 }
1513
1514rc = tls_set_remaining_x509(state);
1515if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1516
1517return 0;
1518}
1519
1520
1521
1522#ifndef DISABLE_OCSP
1523
1524static int
1525server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1526 gnutls_datum_t * ocsp_response)
1527{
1528int ret;
1529
1530if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1531 {
1532 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
1533 (char *)ptr);
1534 tls_in.ocsp = OCSP_NOT_RESP;
1535 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1536 }
1537
1538tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1539return 0;
1540}
1541
1542#endif
1543
1544
1545#ifdef EXPERIMENTAL_EVENT
1546/*
1547We use this callback to get observability and detail-level control
1548for an exim TLS connection (either direction), raising a tls:cert event
1549for each cert in the chain presented by the peer. Any event
1550can deny verification.
1551
1552Return 0 for the handshake to continue or non-zero to terminate.
1553*/
1554
1555static int
1556verify_cb(gnutls_session_t session)
1557{
1558const gnutls_datum * cert_list;
1559unsigned int cert_list_size = 0;
1560gnutls_x509_crt_t crt;
1561int rc;
1562uschar * yield;
1563exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
1564
1565cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1566if (cert_list)
1567 while (cert_list_size--)
1568 {
1569 rc = import_cert(&cert_list[cert_list_size], &crt);
1570 if (rc != GNUTLS_E_SUCCESS)
1571 {
1572 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
1573 cert_list_size, gnutls_strerror(rc));
1574 break;
1575 }
1576
1577 state->tlsp->peercert = crt;
1578 if ((yield = event_raise(state->event_action,
1579 US"tls:cert", string_sprintf("%d", cert_list_size))))
1580 {
1581 log_write(0, LOG_MAIN,
1582 "SSL verify denied by event-action: depth=%d: %s",
1583 cert_list_size, yield);
1584 return 1; /* reject */
1585 }
1586 state->tlsp->peercert = NULL;
1587 }
1588
1589return 0;
1590}
1591
1592#endif
1593
1594
1595
1596/* ------------------------------------------------------------------------ */
1597/* Exported functions */
1598
1599
1600
1601
1602/*************************************************
1603* Start a TLS session in a server *
1604*************************************************/
1605
1606/* This is called when Exim is running as a server, after having received
1607the STARTTLS command. It must respond to that command, and then negotiate
1608a TLS session.
1609
1610Arguments:
1611 require_ciphers list of allowed ciphers or NULL
1612
1613Returns: OK on success
1614 DEFER for errors before the start of the negotiation
1615 FAIL for errors during the negotation; the server can't
1616 continue running.
1617*/
1618
1619int
1620tls_server_start(const uschar *require_ciphers)
1621{
1622int rc;
1623const char *error;
1624exim_gnutls_state_st *state = NULL;
1625
1626/* Check for previous activation */
1627if (tls_in.active >= 0)
1628 {
1629 tls_error(US"STARTTLS received after TLS started", "", NULL);
1630 smtp_printf("554 Already in TLS\r\n");
1631 return FAIL;
1632 }
1633
1634/* Initialize the library. If it fails, it will already have logged the error
1635and sent an SMTP response. */
1636
1637DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
1638
1639rc = tls_init(NULL, tls_certificate, tls_privatekey,
1640 NULL, tls_verify_certificates, tls_crl,
1641 require_ciphers, &state);
1642if (rc != OK) return rc;
1643
1644/* If this is a host for which certificate verification is mandatory or
1645optional, set up appropriately. */
1646
1647if (verify_check_host(&tls_verify_hosts) == OK)
1648 {
1649 DEBUG(D_tls)
1650 debug_printf("TLS: a client certificate will be required.\n");
1651 state->verify_requirement = VERIFY_REQUIRED;
1652 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1653 }
1654else if (verify_check_host(&tls_try_verify_hosts) == OK)
1655 {
1656 DEBUG(D_tls)
1657 debug_printf("TLS: a client certificate will be requested but not required.\n");
1658 state->verify_requirement = VERIFY_OPTIONAL;
1659 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1660 }
1661else
1662 {
1663 DEBUG(D_tls)
1664 debug_printf("TLS: a client certificate will not be requested.\n");
1665 state->verify_requirement = VERIFY_NONE;
1666 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1667 }
1668
1669#ifdef EXPERIMENTAL_EVENT
1670if (event_action)
1671 {
1672 state->event_action = event_action;
1673 gnutls_session_set_ptr(state->session, state);
1674 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
1675 }
1676#endif
1677
1678/* Register SNI handling; always, even if not in tls_certificate, so that the
1679expansion variable $tls_sni is always available. */
1680
1681gnutls_handshake_set_post_client_hello_function(state->session,
1682 exim_sni_handling_cb);
1683
1684/* Set context and tell client to go ahead, except in the case of TLS startup
1685on connection, where outputting anything now upsets the clients and tends to
1686make them disconnect. We need to have an explicit fflush() here, to force out
1687the response. Other smtp_printf() calls do not need it, because in non-TLS
1688mode, the fflush() happens when smtp_getc() is called. */
1689
1690if (!state->tlsp->on_connect)
1691 {
1692 smtp_printf("220 TLS go ahead\r\n");
1693 fflush(smtp_out);
1694 }
1695
1696/* Now negotiate the TLS session. We put our own timer on it, since it seems
1697that the GnuTLS library doesn't. */
1698
1699gnutls_transport_set_ptr2(state->session,
1700 (gnutls_transport_ptr)(long) fileno(smtp_in),
1701 (gnutls_transport_ptr)(long) fileno(smtp_out));
1702state->fd_in = fileno(smtp_in);
1703state->fd_out = fileno(smtp_out);
1704
1705sigalrm_seen = FALSE;
1706if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1707do
1708 {
1709 rc = gnutls_handshake(state->session);
1710 } while ((rc == GNUTLS_E_AGAIN) ||
1711 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1712alarm(0);
1713
1714if (rc != GNUTLS_E_SUCCESS)
1715 {
1716 tls_error(US"gnutls_handshake",
1717 sigalrm_seen ? "timed out" : gnutls_strerror(rc), NULL);
1718 /* It seems that, except in the case of a timeout, we have to close the
1719 connection right here; otherwise if the other end is running OpenSSL it hangs
1720 until the server times out. */
1721
1722 if (!sigalrm_seen)
1723 {
1724 (void)fclose(smtp_out);
1725 (void)fclose(smtp_in);
1726 }
1727
1728 return FAIL;
1729 }
1730
1731DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1732
1733/* Verify after the fact */
1734
1735if ( state->verify_requirement != VERIFY_NONE
1736 && !verify_certificate(state, &error))
1737 {
1738 if (state->verify_requirement != VERIFY_OPTIONAL)
1739 {
1740 tls_error(US"certificate verification failed", error, NULL);
1741 return FAIL;
1742 }
1743 DEBUG(D_tls)
1744 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
1745 error);
1746 }
1747
1748/* Figure out peer DN, and if authenticated, etc. */
1749
1750rc = peer_status(state);
1751if (rc != OK) return rc;
1752
1753/* Sets various Exim expansion variables; always safe within server */
1754
1755extract_exim_vars_from_tls_state(state);
1756
1757/* TLS has been set up. Adjust the input functions to read via TLS,
1758and initialize appropriately. */
1759
1760state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1761
1762receive_getc = tls_getc;
1763receive_ungetc = tls_ungetc;
1764receive_feof = tls_feof;
1765receive_ferror = tls_ferror;
1766receive_smtp_buffered = tls_smtp_buffered;
1767
1768return OK;
1769}
1770
1771
1772
1773
1774#ifdef EXPERIMENTAL_CERTNAMES
1775static void
1776tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
1777 smtp_transport_options_block * ob)
1778{
1779if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
1780 {
1781 state->exp_tls_verify_cert_hostnames = host->name;
1782 DEBUG(D_tls)
1783 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
1784 state->exp_tls_verify_cert_hostnames);
1785 }
1786}
1787#endif
1788
1789
1790/*************************************************
1791* Start a TLS session in a client *
1792*************************************************/
1793
1794/* Called from the smtp transport after STARTTLS has been accepted.
1795
1796Arguments:
1797 fd the fd of the connection
1798 host connected host (for messages)
1799 addr the first address (not used)
1800 tb transport (always smtp)
1801
1802Returns: OK/DEFER/FAIL (because using common functions),
1803 but for a client, DEFER and FAIL have the same meaning
1804*/
1805
1806int
1807tls_client_start(int fd, host_item *host,
1808 address_item *addr ARG_UNUSED,
1809 transport_instance *tb
1810#ifdef EXPERIMENTAL_DANE
1811 , dne_answer * unused_tlsa_dnsa
1812#endif
1813 )
1814{
1815smtp_transport_options_block *ob =
1816 (smtp_transport_options_block *)tb->options_block;
1817int rc;
1818const char *error;
1819exim_gnutls_state_st *state = NULL;
1820#ifndef DISABLE_OCSP
1821BOOL require_ocsp =
1822 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
1823BOOL request_ocsp = require_ocsp ? TRUE
1824 : verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
1825#endif
1826
1827DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
1828
1829if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
1830 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
1831 ob->tls_require_ciphers, &state)) != OK)
1832 return rc;
1833
1834 {
1835 int dh_min_bits = ob->tls_dh_min_bits;
1836 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
1837 {
1838 DEBUG(D_tls)
1839 debug_printf("WARNING: tls_dh_min_bits far too low,"
1840 " clamping %d up to %d\n",
1841 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
1842 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
1843 }
1844
1845 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
1846 " acceptable bits to %d\n",
1847 dh_min_bits);
1848 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
1849 }
1850
1851/* Stick to the old behaviour for compatibility if tls_verify_certificates is
1852set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
1853the specified host patterns if one of them is defined */
1854
1855if ( ( state->exp_tls_verify_certificates
1856 && !ob->tls_verify_hosts
1857 && !ob->tls_try_verify_hosts
1858 )
1859 || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
1860 )
1861 {
1862#ifdef EXPERIMENTAL_CERTNAMES
1863 tls_client_setup_hostname_checks(host, state, ob);
1864#endif
1865 DEBUG(D_tls)
1866 debug_printf("TLS: server certificate verification required.\n");
1867 state->verify_requirement = VERIFY_REQUIRED;
1868 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1869 }
1870else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
1871 {
1872#ifdef EXPERIMENTAL_CERTNAMES
1873 tls_client_setup_hostname_checks(host, state, ob);
1874#endif
1875 DEBUG(D_tls)
1876 debug_printf("TLS: server certificate verification optional.\n");
1877 state->verify_requirement = VERIFY_OPTIONAL;
1878 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1879 }
1880else
1881 {
1882 DEBUG(D_tls)
1883 debug_printf("TLS: server certificate verification not required.\n");
1884 state->verify_requirement = VERIFY_NONE;
1885 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1886 }
1887
1888#ifndef DISABLE_OCSP
1889 /* supported since GnuTLS 3.1.3 */
1890if (request_ocsp)
1891 {
1892 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
1893 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
1894 NULL, 0, NULL)) != OK)
1895 return tls_error(US"cert-status-req",
1896 gnutls_strerror(rc), state->host);
1897 tls_out.ocsp = OCSP_NOT_RESP;
1898 }
1899#endif
1900
1901#ifdef EXPERIMENTAL_EVENT
1902if (tb->event_action)
1903 {
1904 state->event_action = tb->event_action;
1905 gnutls_session_set_ptr(state->session, state);
1906 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
1907 }
1908#endif
1909
1910gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)(long) fd);
1911state->fd_in = fd;
1912state->fd_out = fd;
1913
1914DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
1915/* There doesn't seem to be a built-in timeout on connection. */
1916
1917sigalrm_seen = FALSE;
1918alarm(ob->command_timeout);
1919do
1920 {
1921 rc = gnutls_handshake(state->session);
1922 } while ((rc == GNUTLS_E_AGAIN) ||
1923 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1924alarm(0);
1925
1926if (rc != GNUTLS_E_SUCCESS)
1927 return tls_error(US"gnutls_handshake",
1928 sigalrm_seen ? "timed out" : gnutls_strerror(rc), state->host);
1929
1930DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1931
1932/* Verify late */
1933
1934if (state->verify_requirement != VERIFY_NONE &&
1935 !verify_certificate(state, &error))
1936 return tls_error(US"certificate verification failed", error, state->host);
1937
1938#ifndef DISABLE_OCSP
1939if (require_ocsp)
1940 {
1941 DEBUG(D_tls)
1942 {
1943 gnutls_datum_t stapling;
1944 gnutls_ocsp_resp_t resp;
1945 gnutls_datum_t printed;
1946 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
1947 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
1948 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
1949 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
1950 )
1951 {
1952 debug_printf("%.4096s", printed.data);
1953 gnutls_free(printed.data);
1954 }
1955 else
1956 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host);
1957 }
1958
1959 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
1960 {
1961 tls_out.ocsp = OCSP_FAILED;
1962 return tls_error(US"certificate status check failed", NULL, state->host);
1963 }
1964 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
1965 tls_out.ocsp = OCSP_VFIED;
1966 }
1967#endif
1968
1969/* Figure out peer DN, and if authenticated, etc. */
1970
1971if ((rc = peer_status(state)) != OK)
1972 return rc;
1973
1974/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
1975
1976extract_exim_vars_from_tls_state(state);
1977
1978return OK;
1979}
1980
1981
1982
1983
1984/*************************************************
1985* Close down a TLS session *
1986*************************************************/
1987
1988/* This is also called from within a delivery subprocess forked from the
1989daemon, to shut down the TLS library, without actually doing a shutdown (which
1990would tamper with the TLS session in the parent process).
1991
1992Arguments: TRUE if gnutls_bye is to be called
1993Returns: nothing
1994*/
1995
1996void
1997tls_close(BOOL is_server, BOOL shutdown)
1998{
1999exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
2000
2001if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
2002
2003if (shutdown)
2004 {
2005 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
2006 gnutls_bye(state->session, GNUTLS_SHUT_WR);
2007 }
2008
2009gnutls_deinit(state->session);
2010
2011state->tlsp->active = -1;
2012memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
2013
2014if ((state_server.session == NULL) && (state_client.session == NULL))
2015 {
2016 gnutls_global_deinit();
2017 exim_gnutls_base_init_done = FALSE;
2018 }
2019
2020}
2021
2022
2023
2024
2025/*************************************************
2026* TLS version of getc *
2027*************************************************/
2028
2029/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2030it refills the buffer via the GnuTLS reading function.
2031Only used by the server-side TLS.
2032
2033This feeds DKIM and should be used for all message-body reads.
2034
2035Arguments: none
2036Returns: the next character or EOF
2037*/
2038
2039int
2040tls_getc(void)
2041{
2042exim_gnutls_state_st *state = &state_server;
2043if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2044 {
2045 ssize_t inbytes;
2046
2047 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2048 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
2049
2050 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2051 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
2052 ssl_xfer_buffer_size);
2053 alarm(0);
2054
2055 /* A zero-byte return appears to mean that the TLS session has been
2056 closed down, not that the socket itself has been closed down. Revert to
2057 non-TLS handling. */
2058
2059 if (inbytes == 0)
2060 {
2061 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2062
2063 receive_getc = smtp_getc;
2064 receive_ungetc = smtp_ungetc;
2065 receive_feof = smtp_feof;
2066 receive_ferror = smtp_ferror;
2067 receive_smtp_buffered = smtp_buffered;
2068
2069 gnutls_deinit(state->session);
2070 state->session = NULL;
2071 state->tlsp->active = -1;
2072 state->tlsp->bits = 0;
2073 state->tlsp->certificate_verified = FALSE;
2074 tls_channelbinding_b64 = NULL;
2075 state->tlsp->cipher = NULL;
2076 state->tlsp->peercert = NULL;
2077 state->tlsp->peerdn = NULL;
2078
2079 return smtp_getc();
2080 }
2081
2082 /* Handle genuine errors */
2083
2084 else if (inbytes < 0)
2085 {
2086 record_io_error(state, (int) inbytes, US"recv", NULL);
2087 state->xfer_error = 1;
2088 return EOF;
2089 }
2090#ifndef DISABLE_DKIM
2091 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
2092#endif
2093 state->xfer_buffer_hwm = (int) inbytes;
2094 state->xfer_buffer_lwm = 0;
2095 }
2096
2097/* Something in the buffer; return next uschar */
2098
2099return state->xfer_buffer[state->xfer_buffer_lwm++];
2100}
2101
2102
2103
2104
2105/*************************************************
2106* Read bytes from TLS channel *
2107*************************************************/
2108
2109/* This does not feed DKIM, so if the caller uses this for reading message body,
2110then the caller must feed DKIM.
2111
2112Arguments:
2113 buff buffer of data
2114 len size of buffer
2115
2116Returns: the number of bytes read
2117 -1 after a failed read
2118*/
2119
2120int
2121tls_read(BOOL is_server, uschar *buff, size_t len)
2122{
2123exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
2124ssize_t inbytes;
2125
2126if (len > INT_MAX)
2127 len = INT_MAX;
2128
2129if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
2130 DEBUG(D_tls)
2131 debug_printf("*** PROBABLY A BUG *** " \
2132 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
2133 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
2134
2135DEBUG(D_tls)
2136 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
2137 state->session, buff, len);
2138
2139inbytes = gnutls_record_recv(state->session, buff, len);
2140if (inbytes > 0) return inbytes;
2141if (inbytes == 0)
2142 {
2143 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2144 }
2145else record_io_error(state, (int)inbytes, US"recv", NULL);
2146
2147return -1;
2148}
2149
2150
2151
2152
2153/*************************************************
2154* Write bytes down TLS channel *
2155*************************************************/
2156
2157/*
2158Arguments:
2159 is_server channel specifier
2160 buff buffer of data
2161 len number of bytes
2162
2163Returns: the number of bytes after a successful write,
2164 -1 after a failed write
2165*/
2166
2167int
2168tls_write(BOOL is_server, const uschar *buff, size_t len)
2169{
2170ssize_t outbytes;
2171size_t left = len;
2172exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
2173
2174DEBUG(D_tls) debug_printf("tls_do_write(%p, " SIZE_T_FMT ")\n", buff, left);
2175while (left > 0)
2176 {
2177 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
2178 buff, left);
2179 outbytes = gnutls_record_send(state->session, buff, left);
2180
2181 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
2182 if (outbytes < 0)
2183 {
2184 record_io_error(state, outbytes, US"send", NULL);
2185 return -1;
2186 }
2187 if (outbytes == 0)
2188 {
2189 record_io_error(state, 0, US"send", US"TLS channel closed on write");
2190 return -1;
2191 }
2192
2193 left -= outbytes;
2194 buff += outbytes;
2195 }
2196
2197if (len > INT_MAX)
2198 {
2199 DEBUG(D_tls)
2200 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
2201 len);
2202 len = INT_MAX;
2203 }
2204
2205return (int) len;
2206}
2207
2208
2209
2210
2211/*************************************************
2212* Random number generation *
2213*************************************************/
2214
2215/* Pseudo-random number generation. The result is not expected to be
2216cryptographically strong but not so weak that someone will shoot themselves
2217in the foot using it as a nonce in input in some email header scheme or
2218whatever weirdness they'll twist this into. The result should handle fork()
2219and avoid repeating sequences. OpenSSL handles that for us.
2220
2221Arguments:
2222 max range maximum
2223Returns a random number in range [0, max-1]
2224*/
2225
2226#ifdef HAVE_GNUTLS_RND
2227int
2228vaguely_random_number(int max)
2229{
2230unsigned int r;
2231int i, needed_len;
2232uschar *p;
2233uschar smallbuf[sizeof(r)];
2234
2235if (max <= 1)
2236 return 0;
2237
2238needed_len = sizeof(r);
2239/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2240 * asked for a number less than 10. */
2241for (r = max, i = 0; r; ++i)
2242 r >>= 1;
2243i = (i + 7) / 8;
2244if (i < needed_len)
2245 needed_len = i;
2246
2247i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2248if (i < 0)
2249 {
2250 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2251 return vaguely_random_number_fallback(max);
2252 }
2253r = 0;
2254for (p = smallbuf; needed_len; --needed_len, ++p)
2255 {
2256 r *= 256;
2257 r += *p;
2258 }
2259
2260/* We don't particularly care about weighted results; if someone wants
2261 * smooth distribution and cares enough then they should submit a patch then. */
2262return r % max;
2263}
2264#else /* HAVE_GNUTLS_RND */
2265int
2266vaguely_random_number(int max)
2267{
2268 return vaguely_random_number_fallback(max);
2269}
2270#endif /* HAVE_GNUTLS_RND */
2271
2272
2273
2274
2275/*************************************************
2276* Let tls_require_ciphers be checked at startup *
2277*************************************************/
2278
2279/* The tls_require_ciphers option, if set, must be something which the
2280library can parse.
2281
2282Returns: NULL on success, or error message
2283*/
2284
2285uschar *
2286tls_validate_require_cipher(void)
2287{
2288int rc;
2289uschar *expciphers = NULL;
2290gnutls_priority_t priority_cache;
2291const char *errpos;
2292
2293#define validate_check_rc(Label) do { \
2294 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2295 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2296#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2297
2298if (exim_gnutls_base_init_done)
2299 log_write(0, LOG_MAIN|LOG_PANIC,
2300 "already initialised GnuTLS, Exim developer bug");
2301
2302#ifdef HAVE_GNUTLS_PKCS11
2303if (!gnutls_allow_auto_pkcs11)
2304 {
2305 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2306 validate_check_rc(US"gnutls_pkcs11_init");
2307 }
2308#endif
2309rc = gnutls_global_init();
2310validate_check_rc(US"gnutls_global_init()");
2311exim_gnutls_base_init_done = TRUE;
2312
2313if (!(tls_require_ciphers && *tls_require_ciphers))
2314 return_deinit(NULL);
2315
2316if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2317 return_deinit(US"failed to expand tls_require_ciphers");
2318
2319if (!(expciphers && *expciphers))
2320 return_deinit(NULL);
2321
2322DEBUG(D_tls)
2323 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2324
2325rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2326validate_check_rc(string_sprintf(
2327 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2328 expciphers, errpos - CS expciphers, errpos));
2329
2330#undef return_deinit
2331#undef validate_check_rc
2332gnutls_global_deinit();
2333
2334return NULL;
2335}
2336
2337
2338
2339
2340/*************************************************
2341* Report the library versions. *
2342*************************************************/
2343
2344/* See a description in tls-openssl.c for an explanation of why this exists.
2345
2346Arguments: a FILE* to print the results to
2347Returns: nothing
2348*/
2349
2350void
2351tls_version_report(FILE *f)
2352{
2353fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2354 " Runtime: %s\n",
2355 LIBGNUTLS_VERSION,
2356 gnutls_check_version(NULL));
2357}
2358
2359/* vi: aw ai sw=2
2360*/
2361/* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.