tidying: CCSS macro
[exim.git] / src / src / tls-gnu.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Copyright (c) Phil Pennock 2012 */
9
10 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
11 one of the available supported implementations. This file is #included into
12 tls.c when USE_GNUTLS has been set.
13
14 The code herein is a revamp of GnuTLS integration using the current APIs; the
15 original tls-gnu.c was based on a patch which was contributed by Nikos
16 Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17 appropriate.
18
19 APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20 which is not widely deployed by OS vendors. Will note issues below, which may
21 assist in updating the code in the future. Another sources of hints is
22 mod_gnutls for Apache (SNI callback registration and handling).
23
24 Keeping client and server variables more split than before and is currently
25 the norm, in anticipation of TLS in ACL callouts.
26
27 I wanted to switch to gnutls_certificate_set_verify_function() so that
28 certificate rejection could happen during handshake where it belongs, rather
29 than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30 (6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
31
32 (I wasn't looking for libraries quite that old, when updating to get rid of
33 compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34 require current GnuTLS, then we'll drop support for the ancient libraries).
35 */
36
37 #include <gnutls/gnutls.h>
38 /* needed for cert checks in verification and DN extraction: */
39 #include <gnutls/x509.h>
40 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41 #include <gnutls/crypto.h>
42
43 /* needed to disable PKCS11 autoload unless requested */
44 #if GNUTLS_VERSION_NUMBER >= 0x020c00
45 # include <gnutls/pkcs11.h>
46 # define SUPPORT_PARAM_TO_PK_BITS
47 #endif
48 #if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
49 # warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
50 # define DISABLE_OCSP
51 #endif
52 #if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
53 # warning "GnuTLS library version too old; tls:cert event unsupported"
54 # define DISABLE_EVENT
55 #endif
56 #if GNUTLS_VERSION_NUMBER >= 0x030306
57 # define SUPPORT_CA_DIR
58 #else
59 # undef SUPPORT_CA_DIR
60 #endif
61 #if GNUTLS_VERSION_NUMBER >= 0x030014
62 # define SUPPORT_SYSDEFAULT_CABUNDLE
63 #endif
64 #if GNUTLS_VERSION_NUMBER >= 0x030104
65 # define GNUTLS_CERT_VFY_STATUS_PRINT
66 #endif
67 #if GNUTLS_VERSION_NUMBER >= 0x030109
68 # define SUPPORT_CORK
69 #endif
70 #if GNUTLS_VERSION_NUMBER >= 0x03010a
71 # define SUPPORT_GNUTLS_SESS_DESC
72 #endif
73 #if GNUTLS_VERSION_NUMBER >= 0x030300
74 # define GNUTLS_AUTO_GLOBAL_INIT
75 # define GNUTLS_AUTO_PKCS11_MANUAL
76 #endif
77 #if (GNUTLS_VERSION_NUMBER >= 0x030404) \
78 || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
79 # ifndef DISABLE_OCSP
80 # define EXIM_HAVE_OCSP
81 # endif
82 #endif
83 #if GNUTLS_VERSION_NUMBER >= 0x030500
84 # define SUPPORT_GNUTLS_KEYLOG
85 #endif
86 #if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
87 # define SUPPORT_SRV_OCSP_STACK
88 #endif
89 #if GNUTLS_VERSION_NUMBER >= 0x030600
90 # define GNUTLS_AUTO_DHPARAMS
91 #endif
92 #if GNUTLS_VERSION_NUMBER >= 0x030603
93 # define EXIM_HAVE_TLS1_3
94 # define SUPPORT_GNUTLS_EXT_RAW_PARSE
95 # define GNUTLS_OCSP_STATUS_REQUEST_GET2
96 #endif
97
98 #ifdef SUPPORT_DANE
99 # if GNUTLS_VERSION_NUMBER >= 0x030000
100 # define DANESSL_USAGE_DANE_TA 2
101 # define DANESSL_USAGE_DANE_EE 3
102 # else
103 # error GnuTLS version too early for DANE
104 # endif
105 # if GNUTLS_VERSION_NUMBER < 0x999999
106 # define GNUTLS_BROKEN_DANE_VALIDATION
107 # endif
108 #endif
109
110 #ifdef EXPERIMENTAL_TLS_RESUME
111 # if GNUTLS_VERSION_NUMBER < 0x030603
112 # error GNUTLS version too early for session-resumption
113 # endif
114 #endif
115
116 #ifndef DISABLE_OCSP
117 # include <gnutls/ocsp.h>
118 #endif
119 #ifdef SUPPORT_DANE
120 # include <gnutls/dane.h>
121 #endif
122
123 #include "tls-cipher-stdname.c"
124
125
126 #ifdef MACRO_PREDEF
127 void
128 options_tls(void)
129 {
130 # ifdef EXPERIMENTAL_TLS_RESUME
131 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
132 # endif
133 # ifdef EXIM_HAVE_TLS1_3
134 builtin_macro_create(US"_HAVE_TLS1_3");
135 # endif
136 # ifdef EXIM_HAVE_OCSP
137 builtin_macro_create(US"_HAVE_TLS_OCSP");
138 # endif
139 # ifdef SUPPORT_SRV_OCSP_STACK
140 builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
141 # endif
142 }
143 #else
144
145
146 /* GnuTLS 2 vs 3
147
148 GnuTLS 3 only:
149 gnutls_global_set_audit_log_function()
150
151 Changes:
152 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
153 */
154
155 /* Local static variables for GnuTLS */
156
157 /* Values for verify_requirement */
158
159 enum peer_verify_requirement
160 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
161
162 /* This holds most state for server or client; with this, we can set up an
163 outbound TLS-enabled connection in an ACL callout, while not stomping all
164 over the TLS variables available for expansion.
165
166 Some of these correspond to variables in globals.c; those variables will
167 be set to point to content in one of these instances, as appropriate for
168 the stage of the process lifetime.
169
170 Not handled here: global tlsp->tls_channelbinding.
171 */
172
173 typedef struct exim_gnutls_state {
174 gnutls_session_t session;
175 gnutls_certificate_credentials_t x509_cred;
176 gnutls_priority_t priority_cache;
177 enum peer_verify_requirement verify_requirement;
178 int fd_in;
179 int fd_out;
180 BOOL peer_cert_verified;
181 BOOL peer_dane_verified;
182 BOOL trigger_sni_changes;
183 BOOL have_set_peerdn;
184 const struct host_item *host; /* NULL if server */
185 gnutls_x509_crt_t peercert;
186 uschar *peerdn;
187 uschar *ciphersuite;
188 uschar *received_sni;
189
190 const uschar *tls_certificate;
191 const uschar *tls_privatekey;
192 const uschar *tls_sni; /* client send only, not received */
193 const uschar *tls_verify_certificates;
194 const uschar *tls_crl;
195 const uschar *tls_require_ciphers;
196
197 uschar *exp_tls_certificate;
198 uschar *exp_tls_privatekey;
199 uschar *exp_tls_verify_certificates;
200 uschar *exp_tls_crl;
201 uschar *exp_tls_require_ciphers;
202 const uschar *exp_tls_verify_cert_hostnames;
203 #ifndef DISABLE_EVENT
204 uschar *event_action;
205 #endif
206 #ifdef SUPPORT_DANE
207 char * const * dane_data;
208 const int * dane_data_len;
209 #endif
210
211 tls_support *tlsp; /* set in tls_init() */
212
213 uschar *xfer_buffer;
214 int xfer_buffer_lwm;
215 int xfer_buffer_hwm;
216 BOOL xfer_eof; /*XXX never gets set! */
217 BOOL xfer_error;
218 } exim_gnutls_state_st;
219
220 static const exim_gnutls_state_st exim_gnutls_state_init = {
221 /* all elements not explicitly intialised here get 0/NULL/FALSE */
222 .fd_in = -1,
223 .fd_out = -1,
224 };
225
226 /* Not only do we have our own APIs which don't pass around state, assuming
227 it's held in globals, GnuTLS doesn't appear to let us register callback data
228 for callbacks, or as part of the session, so we have to keep a "this is the
229 context we're currently dealing with" pointer and rely upon being
230 single-threaded to keep from processing data on an inbound TLS connection while
231 talking to another TLS connection for an outbound check. This does mean that
232 there's no way for heart-beats to be responded to, for the duration of the
233 second connection.
234 XXX But see gnutls_session_get_ptr()
235 */
236
237 static exim_gnutls_state_st state_server;
238
239 #ifndef GNUTLS_AUTO_DHPARAMS
240 /* dh_params are initialised once within the lifetime of a process using TLS;
241 if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
242 don't want to repeat this. */
243
244 static gnutls_dh_params_t dh_server_params = NULL;
245 #endif
246
247 static int ssl_session_timeout = 7200; /* Two hours */
248
249 static const uschar * const exim_default_gnutls_priority = US"NORMAL";
250
251 /* Guard library core initialisation */
252
253 static BOOL exim_gnutls_base_init_done = FALSE;
254
255 #ifndef DISABLE_OCSP
256 static BOOL gnutls_buggy_ocsp = FALSE;
257 static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
258 #endif
259
260 #ifdef EXPERIMENTAL_TLS_RESUME
261 static gnutls_datum_t server_sessticket_key;
262 #endif
263
264 /* ------------------------------------------------------------------------ */
265 /* macros */
266
267 #define MAX_HOST_LEN 255
268
269 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
270 the library logging; a value less than 0 disables the calls to set up logging
271 callbacks. GNuTLS also looks for an environment variable - except not for
272 setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
273 Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
274 but the env var must be added to /etc/sudoers too. */
275 #ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
276 # define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
277 #endif
278
279 #ifndef EXIM_CLIENT_DH_MIN_BITS
280 # define EXIM_CLIENT_DH_MIN_BITS 1024
281 #endif
282
283 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
284 can ask for a bit-strength. Without that, we stick to the constant we had
285 before, for now. */
286 #ifndef EXIM_SERVER_DH_BITS_PRE2_12
287 # define EXIM_SERVER_DH_BITS_PRE2_12 1024
288 #endif
289
290 #define expand_check_tlsvar(Varname, errstr) \
291 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
292
293 #if GNUTLS_VERSION_NUMBER >= 0x020c00
294 # define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
295 # define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
296 # define HAVE_GNUTLS_RND
297 /* The security fix we provide with the gnutls_allow_auto_pkcs11 option
298 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
299 * isn't available sometimes, so this needs to become a conditional
300 * compilation; the sanest way to deal with this being a problem on
301 * older OSes is to block it in the Local/Makefile with this compiler
302 * definition */
303 # ifndef AVOID_GNUTLS_PKCS11
304 # define HAVE_GNUTLS_PKCS11
305 # endif /* AVOID_GNUTLS_PKCS11 */
306 #endif
307
308
309
310
311 /* ------------------------------------------------------------------------ */
312 /* Callback declarations */
313
314 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
315 static void exim_gnutls_logger_cb(int level, const char *message);
316 #endif
317
318 static int exim_sni_handling_cb(gnutls_session_t session);
319
320 #ifdef EXPERIMENTAL_TLS_RESUME
321 static int
322 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
323 unsigned incoming, const gnutls_datum_t * msg);
324 #endif
325
326
327 /* Daemon one-time initialisation */
328 void
329 tls_daemon_init(void)
330 {
331 #ifdef EXPERIMENTAL_TLS_RESUME
332 /* We are dependent on the GnuTLS implementation of the Session Ticket
333 encryption; both the strength and the key rotation period. We hope that
334 the strength at least matches that of the ciphersuite (but GnuTLS does not
335 document this). */
336
337 static BOOL once = FALSE;
338 if (once) return;
339 once = TRUE;
340 gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
341 if (f.running_in_test_harness) ssl_session_timeout = 6;
342 #endif
343 }
344
345 /* ------------------------------------------------------------------------ */
346 /* Static functions */
347
348 /*************************************************
349 * Handle TLS error *
350 *************************************************/
351
352 /* Called from lots of places when errors occur before actually starting to do
353 the TLS handshake, that is, while the session is still in clear. Always returns
354 DEFER for a server and FAIL for a client so that most calls can use "return
355 tls_error(...)" to do this processing and then give an appropriate return. A
356 single function is used for both server and client, because it is called from
357 some shared functions.
358
359 Argument:
360 prefix text to include in the logged error
361 msg additional error string (may be NULL)
362 usually obtained from gnutls_strerror()
363 host NULL if setting up a server;
364 the connected host if setting up a client
365 errstr pointer to returned error string
366
367 Returns: OK/DEFER/FAIL
368 */
369
370 static int
371 tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
372 uschar ** errstr)
373 {
374 if (errstr)
375 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
376 return host ? FAIL : DEFER;
377 }
378
379
380 static int
381 tls_error_gnu(const uschar *prefix, int err, const host_item *host,
382 uschar ** errstr)
383 {
384 return tls_error(prefix, US gnutls_strerror(err), host, errstr);
385 }
386
387 static int
388 tls_error_sys(const uschar *prefix, int err, const host_item *host,
389 uschar ** errstr)
390 {
391 return tls_error(prefix, US strerror(err), host, errstr);
392 }
393
394
395 /*************************************************
396 * Deal with logging errors during I/O *
397 *************************************************/
398
399 /* We have to get the identity of the peer from saved data.
400
401 Argument:
402 state the current GnuTLS exim state container
403 rc the GnuTLS error code, or 0 if it's a local error
404 when text identifying read or write
405 text local error text when rc is 0
406
407 Returns: nothing
408 */
409
410 static void
411 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
412 {
413 const uschar * msg;
414 uschar * errstr;
415
416 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
417 msg = string_sprintf("A TLS fatal alert has been received: %s",
418 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
419 else
420 msg = US gnutls_strerror(rc);
421
422 (void) tls_error(when, msg, state->host, &errstr);
423
424 if (state->host)
425 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
426 state->host->name, state->host->address, errstr);
427 else
428 {
429 uschar * conn_info = smtp_get_connection_info();
430 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
431 /* I'd like to get separated H= here, but too hard for now */
432 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
433 }
434 }
435
436
437
438
439 /*************************************************
440 * Set various Exim expansion vars *
441 *************************************************/
442
443 #define exim_gnutls_cert_err(Label) \
444 do \
445 { \
446 if (rc != GNUTLS_E_SUCCESS) \
447 { \
448 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
449 (Label), gnutls_strerror(rc)); \
450 return rc; \
451 } \
452 } while (0)
453
454 static int
455 import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
456 {
457 int rc;
458
459 rc = gnutls_x509_crt_init(crtp);
460 exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
461
462 rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
463 exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
464
465 return rc;
466 }
467
468 #undef exim_gnutls_cert_err
469
470
471 /* We set various Exim global variables from the state, once a session has
472 been established. With TLS callouts, may need to change this to stack
473 variables, or just re-call it with the server state after client callout
474 has finished.
475
476 Make sure anything set here is unset in tls_getc().
477
478 Sets:
479 tls_active fd
480 tls_bits strength indicator
481 tls_certificate_verified bool indicator
482 tls_channelbinding for some SASL mechanisms
483 tls_ver a string
484 tls_cipher a string
485 tls_peercert pointer to library internal
486 tls_peerdn a string
487 tls_sni a (UTF-8) string
488 tls_ourcert pointer to library internal
489
490 Argument:
491 state the relevant exim_gnutls_state_st *
492 */
493
494 static void
495 extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
496 {
497 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
498 int old_pool;
499 int rc;
500 gnutls_datum_t channel;
501 #endif
502 tls_support * tlsp = state->tlsp;
503
504 tlsp->active.sock = state->fd_out;
505 tlsp->active.tls_ctx = state;
506
507 DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
508
509 tlsp->certificate_verified = state->peer_cert_verified;
510 #ifdef SUPPORT_DANE
511 tlsp->dane_verified = state->peer_dane_verified;
512 #endif
513
514 /* note that tls_channelbinding is not saved to the spool file, since it's
515 only available for use for authenticators while this TLS session is running. */
516
517 tlsp->channelbinding = NULL;
518 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
519 channel.data = NULL;
520 channel.size = 0;
521 if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
522 { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
523 else
524 {
525 /* Declare the taintedness of the binding info. On server, untainted; on
526 client, tainted - being the Finish msg from the server. */
527
528 old_pool = store_pool;
529 store_pool = POOL_PERM;
530 tlsp->channelbinding = b64encode_taint(CUS channel.data, (int)channel.size,
531 !!state->host);
532 store_pool = old_pool;
533 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage\n");
534 }
535 #endif
536
537 /* peercert is set in peer_status() */
538 tlsp->peerdn = state->peerdn;
539 tlsp->sni = state->received_sni;
540
541 /* record our certificate */
542 {
543 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
544 gnutls_x509_crt_t crt;
545
546 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
547 }
548 }
549
550
551
552
553 #ifndef GNUTLS_AUTO_DHPARAMS
554 /*************************************************
555 * Setup up DH parameters *
556 *************************************************/
557
558 /* Generating the D-H parameters may take a long time. They only need to
559 be re-generated every so often, depending on security policy. What we do is to
560 keep these parameters in a file in the spool directory. If the file does not
561 exist, we generate them. This means that it is easy to cause a regeneration.
562
563 The new file is written as a temporary file and renamed, so that an incomplete
564 file is never present. If two processes both compute some new parameters, you
565 waste a bit of effort, but it doesn't seem worth messing around with locking to
566 prevent this.
567
568 Returns: OK/DEFER/FAIL
569 */
570
571 static int
572 init_server_dh(uschar ** errstr)
573 {
574 int fd, rc;
575 unsigned int dh_bits;
576 gnutls_datum_t m = {.data = NULL, .size = 0};
577 uschar filename_buf[PATH_MAX];
578 uschar *filename = NULL;
579 size_t sz;
580 uschar *exp_tls_dhparam;
581 BOOL use_file_in_spool = FALSE;
582 host_item *host = NULL; /* dummy for macros */
583
584 DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
585
586 if ((rc = gnutls_dh_params_init(&dh_server_params)))
587 return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
588
589 if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
590 return DEFER;
591
592 if (!exp_tls_dhparam)
593 {
594 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
595 m.data = US std_dh_prime_default();
596 m.size = Ustrlen(m.data);
597 }
598 else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
599 use_file_in_spool = TRUE;
600 else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
601 {
602 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
603 return OK;
604 }
605 else if (exp_tls_dhparam[0] != '/')
606 {
607 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
608 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
609 m.size = Ustrlen(m.data);
610 }
611 else
612 filename = exp_tls_dhparam;
613
614 if (m.data)
615 {
616 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
617 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
618 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
619 return OK;
620 }
621
622 #ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
623 /* If you change this constant, also change dh_param_fn_ext so that we can use a
624 different filename and ensure we have sufficient bits. */
625
626 if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
627 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
628 DEBUG(D_tls)
629 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
630 dh_bits);
631 #else
632 dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
633 DEBUG(D_tls)
634 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
635 dh_bits);
636 #endif
637
638 /* Some clients have hard-coded limits. */
639 if (dh_bits > tls_dh_max_bits)
640 {
641 DEBUG(D_tls)
642 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
643 tls_dh_max_bits);
644 dh_bits = tls_dh_max_bits;
645 }
646
647 if (use_file_in_spool)
648 {
649 if (!string_format(filename_buf, sizeof(filename_buf),
650 "%s/gnutls-params-%d", spool_directory, dh_bits))
651 return tls_error(US"overlong filename", NULL, NULL, errstr);
652 filename = filename_buf;
653 }
654
655 /* Open the cache file for reading and if successful, read it and set up the
656 parameters. */
657
658 if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
659 {
660 struct stat statbuf;
661 FILE *fp;
662 int saved_errno;
663
664 if (fstat(fd, &statbuf) < 0) /* EIO */
665 {
666 saved_errno = errno;
667 (void)close(fd);
668 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
669 }
670 if (!S_ISREG(statbuf.st_mode))
671 {
672 (void)close(fd);
673 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
674 }
675 if (!(fp = fdopen(fd, "rb")))
676 {
677 saved_errno = errno;
678 (void)close(fd);
679 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
680 saved_errno, NULL, errstr);
681 }
682
683 m.size = statbuf.st_size;
684 if (!(m.data = store_malloc(m.size)))
685 {
686 fclose(fp);
687 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
688 }
689 if (!(sz = fread(m.data, m.size, 1, fp)))
690 {
691 saved_errno = errno;
692 fclose(fp);
693 store_free(m.data);
694 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
695 }
696 fclose(fp);
697
698 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
699 store_free(m.data);
700 if (rc)
701 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
702 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
703 }
704
705 /* If the file does not exist, fall through to compute new data and cache it.
706 If there was any other opening error, it is serious. */
707
708 else if (errno == ENOENT)
709 {
710 rc = -1;
711 DEBUG(D_tls)
712 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
713 }
714 else
715 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
716 NULL, NULL, errstr);
717
718 /* If ret < 0, either the cache file does not exist, or the data it contains
719 is not useful. One particular case of this is when upgrading from an older
720 release of Exim in which the data was stored in a different format. We don't
721 try to be clever and support both formats; we just regenerate new data in this
722 case. */
723
724 if (rc < 0)
725 {
726 uschar *temp_fn;
727 unsigned int dh_bits_gen = dh_bits;
728
729 if ((PATH_MAX - Ustrlen(filename)) < 10)
730 return tls_error(US"Filename too long to generate replacement",
731 filename, NULL, errstr);
732
733 temp_fn = string_copy(US"%s.XXXXXXX");
734 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
735 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
736 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
737
738 /* GnuTLS overshoots! If we ask for 2236, we might get 2237 or more. But
739 there's no way to ask GnuTLS how many bits there really are. We can ask
740 how many bits were used in a TLS session, but that's it! The prime itself
741 is hidden behind too much abstraction. So we ask for less, and proceed on
742 a wing and a prayer. First attempt, subtracted 3 for 2233 and got 2240. */
743
744 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
745 {
746 dh_bits_gen = dh_bits - 10;
747 DEBUG(D_tls)
748 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
749 dh_bits_gen);
750 }
751
752 DEBUG(D_tls)
753 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
754 dh_bits_gen);
755 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
756 return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
757
758 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
759 and I confirmed that a NULL call to get the size first is how the GnuTLS
760 sample apps handle this. */
761
762 sz = 0;
763 m.data = NULL;
764 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
765 GNUTLS_X509_FMT_PEM, m.data, &sz))
766 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
767 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
768 rc, host, errstr);
769 m.size = sz;
770 if (!(m.data = store_malloc(m.size)))
771 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
772
773 /* this will return a size 1 less than the allocation size above */
774 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
775 m.data, &sz)))
776 {
777 store_free(m.data);
778 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
779 }
780 m.size = sz; /* shrink by 1, probably */
781
782 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
783 {
784 store_free(m.data);
785 return tls_error_sys(US"TLS cache write D-H params failed",
786 errno, NULL, errstr);
787 }
788 store_free(m.data);
789 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
790 return tls_error_sys(US"TLS cache write D-H params final newline failed",
791 errno, NULL, errstr);
792
793 if ((rc = close(fd)))
794 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
795
796 if (Urename(temp_fn, filename) < 0)
797 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
798 temp_fn, filename), errno, NULL, errstr);
799
800 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
801 }
802
803 DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
804 return OK;
805 }
806 #endif
807
808
809
810
811 /* Create and install a selfsigned certificate, for use in server mode */
812
813 static int
814 tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
815 {
816 gnutls_x509_crt_t cert = NULL;
817 time_t now;
818 gnutls_x509_privkey_t pkey = NULL;
819 const uschar * where;
820 int rc;
821
822 where = US"initialising pkey";
823 if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
824
825 where = US"initialising cert";
826 if ((rc = gnutls_x509_crt_init(&cert))) goto err;
827
828 where = US"generating pkey";
829 if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
830 #ifdef SUPPORT_PARAM_TO_PK_BITS
831 # ifndef GNUTLS_SEC_PARAM_MEDIUM
832 # define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
833 # endif
834 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
835 #else
836 2048,
837 #endif
838 0)))
839 goto err;
840
841 where = US"configuring cert";
842 now = 1;
843 if ( (rc = gnutls_x509_crt_set_version(cert, 3))
844 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
845 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
846 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
847 || (rc = gnutls_x509_crt_set_key(cert, pkey))
848
849 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
850 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
851 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
852 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
853 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
854 GNUTLS_OID_X520_COMMON_NAME, 0,
855 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
856 )
857 goto err;
858
859 where = US"signing cert";
860 if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
861
862 where = US"installing selfsign cert";
863 /* Since: 2.4.0 */
864 if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
865 goto err;
866
867 rc = OK;
868
869 out:
870 if (cert) gnutls_x509_crt_deinit(cert);
871 if (pkey) gnutls_x509_privkey_deinit(pkey);
872 return rc;
873
874 err:
875 rc = tls_error_gnu(where, rc, NULL, errstr);
876 goto out;
877 }
878
879
880
881
882 /* Add certificate and key, from files.
883
884 Return:
885 Zero or negative: good. Negate value for certificate index if < 0.
886 Greater than zero: FAIL or DEFER code.
887 */
888
889 static int
890 tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
891 uschar * certfile, uschar * keyfile, uschar ** errstr)
892 {
893 int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
894 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
895 if (rc < 0)
896 return tls_error_gnu(
897 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
898 rc, host, errstr);
899 return -rc;
900 }
901
902
903 #if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
904 /* Load an OCSP proof from file for sending by the server. Called
905 on getting a status-request handshake message, for earlier versions
906 of GnuTLS. */
907
908 static int
909 server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
910 gnutls_datum_t * ocsp_response)
911 {
912 int ret;
913 DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
914
915 if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
916 {
917 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
918 CS ptr);
919 tls_in.ocsp = OCSP_NOT_RESP;
920 return GNUTLS_E_NO_CERTIFICATE_STATUS;
921 }
922
923 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
924 return 0;
925 }
926 #endif
927
928
929 #ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
930 /* Make a note that we saw a status-request */
931 static int
932 tls_server_clienthello_ext(void * ctx, unsigned tls_id,
933 const unsigned char *data, unsigned size)
934 {
935 /* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
936 if (tls_id == 5) /* status_request */
937 {
938 DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
939 tls_in.ocsp = OCSP_NOT_RESP;
940 }
941 return 0;
942 }
943
944 /* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
945 static int
946 tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
947 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
948 {
949 /* Call fn for each extension seen. 3.6.3 onwards */
950 return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
951 GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
952 }
953
954
955 /* Make a note that we saw a status-response */
956 static int
957 tls_server_servercerts_ext(void * ctx, unsigned tls_id,
958 const unsigned char *data, unsigned size)
959 {
960 /* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
961 /* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
962 if (FALSE && tls_id == 5) /* status_request */
963 {
964 DEBUG(D_tls) debug_printf("Seen status_request extension\n");
965 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
966 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
967 }
968 return 0;
969 }
970
971 /* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
972 static int
973 tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
974 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
975 {
976 /* Call fn for each extension seen. 3.6.3 onwards */
977 #ifdef notdef
978 /*XXX crashes */
979 return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
980 #endif
981 }
982 #endif
983
984 /*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
985 "Handshake Protocol: Certificate" record.
986 So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
987
988 This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term).
989 */
990
991 #if defined(EXPERIMENTAL_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
992 /* Callback for certificate-status, on server. We sent stapled OCSP. */
993 static int
994 tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
995 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
996 {
997 DEBUG(D_tls) debug_printf("Sending certificate-status\n"); /*XXX we get this for tls1.2 but not for 1.3 */
998 #ifdef SUPPORT_SRV_OCSP_STACK
999 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
1000 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
1001 #else
1002 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1003 #endif
1004 return 0;
1005 }
1006
1007 /* Callback for handshake messages, on server */
1008 static int
1009 tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
1010 unsigned incoming, const gnutls_datum_t * msg)
1011 {
1012 /* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
1013 switch (htype)
1014 {
1015 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1016 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1017 return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
1018 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1019 return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
1020 # endif
1021 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1022 return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
1023 # ifdef EXPERIMENTAL_TLS_RESUME
1024 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1025 return tls_server_ticket_cb(sess, htype, when, incoming, msg);
1026 # endif
1027 default:
1028 return 0;
1029 }
1030 }
1031 #endif
1032
1033
1034 #if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1035 static void
1036 tls_server_testharness_ocsp_fiddle(void)
1037 {
1038 extern char ** environ;
1039 if (environ) for (uschar ** p = USS environ; *p; p++)
1040 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1041 {
1042 DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
1043 exim_testharness_disable_ocsp_validity_check = TRUE;
1044 }
1045 }
1046 #endif
1047
1048 /*************************************************
1049 * Variables re-expanded post-SNI *
1050 *************************************************/
1051
1052 /* Called from both server and client code, via tls_init(), and also from
1053 the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
1054
1055 We can tell the two apart by state->received_sni being non-NULL in callback.
1056
1057 The callback should not call us unless state->trigger_sni_changes is true,
1058 which we are responsible for setting on the first pass through.
1059
1060 Arguments:
1061 state exim_gnutls_state_st *
1062 errstr error string pointer
1063
1064 Returns: OK/DEFER/FAIL
1065 */
1066
1067 static int
1068 tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
1069 {
1070 struct stat statbuf;
1071 int rc;
1072 const host_item *host = state->host; /* macro should be reconsidered? */
1073 uschar *saved_tls_certificate = NULL;
1074 uschar *saved_tls_privatekey = NULL;
1075 uschar *saved_tls_verify_certificates = NULL;
1076 uschar *saved_tls_crl = NULL;
1077 int cert_count;
1078
1079 /* We check for tls_sni *before* expansion. */
1080 if (!host) /* server */
1081 if (!state->received_sni)
1082 {
1083 if ( state->tls_certificate
1084 && ( Ustrstr(state->tls_certificate, US"tls_sni")
1085 || Ustrstr(state->tls_certificate, US"tls_in_sni")
1086 || Ustrstr(state->tls_certificate, US"tls_out_sni")
1087 ) )
1088 {
1089 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
1090 state->trigger_sni_changes = TRUE;
1091 }
1092 }
1093 else
1094 {
1095 /* useful for debugging */
1096 saved_tls_certificate = state->exp_tls_certificate;
1097 saved_tls_privatekey = state->exp_tls_privatekey;
1098 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
1099 saved_tls_crl = state->exp_tls_crl;
1100 }
1101
1102 if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
1103 return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
1104 rc, host, errstr);
1105
1106 #ifdef SUPPORT_SRV_OCSP_STACK
1107 gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
1108
1109 # if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1110 if (!host && tls_ocsp_file)
1111 {
1112 if (f.running_in_test_harness)
1113 tls_server_testharness_ocsp_fiddle();
1114
1115 if (exim_testharness_disable_ocsp_validity_check)
1116 gnutls_certificate_set_flags(state->x509_cred,
1117 GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
1118 }
1119 # endif
1120 #endif
1121
1122 /* remember: expand_check_tlsvar() is expand_check() but fiddling with
1123 state members, assuming consistent naming; and expand_check() returns
1124 false if expansion failed, unless expansion was forced to fail. */
1125
1126 /* check if we at least have a certificate, before doing expensive
1127 D-H generation. */
1128
1129 if (!expand_check_tlsvar(tls_certificate, errstr))
1130 return DEFER;
1131
1132 /* certificate is mandatory in server, optional in client */
1133
1134 if ( !state->exp_tls_certificate
1135 || !*state->exp_tls_certificate
1136 )
1137 if (!host)
1138 return tls_install_selfsign(state, errstr);
1139 else
1140 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
1141
1142 if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
1143 return DEFER;
1144
1145 /* tls_privatekey is optional, defaulting to same file as certificate */
1146
1147 if (!state->tls_privatekey || !*state->tls_privatekey)
1148 {
1149 state->tls_privatekey = state->tls_certificate;
1150 state->exp_tls_privatekey = state->exp_tls_certificate;
1151 }
1152
1153
1154 if (state->exp_tls_certificate && *state->exp_tls_certificate)
1155 {
1156 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
1157 state->exp_tls_certificate, state->exp_tls_privatekey);
1158
1159 if (state->received_sni)
1160 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
1161 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
1162 )
1163 {
1164 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
1165 }
1166 else
1167 {
1168 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
1169 }
1170
1171 if (!host) /* server */
1172 {
1173 const uschar * clist = state->exp_tls_certificate;
1174 const uschar * klist = state->exp_tls_privatekey;
1175 const uschar * olist;
1176 int csep = 0, ksep = 0, osep = 0, cnt = 0;
1177 uschar * cfile, * kfile, * ofile;
1178 #ifndef DISABLE_OCSP
1179 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1180 gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
1181 # endif
1182
1183 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
1184 return DEFER;
1185 olist = ofile;
1186 #endif
1187
1188 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
1189
1190 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
1191 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
1192 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
1193 return rc;
1194 else
1195 {
1196 int gnutls_cert_index = -rc;
1197 DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
1198 gnutls_cert_index, cfile);
1199
1200 #ifndef DISABLE_OCSP
1201 if (tls_ocsp_file)
1202 {
1203 /* Set the OCSP stapling server info */
1204 if (gnutls_buggy_ocsp)
1205 {
1206 DEBUG(D_tls)
1207 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1208 }
1209 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1210 {
1211 DEBUG(D_tls) debug_printf("OCSP response file %d = %s\n",
1212 gnutls_cert_index, ofile);
1213 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1214 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1215 {
1216 ocsp_fmt = GNUTLS_X509_FMT_PEM;
1217 ofile += 4;
1218 }
1219 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1220 {
1221 ocsp_fmt = GNUTLS_X509_FMT_DER;
1222 ofile += 4;
1223 }
1224
1225 if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
1226 state->x509_cred, CCS ofile, gnutls_cert_index,
1227 ocsp_fmt)) < 0)
1228 return tls_error_gnu(
1229 US"gnutls_certificate_set_ocsp_status_request_file2",
1230 rc, host, errstr);
1231 DEBUG(D_tls)
1232 debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
1233
1234 /* Arrange callbacks for OCSP request observability */
1235
1236 gnutls_handshake_set_hook_function(state->session,
1237 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1238
1239 # else
1240 # if defined(SUPPORT_SRV_OCSP_STACK)
1241 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1242 state->x509_cred, gnutls_cert_index,
1243 server_ocsp_stapling_cb, ofile)))
1244 return tls_error_gnu(
1245 US"gnutls_certificate_set_ocsp_status_request_function2",
1246 rc, host, errstr);
1247 else
1248 # endif
1249 {
1250 if (cnt++ > 0)
1251 {
1252 DEBUG(D_tls)
1253 debug_printf("oops; multiple OCSP files not supported\n");
1254 break;
1255 }
1256 gnutls_certificate_set_ocsp_status_request_function(
1257 state->x509_cred, server_ocsp_stapling_cb, ofile);
1258 }
1259 # endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
1260 }
1261 else
1262 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
1263 }
1264 #endif /* DISABLE_OCSP */
1265 }
1266 }
1267 else /* client */
1268 {
1269 if (0 < (rc = tls_add_certfile(state, host,
1270 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1271 return rc;
1272 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1273 }
1274
1275 } /* tls_certificate */
1276
1277
1278 /* Set the trusted CAs file if one is provided, and then add the CRL if one is
1279 provided. Experiment shows that, if the certificate file is empty, an unhelpful
1280 error message is provided. However, if we just refrain from setting anything up
1281 in that case, certificate verification fails, which seems to be the correct
1282 behaviour. */
1283
1284 if (state->tls_verify_certificates && *state->tls_verify_certificates)
1285 {
1286 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
1287 return DEFER;
1288 #ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1289 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1290 state->exp_tls_verify_certificates = NULL;
1291 #endif
1292 if (state->tls_crl && *state->tls_crl)
1293 if (!expand_check_tlsvar(tls_crl, errstr))
1294 return DEFER;
1295
1296 if (!(state->exp_tls_verify_certificates &&
1297 *state->exp_tls_verify_certificates))
1298 {
1299 DEBUG(D_tls)
1300 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1301 /* With no tls_verify_certificates, we ignore tls_crl too */
1302 return OK;
1303 }
1304 }
1305 else
1306 {
1307 DEBUG(D_tls)
1308 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1309 return OK;
1310 }
1311
1312 #ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1313 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1314 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1315 else
1316 #endif
1317 {
1318 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1319 {
1320 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
1321 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1322 strerror(errno));
1323 return DEFER;
1324 }
1325
1326 #ifndef SUPPORT_CA_DIR
1327 /* The test suite passes in /dev/null; we could check for that path explicitly,
1328 but who knows if someone has some weird FIFO which always dumps some certs, or
1329 other weirdness. The thing we really want to check is that it's not a
1330 directory, since while OpenSSL supports that, GnuTLS does not.
1331 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
1332 if (S_ISDIR(statbuf.st_mode))
1333 {
1334 DEBUG(D_tls)
1335 debug_printf("verify certificates path is a dir: \"%s\"\n",
1336 state->exp_tls_verify_certificates);
1337 log_write(0, LOG_MAIN|LOG_PANIC,
1338 "tls_verify_certificates \"%s\" is a directory",
1339 state->exp_tls_verify_certificates);
1340 return DEFER;
1341 }
1342 #endif
1343
1344 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1345 state->exp_tls_verify_certificates, statbuf.st_size);
1346
1347 if (statbuf.st_size == 0)
1348 {
1349 DEBUG(D_tls)
1350 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1351 return OK;
1352 }
1353
1354 cert_count =
1355
1356 #ifdef SUPPORT_CA_DIR
1357 (statbuf.st_mode & S_IFMT) == S_IFDIR
1358 ?
1359 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1360 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1361 :
1362 #endif
1363 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1364 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
1365
1366 #ifdef SUPPORT_CA_DIR
1367 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1368 when using the directory-of-certs config model. */
1369
1370 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1371 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1372 #endif
1373 }
1374
1375 if (cert_count < 0)
1376 return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
1377 DEBUG(D_tls)
1378 debug_printf("Added %d certificate authorities.\n", cert_count);
1379
1380 if (state->tls_crl && *state->tls_crl &&
1381 state->exp_tls_crl && *state->exp_tls_crl)
1382 {
1383 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
1384 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1385 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
1386 return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
1387 cert_count, host, errstr);
1388
1389 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1390 }
1391
1392 return OK;
1393 }
1394
1395
1396
1397
1398 /*************************************************
1399 * Set X.509 state variables *
1400 *************************************************/
1401
1402 /* In GnuTLS, the registered cert/key are not replaced by a later
1403 set of a cert/key, so for SNI support we need a whole new x509_cred
1404 structure. Which means various other non-re-expanded pieces of state
1405 need to be re-set in the new struct, so the setting logic is pulled
1406 out to this.
1407
1408 Arguments:
1409 state exim_gnutls_state_st *
1410 errstr error string pointer
1411
1412 Returns: OK/DEFER/FAIL
1413 */
1414
1415 static int
1416 tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1417 {
1418 int rc;
1419 const host_item *host = state->host; /* macro should be reconsidered? */
1420
1421 #ifndef GNUTLS_AUTO_DHPARAMS
1422 /* Create D-H parameters, or read them from the cache file. This function does
1423 its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1424 client-side params. */
1425
1426 if (!state->host)
1427 {
1428 if (!dh_server_params)
1429 if ((rc = init_server_dh(errstr)) != OK) return rc;
1430
1431 /* Unnecessary & discouraged with 3.6.0 or later */
1432 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1433 }
1434 #endif
1435
1436 /* Link the credentials to the session. */
1437
1438 if ((rc = gnutls_credentials_set(state->session,
1439 GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
1440 return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
1441
1442 return OK;
1443 }
1444
1445 /*************************************************
1446 * Initialize for GnuTLS *
1447 *************************************************/
1448
1449
1450 #ifndef DISABLE_OCSP
1451
1452 static BOOL
1453 tls_is_buggy_ocsp(void)
1454 {
1455 const uschar * s;
1456 uschar maj, mid, mic;
1457
1458 s = CUS gnutls_check_version(NULL);
1459 maj = atoi(CCS s);
1460 if (maj == 3)
1461 {
1462 while (*s && *s != '.') s++;
1463 mid = atoi(CCS ++s);
1464 if (mid <= 2)
1465 return TRUE;
1466 else if (mid >= 5)
1467 return FALSE;
1468 else
1469 {
1470 while (*s && *s != '.') s++;
1471 mic = atoi(CCS ++s);
1472 return mic <= (mid == 3 ? 16 : 3);
1473 }
1474 }
1475 return FALSE;
1476 }
1477
1478 #endif
1479
1480
1481 /* Called from both server and client code. In the case of a server, errors
1482 before actual TLS negotiation return DEFER.
1483
1484 Arguments:
1485 host connected host, if client; NULL if server
1486 certificate certificate file
1487 privatekey private key file
1488 sni TLS SNI to send, sometimes when client; else NULL
1489 cas CA certs file
1490 crl CRL file
1491 require_ciphers tls_require_ciphers setting
1492 caller_state returned state-info structure
1493 errstr error string pointer
1494
1495 Returns: OK/DEFER/FAIL
1496 */
1497
1498 static int
1499 tls_init(
1500 const host_item *host,
1501 const uschar *certificate,
1502 const uschar *privatekey,
1503 const uschar *sni,
1504 const uschar *cas,
1505 const uschar *crl,
1506 const uschar *require_ciphers,
1507 exim_gnutls_state_st **caller_state,
1508 tls_support * tlsp,
1509 uschar ** errstr)
1510 {
1511 exim_gnutls_state_st * state;
1512 int rc;
1513 size_t sz;
1514 const char * errpos;
1515 const uschar * p;
1516
1517 if (!exim_gnutls_base_init_done)
1518 {
1519 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1520
1521 #if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
1522 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1523 which loads modules from a config file, which sounds good and may be wanted
1524 by some sysadmin, but also means in common configurations that GNOME keyring
1525 environment variables are used and so breaks for users calling mailq.
1526 To prevent this, we init PKCS11 first, which is the documented approach. */
1527 if (!gnutls_allow_auto_pkcs11)
1528 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
1529 return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
1530 #endif
1531
1532 #ifndef GNUTLS_AUTO_GLOBAL_INIT
1533 if ((rc = gnutls_global_init()))
1534 return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
1535 #endif
1536
1537 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1538 DEBUG(D_tls)
1539 {
1540 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1541 /* arbitrarily chosen level; bump up to 9 for more */
1542 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
1543 }
1544 #endif
1545
1546 #ifndef DISABLE_OCSP
1547 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
1548 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
1549 #endif
1550
1551 exim_gnutls_base_init_done = TRUE;
1552 }
1553
1554 if (host)
1555 {
1556 /* For client-side sessions we allocate a context. This lets us run
1557 several in parallel. */
1558 int old_pool = store_pool;
1559 store_pool = POOL_PERM;
1560 state = store_get(sizeof(exim_gnutls_state_st), FALSE);
1561 store_pool = old_pool;
1562
1563 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1564 state->tlsp = tlsp;
1565 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1566 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1567 }
1568 else
1569 {
1570 state = &state_server;
1571 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1572 state->tlsp = tlsp;
1573 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1574 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1575 }
1576 if (rc)
1577 return tls_error_gnu(US"gnutls_init", rc, host, errstr);
1578
1579 state->host = host;
1580
1581 state->tls_certificate = certificate;
1582 state->tls_privatekey = privatekey;
1583 state->tls_require_ciphers = require_ciphers;
1584 state->tls_sni = sni;
1585 state->tls_verify_certificates = cas;
1586 state->tls_crl = crl;
1587
1588 /* This handles the variables that might get re-expanded after TLS SNI;
1589 that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
1590
1591 DEBUG(D_tls)
1592 debug_printf("Expanding various TLS configuration options for session credentials.\n");
1593 if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
1594
1595 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1596 requires a new structure afterwards. */
1597
1598 if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
1599
1600 /* set SNI in client, only */
1601 if (host)
1602 {
1603 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
1604 return DEFER;
1605 if (state->tlsp->sni && *state->tlsp->sni)
1606 {
1607 DEBUG(D_tls)
1608 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1609 sz = Ustrlen(state->tlsp->sni);
1610 if ((rc = gnutls_server_name_set(state->session,
1611 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
1612 return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
1613 }
1614 }
1615 else if (state->tls_sni)
1616 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1617 "have an SNI set for a server [%s]\n", state->tls_sni);
1618
1619 /* This is the priority string support,
1620 http://www.gnutls.org/manual/html_node/Priority-Strings.html
1621 and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1622 This was backwards incompatible, but means Exim no longer needs to track
1623 all algorithms and provide string forms for them. */
1624
1625 p = NULL;
1626 if (state->tls_require_ciphers && *state->tls_require_ciphers)
1627 {
1628 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
1629 return DEFER;
1630 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
1631 {
1632 p = state->exp_tls_require_ciphers;
1633 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
1634 }
1635 }
1636 if (!p)
1637 {
1638 p = exim_default_gnutls_priority;
1639 DEBUG(D_tls)
1640 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
1641 }
1642
1643 if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
1644 return tls_error_gnu(string_sprintf(
1645 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1646 p, errpos - CS p, errpos),
1647 rc, host, errstr);
1648
1649 if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
1650 return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
1651
1652 /* This also sets the server ticket expiration time to the same, and
1653 the STEK rotation time to 3x. */
1654
1655 gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1656
1657 /* Reduce security in favour of increased compatibility, if the admin
1658 decides to make that trade-off. */
1659 if (gnutls_compat_mode)
1660 {
1661 #if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1662 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1663 gnutls_session_enable_compatibility_mode(state->session);
1664 #else
1665 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1666 #endif
1667 }
1668
1669 *caller_state = state;
1670 return OK;
1671 }
1672
1673
1674
1675 /*************************************************
1676 * Extract peer information *
1677 *************************************************/
1678
1679 static const uschar *
1680 cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
1681 gnutls_mac_algorithm_t mac)
1682 {
1683 uschar cs_id[2];
1684 gnutls_kx_algorithm_t kx_i;
1685 gnutls_cipher_algorithm_t cipher_i;
1686 gnutls_mac_algorithm_t mac_i;
1687
1688 for (size_t i = 0;
1689 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
1690 i++)
1691 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
1692 return cipher_stdname(cs_id[0], cs_id[1]);
1693 return NULL;
1694 }
1695
1696
1697
1698 /* Called from both server and client code.
1699 Only this is allowed to set state->peerdn and state->have_set_peerdn
1700 and we use that to detect double-calls.
1701
1702 NOTE: the state blocks last while the TLS connection is up, which is fine
1703 for logging in the server side, but for the client side, we log after teardown
1704 in src/deliver.c. While the session is up, we can twist about states and
1705 repoint tls_* globals, but those variables used for logging or other variable
1706 expansion that happens _after_ delivery need to have a longer life-time.
1707
1708 So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1709 doing this more than once per generation of a state context. We set them in
1710 the state context, and repoint tls_* to them. After the state goes away, the
1711 tls_* copies of the pointers remain valid and client delivery logging is happy.
1712
1713 tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1714 don't apply.
1715
1716 Arguments:
1717 state exim_gnutls_state_st *
1718 errstr pointer to error string
1719
1720 Returns: OK/DEFER/FAIL
1721 */
1722
1723 static int
1724 peer_status(exim_gnutls_state_st * state, uschar ** errstr)
1725 {
1726 gnutls_session_t session = state->session;
1727 const gnutls_datum_t * cert_list;
1728 int old_pool, rc;
1729 unsigned int cert_list_size = 0;
1730 gnutls_protocol_t protocol;
1731 gnutls_cipher_algorithm_t cipher;
1732 gnutls_kx_algorithm_t kx;
1733 gnutls_mac_algorithm_t mac;
1734 gnutls_certificate_type_t ct;
1735 gnutls_x509_crt_t crt;
1736 uschar * dn_buf;
1737 size_t sz;
1738
1739 if (state->have_set_peerdn)
1740 return OK;
1741 state->have_set_peerdn = TRUE;
1742
1743 state->peerdn = NULL;
1744
1745 /* tls_cipher */
1746 cipher = gnutls_cipher_get(session);
1747 protocol = gnutls_protocol_get_version(session);
1748 mac = gnutls_mac_get(session);
1749 kx =
1750 #ifdef GNUTLS_TLS1_3
1751 protocol >= GNUTLS_TLS1_3 ? 0 :
1752 #endif
1753 gnutls_kx_get(session);
1754
1755 old_pool = store_pool;
1756 {
1757 tls_support * tlsp = state->tlsp;
1758 store_pool = POOL_PERM;
1759
1760 #ifdef SUPPORT_GNUTLS_SESS_DESC
1761 {
1762 gstring * g = NULL;
1763 uschar * s = US gnutls_session_get_desc(session), c;
1764
1765 /* Nikos M suggests we use this by preference. It returns like:
1766 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
1767
1768 For partial back-compat, put a colon after the TLS version, replace the
1769 )-( grouping with __, replace in-group - with _ and append the :keysize. */
1770
1771 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
1772
1773 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
1774
1775 tlsp->ver = string_copyn(g->s, g->ptr);
1776 for (uschar * p = US tlsp->ver; *p; p++)
1777 if (*p == '-') { *p = '\0'; break; } /* TLS1.0-PKIX -> TLS1.0 */
1778
1779 g = string_catn(g, US":", 1);
1780 if (*s) s++; /* now on _ between groups */
1781 while ((c = *s))
1782 {
1783 for (*++s && ++s; (c = *s) && c != ')'; s++)
1784 g = string_catn(g, c == '-' ? US"_" : s, 1);
1785 /* now on ) closing group */
1786 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
1787 /* now on _ between groups */
1788 }
1789 g = string_catn(g, US":", 1);
1790 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
1791 state->ciphersuite = string_from_gstring(g);
1792 }
1793 #else
1794 state->ciphersuite = string_sprintf("%s:%s:%d",
1795 gnutls_protocol_get_name(protocol),
1796 gnutls_cipher_suite_get_name(kx, cipher, mac),
1797 (int) gnutls_cipher_get_key_size(cipher) * 8);
1798
1799 /* I don't see a way that spaces could occur, in the current GnuTLS
1800 code base, but it was a concern in the old code and perhaps older GnuTLS
1801 releases did return "TLS 1.0"; play it safe, just in case. */
1802
1803 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
1804 tlsp->ver = string_copyn(state->ciphersuite,
1805 Ustrchr(state->ciphersuite, ':') - state->ciphersuite);
1806 #endif
1807
1808 /* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
1809
1810 tlsp->cipher = state->ciphersuite;
1811 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
1812
1813 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
1814 }
1815 store_pool = old_pool;
1816
1817 /* tls_peerdn */
1818 cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1819
1820 if (!cert_list || cert_list_size == 0)
1821 {
1822 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1823 cert_list, cert_list_size);
1824 if (state->verify_requirement >= VERIFY_REQUIRED)
1825 return tls_error(US"certificate verification failed",
1826 US"no certificate received from peer", state->host, errstr);
1827 return OK;
1828 }
1829
1830 if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
1831 {
1832 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
1833 DEBUG(D_tls)
1834 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
1835 if (state->verify_requirement >= VERIFY_REQUIRED)
1836 return tls_error(US"certificate verification not possible, unhandled type",
1837 ctn, state->host, errstr);
1838 return OK;
1839 }
1840
1841 #define exim_gnutls_peer_err(Label) \
1842 do { \
1843 if (rc != GNUTLS_E_SUCCESS) \
1844 { \
1845 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1846 (Label), gnutls_strerror(rc)); \
1847 if (state->verify_requirement >= VERIFY_REQUIRED) \
1848 return tls_error_gnu((Label), rc, state->host, errstr); \
1849 return OK; \
1850 } \
1851 } while (0)
1852
1853 rc = import_cert(&cert_list[0], &crt);
1854 exim_gnutls_peer_err(US"cert 0");
1855
1856 state->tlsp->peercert = state->peercert = crt;
1857
1858 sz = 0;
1859 rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1860 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
1861 {
1862 exim_gnutls_peer_err(US"getting size for cert DN failed");
1863 return FAIL; /* should not happen */
1864 }
1865 dn_buf = store_get_perm(sz, TRUE); /* tainted */
1866 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1867 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
1868
1869 state->peerdn = dn_buf;
1870
1871 return OK;
1872 #undef exim_gnutls_peer_err
1873 }
1874
1875
1876
1877
1878 /*************************************************
1879 * Verify peer certificate *
1880 *************************************************/
1881
1882 /* Called from both server and client code.
1883 *Should* be using a callback registered with
1884 gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1885 the peer information, but that's too new for some OSes.
1886
1887 Arguments:
1888 state exim_gnutls_state_st *
1889 errstr where to put an error message
1890
1891 Returns:
1892 FALSE if the session should be rejected
1893 TRUE if the cert is okay or we just don't care
1894 */
1895
1896 static BOOL
1897 verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
1898 {
1899 int rc;
1900 uint verify;
1901
1902 DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
1903 *errstr = NULL;
1904 rc = peer_status(state, errstr);
1905
1906 if (state->verify_requirement == VERIFY_NONE)
1907 return TRUE;
1908
1909 if (rc != OK || !state->peerdn)
1910 {
1911 verify = GNUTLS_CERT_INVALID;
1912 *errstr = US"certificate not supplied";
1913 }
1914 else
1915
1916 {
1917 #ifdef SUPPORT_DANE
1918 if (state->verify_requirement == VERIFY_DANE && state->host)
1919 {
1920 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1921 including talking to a DNS resolver. But we want to do that bit ourselves
1922 as the testsuite intercepts and fakes its own DNS environment. */
1923
1924 dane_state_t s;
1925 dane_query_t r;
1926 uint lsize;
1927 const gnutls_datum_t * certlist =
1928 gnutls_certificate_get_peers(state->session, &lsize);
1929 int usage = tls_out.tlsa_usage;
1930
1931 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
1932 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1933 dane-verification separately so that we know which selector verified;
1934 then we know whether to do name-verification (needed for TA but not EE). */
1935
1936 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
1937 { /* a mixed-usage bundle */
1938 int i, j, nrec;
1939 const char ** dd;
1940 int * ddl;
1941
1942 for (nrec = 0; state->dane_data_len[nrec]; ) nrec++;
1943 nrec++;
1944
1945 dd = store_get(nrec * sizeof(uschar *), FALSE);
1946 ddl = store_get(nrec * sizeof(int), FALSE);
1947 nrec--;
1948
1949 if ((rc = dane_state_init(&s, 0)))
1950 goto tlsa_prob;
1951
1952 for (usage = DANESSL_USAGE_DANE_EE;
1953 usage >= DANESSL_USAGE_DANE_TA; usage--)
1954 { /* take records with this usage */
1955 for (j = i = 0; i < nrec; i++)
1956 if (state->dane_data[i][0] == usage)
1957 {
1958 dd[j] = state->dane_data[i];
1959 ddl[j++] = state->dane_data_len[i];
1960 }
1961 if (j)
1962 {
1963 dd[j] = NULL;
1964 ddl[j] = 0;
1965
1966 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1967 goto tlsa_prob;
1968
1969 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1970 gnutls_certificate_type_get(state->session),
1971 r, 0,
1972 usage == DANESSL_USAGE_DANE_EE
1973 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1974 &verify)))
1975 {
1976 DEBUG(D_tls)
1977 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1978 }
1979 else if (verify == 0) /* verification passed */
1980 {
1981 usage = 1 << usage;
1982 break;
1983 }
1984 }
1985 }
1986
1987 if (rc) goto tlsa_prob;
1988 }
1989 else
1990 # endif
1991 {
1992 if ( (rc = dane_state_init(&s, 0))
1993 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
1994 1, 0))
1995 || (rc = dane_verify_crt_raw(s, certlist, lsize,
1996 gnutls_certificate_type_get(state->session),
1997 r, 0,
1998 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
1999 usage == (1 << DANESSL_USAGE_DANE_EE)
2000 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
2001 # else
2002 0,
2003 # endif
2004 &verify))
2005 )
2006 goto tlsa_prob;
2007 }
2008
2009 if (verify != 0) /* verification failed */
2010 {
2011 gnutls_datum_t str;
2012 (void) dane_verification_status_print(verify, &str, 0);
2013 *errstr = US str.data; /* don't bother to free */
2014 goto badcert;
2015 }
2016
2017 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2018 /* If a TA-mode TLSA record was used for verification we must additionally
2019 verify the cert name (but not the CA chain). For EE-mode, skip it. */
2020
2021 if (usage & (1 << DANESSL_USAGE_DANE_EE))
2022 # endif
2023 {
2024 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2025 goto goodcert;
2026 }
2027 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2028 /* Assume that the name on the A-record is the one that should be matching
2029 the cert. An alternate view is that the domain part of the email address
2030 is also permissible. */
2031
2032 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2033 CS state->host->name))
2034 {
2035 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2036 goto goodcert;
2037 }
2038 # endif
2039 }
2040 #endif /*SUPPORT_DANE*/
2041
2042 rc = gnutls_certificate_verify_peers2(state->session, &verify);
2043 }
2044
2045 /* Handle the result of verification. INVALID is set if any others are. */
2046
2047 if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
2048 {
2049 state->peer_cert_verified = FALSE;
2050 if (!*errstr)
2051 {
2052 #ifdef GNUTLS_CERT_VFY_STATUS_PRINT
2053 DEBUG(D_tls)
2054 {
2055 gnutls_datum_t txt;
2056
2057 if (gnutls_certificate_verification_status_print(verify,
2058 gnutls_certificate_type_get(state->session), &txt, 0)
2059 == GNUTLS_E_SUCCESS)
2060 {
2061 debug_printf("%s\n", txt.data);
2062 gnutls_free(txt.data);
2063 }
2064 }
2065 #endif
2066 *errstr = verify & GNUTLS_CERT_REVOKED
2067 ? US"certificate revoked" : US"certificate invalid";
2068 }
2069
2070 DEBUG(D_tls)
2071 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
2072 *errstr, state->peerdn ? state->peerdn : US"<unset>");
2073
2074 if (state->verify_requirement >= VERIFY_REQUIRED)
2075 goto badcert;
2076 DEBUG(D_tls)
2077 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
2078 }
2079
2080 else
2081 {
2082 /* Client side, check the server's certificate name versus the name on the
2083 A-record for the connection we made. What to do for server side - what name
2084 to use for client? We document that there is no such checking for server
2085 side. */
2086
2087 if ( state->exp_tls_verify_cert_hostnames
2088 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2089 CS state->exp_tls_verify_cert_hostnames)
2090 )
2091 {
2092 DEBUG(D_tls)
2093 debug_printf("TLS certificate verification failed: cert name mismatch\n");
2094 if (state->verify_requirement >= VERIFY_REQUIRED)
2095 goto badcert;
2096 return TRUE;
2097 }
2098
2099 state->peer_cert_verified = TRUE;
2100 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
2101 state->peerdn ? state->peerdn : US"<unset>");
2102 }
2103
2104 goodcert:
2105 state->tlsp->peerdn = state->peerdn;
2106 return TRUE;
2107
2108 #ifdef SUPPORT_DANE
2109 tlsa_prob:
2110 *errstr = string_sprintf("TLSA record problem: %s",
2111 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
2112 #endif
2113
2114 badcert:
2115 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
2116 return FALSE;
2117 }
2118
2119
2120
2121
2122 /* ------------------------------------------------------------------------ */
2123 /* Callbacks */
2124
2125 /* Logging function which can be registered with
2126 * gnutls_global_set_log_function()
2127 * gnutls_global_set_log_level() 0..9
2128 */
2129 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
2130 static void
2131 exim_gnutls_logger_cb(int level, const char *message)
2132 {
2133 size_t len = strlen(message);
2134 if (len < 1)
2135 {
2136 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
2137 return;
2138 }
2139 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
2140 message[len-1] == '\n' ? "" : "\n");
2141 }
2142 #endif
2143
2144
2145 /* Called after client hello, should handle SNI work.
2146 This will always set tls_sni (state->received_sni) if available,
2147 and may trigger presenting different certificates,
2148 if state->trigger_sni_changes is TRUE.
2149
2150 Should be registered with
2151 gnutls_handshake_set_post_client_hello_function()
2152
2153 "This callback must return 0 on success or a gnutls error code to terminate the
2154 handshake.".
2155
2156 For inability to get SNI information, we return 0.
2157 We only return non-zero if re-setup failed.
2158 Only used for server-side TLS.
2159 */
2160
2161 static int
2162 exim_sni_handling_cb(gnutls_session_t session)
2163 {
2164 char sni_name[MAX_HOST_LEN];
2165 size_t data_len = MAX_HOST_LEN;
2166 exim_gnutls_state_st *state = &state_server;
2167 unsigned int sni_type;
2168 int rc, old_pool;
2169 uschar * dummy_errstr;
2170
2171 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
2172 if (rc != GNUTLS_E_SUCCESS)
2173 {
2174 DEBUG(D_tls)
2175 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
2176 debug_printf("TLS: no SNI presented in handshake.\n");
2177 else
2178 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
2179 gnutls_strerror(rc), rc);
2180 return 0;
2181 }
2182
2183 if (sni_type != GNUTLS_NAME_DNS)
2184 {
2185 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
2186 return 0;
2187 }
2188
2189 /* We now have a UTF-8 string in sni_name */
2190 old_pool = store_pool;
2191 store_pool = POOL_PERM;
2192 state->received_sni = string_copy_taint(US sni_name, TRUE);
2193 store_pool = old_pool;
2194
2195 /* We set this one now so that variable expansions below will work */
2196 state->tlsp->sni = state->received_sni;
2197
2198 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
2199 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
2200
2201 if (!state->trigger_sni_changes)
2202 return 0;
2203
2204 if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
2205 {
2206 /* If the setup of certs/etc failed before handshake, TLS would not have
2207 been offered. The best we can do now is abort. */
2208 return GNUTLS_E_APPLICATION_ERROR_MIN;
2209 }
2210
2211 rc = tls_set_remaining_x509(state, &dummy_errstr);
2212 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
2213
2214 return 0;
2215 }
2216
2217
2218
2219 #ifndef DISABLE_EVENT
2220 /*
2221 We use this callback to get observability and detail-level control
2222 for an exim TLS connection (either direction), raising a tls:cert event
2223 for each cert in the chain presented by the peer. Any event
2224 can deny verification.
2225
2226 Return 0 for the handshake to continue or non-zero to terminate.
2227 */
2228
2229 static int
2230 verify_cb(gnutls_session_t session)
2231 {
2232 const gnutls_datum_t * cert_list;
2233 unsigned int cert_list_size = 0;
2234 gnutls_x509_crt_t crt;
2235 int rc;
2236 uschar * yield;
2237 exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2238
2239 if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
2240 while (cert_list_size--)
2241 {
2242 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
2243 {
2244 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2245 cert_list_size, gnutls_strerror(rc));
2246 break;
2247 }
2248
2249 state->tlsp->peercert = crt;
2250 if ((yield = event_raise(state->event_action,
2251 US"tls:cert", string_sprintf("%d", cert_list_size))))
2252 {
2253 log_write(0, LOG_MAIN,
2254 "SSL verify denied by event-action: depth=%d: %s",
2255 cert_list_size, yield);
2256 return 1; /* reject */
2257 }
2258 state->tlsp->peercert = NULL;
2259 }
2260
2261 return 0;
2262 }
2263
2264 #endif
2265
2266
2267 static gstring *
2268 ddump(gnutls_datum_t * d)
2269 {
2270 gstring * g = string_get((d->size+1) * 2);
2271 uschar * s = d->data;
2272 for (unsigned i = d->size; i > 0; i--, s++)
2273 {
2274 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2275 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2276 }
2277 return g;
2278 }
2279
2280 static void
2281 post_handshake_debug(exim_gnutls_state_st * state)
2282 {
2283 #ifdef SUPPORT_GNUTLS_SESS_DESC
2284 debug_printf("%s\n", gnutls_session_get_desc(state->session));
2285 #endif
2286
2287 #ifdef SUPPORT_GNUTLS_KEYLOG
2288 # ifdef EXIM_HAVE_TLS1_3
2289 if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
2290 # else
2291 if (TRUE)
2292 # endif
2293 {
2294 gnutls_datum_t c, s;
2295 gstring * gc, * gs;
2296 /* For TLS1.2 we only want the client random and the master secret */
2297 gnutls_session_get_random(state->session, &c, &s);
2298 gnutls_session_get_master_secret(state->session, &s);
2299 gc = ddump(&c);
2300 gs = ddump(&s);
2301 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2302 }
2303 else
2304 debug_printf("To get keying info for TLS1.3 is hard:\n"
2305 " set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n"
2306 " add SSLKEYLOGFILE to keep_environment in the exim config\n"
2307 " run exim as root\n"
2308 " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
2309 " (works for TLS1.2 also, and saves cut-paste into file)"
2310 " Trying to use add_environment for this will not work\n");
2311 #endif
2312 }
2313
2314
2315 #ifdef EXPERIMENTAL_TLS_RESUME
2316 static int
2317 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2318 unsigned incoming, const gnutls_datum_t * msg)
2319 {
2320 DEBUG(D_tls) debug_printf("newticket cb\n");
2321 tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2322 return 0;
2323 }
2324
2325 static void
2326 tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2327 {
2328 /* Should the server offer session resumption? */
2329 tls_in.resumption = RESUME_SUPPORTED;
2330 if (verify_check_host(&tls_resumption_hosts) == OK)
2331 {
2332 int rc;
2333 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2334 an offered resumption is unacceptable. We lose one resumption per ticket
2335 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2336 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2337 least they go out in a single packet. */
2338
2339 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2340 &server_sessticket_key)))
2341 tls_in.resumption |= RESUME_SERVER_TICKET;
2342 else
2343 DEBUG(D_tls)
2344 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2345
2346 /* Try to tell if we see a ticket request */
2347 gnutls_handshake_set_hook_function(state->session,
2348 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
2349 }
2350 }
2351
2352 static void
2353 tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2354 {
2355 if (gnutls_session_resumption_requested(state->session))
2356 {
2357 /* This tells us the client sent a full ticket. We use a
2358 callback on session-ticket request, elsewhere, to tell
2359 if a client asked for a ticket. */
2360
2361 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2362 DEBUG(D_tls) debug_printf("client requested resumption\n");
2363 }
2364 if (gnutls_session_is_resumed(state->session))
2365 {
2366 tls_in.resumption |= RESUME_USED;
2367 DEBUG(D_tls) debug_printf("Session resumed\n");
2368 }
2369 }
2370 #endif
2371 /* ------------------------------------------------------------------------ */
2372 /* Exported functions */
2373
2374
2375
2376
2377 /*************************************************
2378 * Start a TLS session in a server *
2379 *************************************************/
2380
2381 /* This is called when Exim is running as a server, after having received
2382 the STARTTLS command. It must respond to that command, and then negotiate
2383 a TLS session.
2384
2385 Arguments:
2386 require_ciphers list of allowed ciphers or NULL
2387 errstr pointer to error string
2388
2389 Returns: OK on success
2390 DEFER for errors before the start of the negotiation
2391 FAIL for errors during the negotiation; the server can't
2392 continue running.
2393 */
2394
2395 int
2396 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2397 {
2398 int rc;
2399 exim_gnutls_state_st * state = NULL;
2400
2401 /* Check for previous activation */
2402 if (tls_in.active.sock >= 0)
2403 {
2404 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
2405 smtp_printf("554 Already in TLS\r\n", FALSE);
2406 return FAIL;
2407 }
2408
2409 /* Initialize the library. If it fails, it will already have logged the error
2410 and sent an SMTP response. */
2411
2412 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
2413
2414 {
2415 #ifdef MEASURE_TIMING
2416 struct timeval t0;
2417 gettimeofday(&t0, NULL);
2418 #endif
2419
2420 if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
2421 NULL, tls_verify_certificates, tls_crl,
2422 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
2423
2424 #ifdef MEASURE_TIMING
2425 report_time_since(&t0, US"server tls_init (delta)");
2426 #endif
2427 }
2428
2429 #ifdef EXPERIMENTAL_TLS_RESUME
2430 tls_server_resume_prehandshake(state);
2431 #endif
2432
2433 /* If this is a host for which certificate verification is mandatory or
2434 optional, set up appropriately. */
2435
2436 if (verify_check_host(&tls_verify_hosts) == OK)
2437 {
2438 DEBUG(D_tls)
2439 debug_printf("TLS: a client certificate will be required.\n");
2440 state->verify_requirement = VERIFY_REQUIRED;
2441 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2442 }
2443 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2444 {
2445 DEBUG(D_tls)
2446 debug_printf("TLS: a client certificate will be requested but not required.\n");
2447 state->verify_requirement = VERIFY_OPTIONAL;
2448 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2449 }
2450 else
2451 {
2452 DEBUG(D_tls)
2453 debug_printf("TLS: a client certificate will not be requested.\n");
2454 state->verify_requirement = VERIFY_NONE;
2455 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2456 }
2457
2458 #ifndef DISABLE_EVENT
2459 if (event_action)
2460 {
2461 state->event_action = event_action;
2462 gnutls_session_set_ptr(state->session, state);
2463 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2464 }
2465 #endif
2466
2467 /* Register SNI handling; always, even if not in tls_certificate, so that the
2468 expansion variable $tls_sni is always available. */
2469
2470 gnutls_handshake_set_post_client_hello_function(state->session,
2471 exim_sni_handling_cb);
2472
2473 /* Set context and tell client to go ahead, except in the case of TLS startup
2474 on connection, where outputting anything now upsets the clients and tends to
2475 make them disconnect. We need to have an explicit fflush() here, to force out
2476 the response. Other smtp_printf() calls do not need it, because in non-TLS
2477 mode, the fflush() happens when smtp_getc() is called. */
2478
2479 if (!state->tlsp->on_connect)
2480 {
2481 smtp_printf("220 TLS go ahead\r\n", FALSE);
2482 fflush(smtp_out);
2483 }
2484
2485 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2486 that the GnuTLS library doesn't.
2487 From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2488 to set (and clear down afterwards) up a pull-timeout callback function that does
2489 a select, so we're no better off unless avoiding signals becomes an issue. */
2490
2491 gnutls_transport_set_ptr2(state->session,
2492 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2493 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
2494 state->fd_in = fileno(smtp_in);
2495 state->fd_out = fileno(smtp_out);
2496
2497 sigalrm_seen = FALSE;
2498 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2499 do
2500 rc = gnutls_handshake(state->session);
2501 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
2502 ALARM_CLR(0);
2503
2504 if (rc != GNUTLS_E_SUCCESS)
2505 {
2506 /* It seems that, except in the case of a timeout, we have to close the
2507 connection right here; otherwise if the other end is running OpenSSL it hangs
2508 until the server times out. */
2509
2510 if (sigalrm_seen)
2511 {
2512 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
2513 gnutls_db_remove_session(state->session);
2514 }
2515 else
2516 {
2517 tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
2518 (void) gnutls_alert_send_appropriate(state->session, rc);
2519 gnutls_deinit(state->session);
2520 gnutls_certificate_free_credentials(state->x509_cred);
2521 millisleep(500);
2522 shutdown(state->fd_out, SHUT_WR);
2523 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
2524 (void)fclose(smtp_out);
2525 (void)fclose(smtp_in);
2526 smtp_out = smtp_in = NULL;
2527 }
2528
2529 return FAIL;
2530 }
2531
2532 #ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
2533 if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
2534 tls_in.ext_master_secret = TRUE;
2535 #endif
2536
2537 #ifdef EXPERIMENTAL_TLS_RESUME
2538 tls_server_resume_posthandshake(state);
2539 #endif
2540
2541 DEBUG(D_tls) post_handshake_debug(state);
2542
2543 /* Verify after the fact */
2544
2545 if (!verify_certificate(state, errstr))
2546 {
2547 if (state->verify_requirement != VERIFY_OPTIONAL)
2548 {
2549 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
2550 return FAIL;
2551 }
2552 DEBUG(D_tls)
2553 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
2554 *errstr);
2555 }
2556
2557 /* Sets various Exim expansion variables; always safe within server */
2558
2559 extract_exim_vars_from_tls_state(state);
2560
2561 /* TLS has been set up. Adjust the input functions to read via TLS,
2562 and initialize appropriately. */
2563
2564 state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2565
2566 receive_getc = tls_getc;
2567 receive_getbuf = tls_getbuf;
2568 receive_get_cache = tls_get_cache;
2569 receive_ungetc = tls_ungetc;
2570 receive_feof = tls_feof;
2571 receive_ferror = tls_ferror;
2572 receive_smtp_buffered = tls_smtp_buffered;
2573
2574 return OK;
2575 }
2576
2577
2578
2579
2580 static void
2581 tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2582 smtp_transport_options_block * ob)
2583 {
2584 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2585 {
2586 state->exp_tls_verify_cert_hostnames =
2587 #ifdef SUPPORT_I18N
2588 string_domain_utf8_to_alabel(host->name, NULL);
2589 #else
2590 host->name;
2591 #endif
2592 DEBUG(D_tls)
2593 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2594 state->exp_tls_verify_cert_hostnames);
2595 }
2596 }
2597
2598
2599
2600
2601 #ifdef SUPPORT_DANE
2602 /* Given our list of RRs from the TLSA lookup, build a lookup block in
2603 GnuTLS-DANE's preferred format. Hang it on the state str for later
2604 use in DANE verification.
2605
2606 We point at the dnsa data not copy it, so it must remain valid until
2607 after verification is done.*/
2608
2609 static BOOL
2610 dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2611 {
2612 dns_scan dnss;
2613 int i;
2614 const char ** dane_data;
2615 int * dane_data_len;
2616
2617 i = 1;
2618 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2619 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2620 ) if (rr->type == T_TLSA) i++;
2621
2622 dane_data = store_get(i * sizeof(uschar *), FALSE);
2623 dane_data_len = store_get(i * sizeof(int), FALSE);
2624
2625 i = 0;
2626 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2627 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2628 ) if (rr->type == T_TLSA && rr->size > 3)
2629 {
2630 const uschar * p = rr->data;
2631 /*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
2632 uint8_t usage = p[0], sel = p[1], type = p[2];
2633
2634 DEBUG(D_tls)
2635 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2636
2637 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2638 || (sel != 0 && sel != 1)
2639 )
2640 continue;
2641 switch(type)
2642 {
2643 case 0: /* Full: cannot check at present */
2644 break;
2645 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2646 break;
2647 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2648 break;
2649 default: continue;
2650 }
2651
2652 tls_out.tlsa_usage |= 1<<usage;
2653 dane_data[i] = CS p;
2654 dane_data_len[i++] = rr->size;
2655 }
2656
2657 if (!i) return FALSE;
2658
2659 dane_data[i] = NULL;
2660 dane_data_len[i] = 0;
2661
2662 state->dane_data = (char * const *)dane_data;
2663 state->dane_data_len = dane_data_len;
2664 return TRUE;
2665 }
2666 #endif
2667
2668
2669
2670 #ifdef EXPERIMENTAL_TLS_RESUME
2671 /* On the client, get any stashed session for the given IP from hints db
2672 and apply it to the ssl-connection for attempted resumption. Although
2673 there is a gnutls_session_ticket_enable_client() interface it is
2674 documented as unnecessary (as of 3.6.7) as "session tickets are emabled
2675 by deafult". There seems to be no way to disable them, so even hosts not
2676 enabled by the transport option will be sent a ticket request. We will
2677 however avoid storing and retrieving session information. */
2678
2679 static void
2680 tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
2681 host_item * host, smtp_transport_options_block * ob)
2682 {
2683 tlsp->resumption = RESUME_SUPPORTED;
2684 if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2685 {
2686 dbdata_tls_session * dt;
2687 int len, rc;
2688 open_db dbblock, * dbm_file;
2689
2690 DEBUG(D_tls)
2691 debug_printf("check for resumable session for %s\n", host->address);
2692 tlsp->host_resumable = TRUE;
2693 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2694 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2695 {
2696 /* Key for the db is the IP. We'd like to filter the retrieved session
2697 for ticket advisory expiry, but 3.6.1 seems to give no access to that */
2698
2699 if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
2700 if (!(rc = gnutls_session_set_data(session,
2701 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
2702 {
2703 DEBUG(D_tls) debug_printf("good session\n");
2704 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2705 }
2706 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
2707 US gnutls_strerror(rc));
2708 dbfn_close(dbm_file);
2709 }
2710 }
2711 }
2712
2713
2714 static void
2715 tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
2716 {
2717 /* TLS 1.2 - we get both the callback and the direct posthandshake call,
2718 but this flag is not set until the second. TLS 1.3 it's the other way about.
2719 Keep both calls as the session data cannot be extracted before handshake
2720 completes. */
2721
2722 if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
2723 {
2724 gnutls_datum_t tkt;
2725 int rc;
2726
2727 DEBUG(D_tls) debug_printf("server offered session ticket\n");
2728 tlsp->ticket_received = TRUE;
2729 tlsp->resumption |= RESUME_SERVER_TICKET;
2730
2731 if (tlsp->host_resumable)
2732 if (!(rc = gnutls_session_get_data2(session, &tkt)))
2733 {
2734 open_db dbblock, * dbm_file;
2735 int dlen = sizeof(dbdata_tls_session) + tkt.size;
2736 dbdata_tls_session * dt = store_get(dlen, TRUE);
2737
2738 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
2739 memcpy(dt->session, tkt.data, tkt.size);
2740 gnutls_free(tkt.data);
2741
2742 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2743 {
2744 /* key for the db is the IP */
2745 dbfn_delete(dbm_file, host->address);
2746 dbfn_write(dbm_file, host->address, dt, dlen);
2747 dbfn_close(dbm_file);
2748
2749 DEBUG(D_tls)
2750 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
2751 }
2752 }
2753 else DEBUG(D_tls)
2754 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
2755 }
2756 }
2757
2758
2759 /* With a TLS1.3 session, the ticket(s) are not seen until
2760 the first data read is attempted. And there's often two of them.
2761 Pick them up with this callback. We are also called for 1.2
2762 but we do nothing.
2763 */
2764 static int
2765 tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2766 unsigned incoming, const gnutls_datum_t * msg)
2767 {
2768 exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
2769 tls_support * tlsp = state->tlsp;
2770
2771 DEBUG(D_tls) debug_printf("newticket cb\n");
2772
2773 if (!tlsp->ticket_received)
2774 tls_save_session(tlsp, sess, state->host);
2775 return 0;
2776 }
2777
2778
2779 static void
2780 tls_client_resume_prehandshake(exim_gnutls_state_st * state,
2781 tls_support * tlsp, host_item * host,
2782 smtp_transport_options_block * ob)
2783 {
2784 gnutls_session_set_ptr(state->session, state);
2785 gnutls_handshake_set_hook_function(state->session,
2786 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
2787
2788 tls_retrieve_session(tlsp, state->session, host, ob);
2789 }
2790
2791 static void
2792 tls_client_resume_posthandshake(exim_gnutls_state_st * state,
2793 tls_support * tlsp, host_item * host)
2794 {
2795 if (gnutls_session_is_resumed(state->session))
2796 {
2797 DEBUG(D_tls) debug_printf("Session resumed\n");
2798 tlsp->resumption |= RESUME_USED;
2799 }
2800
2801 tls_save_session(tlsp, state->session, host);
2802 }
2803 #endif /* EXPERIMENTAL_TLS_RESUME */
2804
2805
2806 /*************************************************
2807 * Start a TLS session in a client *
2808 *************************************************/
2809
2810 /* Called from the smtp transport after STARTTLS has been accepted.
2811
2812 Arguments:
2813 cctx connection context
2814 conn_args connection details
2815 cookie datum for randomness (not used)
2816 tlsp record details of channel configuration here; must be non-NULL
2817 errstr error string pointer
2818
2819 Returns: TRUE for success with TLS session context set in smtp context,
2820 FALSE on error
2821 */
2822
2823 BOOL
2824 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2825 void * cookie ARG_UNUSED,
2826 tls_support * tlsp, uschar ** errstr)
2827 {
2828 host_item * host = conn_args->host; /* for msgs and option-tests */
2829 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2830 smtp_transport_options_block * ob = tb
2831 ? (smtp_transport_options_block *)tb->options_block
2832 : &smtp_transport_option_defaults;
2833 int rc;
2834 exim_gnutls_state_st * state = NULL;
2835 uschar * cipher_list = NULL;
2836
2837 #ifndef DISABLE_OCSP
2838 BOOL require_ocsp =
2839 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
2840 BOOL request_ocsp = require_ocsp ? TRUE
2841 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2842 #endif
2843
2844 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
2845
2846 #ifdef SUPPORT_DANE
2847 /* If dane is flagged, have either request or require dane for this host, and
2848 a TLSA record found. Therefore, dane verify required. Which implies cert must
2849 be requested and supplied, dane verify must pass, and cert verify irrelevant
2850 (incl. hostnames), and (caller handled) require_tls */
2851
2852 if (conn_args->dane && ob->dane_require_tls_ciphers)
2853 {
2854 /* not using expand_check_tlsvar because not yet in state */
2855 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2856 &cipher_list, errstr))
2857 return FALSE;
2858 cipher_list = cipher_list && *cipher_list
2859 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
2860 }
2861 #endif
2862
2863 if (!cipher_list)
2864 cipher_list = ob->tls_require_ciphers;
2865
2866 {
2867 #ifdef MEASURE_TIMING
2868 struct timeval t0;
2869 gettimeofday(&t0, NULL);
2870 #endif
2871
2872 if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
2873 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
2874 cipher_list, &state, tlsp, errstr) != OK)
2875 return FALSE;
2876
2877 #ifdef MEASURE_TIMING
2878 report_time_since(&t0, US"client tls_init (delta)");
2879 #endif
2880 }
2881
2882 {
2883 int dh_min_bits = ob->tls_dh_min_bits;
2884 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2885 {
2886 DEBUG(D_tls)
2887 debug_printf("WARNING: tls_dh_min_bits far too low,"
2888 " clamping %d up to %d\n",
2889 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2890 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2891 }
2892
2893 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2894 " acceptable bits to %d\n",
2895 dh_min_bits);
2896 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2897 }
2898
2899 /* Stick to the old behaviour for compatibility if tls_verify_certificates is
2900 set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2901 the specified host patterns if one of them is defined */
2902
2903 #ifdef SUPPORT_DANE
2904 if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
2905 {
2906 DEBUG(D_tls)
2907 debug_printf("TLS: server certificate DANE required.\n");
2908 state->verify_requirement = VERIFY_DANE;
2909 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2910 }
2911 else
2912 #endif
2913 if ( ( state->exp_tls_verify_certificates
2914 && !ob->tls_verify_hosts
2915 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2916 )
2917 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2918 )
2919 {
2920 tls_client_setup_hostname_checks(host, state, ob);
2921 DEBUG(D_tls)
2922 debug_printf("TLS: server certificate verification required.\n");
2923 state->verify_requirement = VERIFY_REQUIRED;
2924 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2925 }
2926 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2927 {
2928 tls_client_setup_hostname_checks(host, state, ob);
2929 DEBUG(D_tls)
2930 debug_printf("TLS: server certificate verification optional.\n");
2931 state->verify_requirement = VERIFY_OPTIONAL;
2932 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2933 }
2934 else
2935 {
2936 DEBUG(D_tls)
2937 debug_printf("TLS: server certificate verification not required.\n");
2938 state->verify_requirement = VERIFY_NONE;
2939 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2940 }
2941
2942 #ifndef DISABLE_OCSP
2943 /* supported since GnuTLS 3.1.3 */
2944 if (request_ocsp)
2945 {
2946 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
2947 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2948 NULL, 0, NULL)) != OK)
2949 {
2950 tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
2951 return FALSE;
2952 }
2953 tlsp->ocsp = OCSP_NOT_RESP;
2954 }
2955 #endif
2956
2957 #ifdef EXPERIMENTAL_TLS_RESUME
2958 tls_client_resume_prehandshake(state, tlsp, host, ob);
2959 #endif
2960
2961 #ifndef DISABLE_EVENT
2962 if (tb && tb->event_action)
2963 {
2964 state->event_action = tb->event_action;
2965 gnutls_session_set_ptr(state->session, state);
2966 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2967 }
2968 #endif
2969
2970 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
2971 state->fd_in = cctx->sock;
2972 state->fd_out = cctx->sock;
2973
2974 DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
2975 /* There doesn't seem to be a built-in timeout on connection. */
2976
2977 sigalrm_seen = FALSE;
2978 ALARM(ob->command_timeout);
2979 do
2980 rc = gnutls_handshake(state->session);
2981 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
2982 ALARM_CLR(0);
2983
2984 if (rc != GNUTLS_E_SUCCESS)
2985 {
2986 if (sigalrm_seen)
2987 {
2988 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
2989 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
2990 }
2991 else
2992 tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
2993 return FALSE;
2994 }
2995
2996 DEBUG(D_tls) post_handshake_debug(state);
2997
2998 /* Verify late */
2999
3000 if (!verify_certificate(state, errstr))
3001 {
3002 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
3003 return FALSE;
3004 }
3005
3006 #ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
3007 if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
3008 tlsp->ext_master_secret = TRUE;
3009 #endif
3010
3011 #ifndef DISABLE_OCSP
3012 if (request_ocsp)
3013 {
3014 DEBUG(D_tls)
3015 {
3016 gnutls_datum_t stapling;
3017 gnutls_ocsp_resp_t resp;
3018 gnutls_datum_t printed;
3019 unsigned idx = 0;
3020
3021 for (;
3022 # ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
3023 (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
3024 #else
3025 (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
3026 #endif
3027 idx++)
3028 if ( (rc= gnutls_ocsp_resp_init(&resp)) == 0
3029 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
3030 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
3031 )
3032 {
3033 debug_printf("%.4096s", printed.data);
3034 gnutls_free(printed.data);
3035 }
3036 else
3037 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
3038 if (idx == 0 && rc)
3039 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
3040 }
3041
3042 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
3043 {
3044 tlsp->ocsp = OCSP_FAILED;
3045 tls_error(US"certificate status check failed", NULL, state->host, errstr);
3046 if (require_ocsp)
3047 return FALSE;
3048 }
3049 else
3050 {
3051 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
3052 tlsp->ocsp = OCSP_VFIED;
3053 }
3054 }
3055 #endif
3056
3057 #ifdef EXPERIMENTAL_TLS_RESUME
3058 tls_client_resume_posthandshake(state, tlsp, host);
3059 #endif
3060
3061 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
3062
3063 extract_exim_vars_from_tls_state(state);
3064
3065 cctx->tls_ctx = state;
3066 return TRUE;
3067 }
3068
3069
3070
3071
3072 /*************************************************
3073 * Close down a TLS session *
3074 *************************************************/
3075
3076 /* This is also called from within a delivery subprocess forked from the
3077 daemon, to shut down the TLS library, without actually doing a shutdown (which
3078 would tamper with the TLS session in the parent process).
3079
3080 Arguments:
3081 ct_ctx client context pointer, or NULL for the one global server context
3082 shutdown 1 if TLS close-alert is to be sent,
3083 2 if also response to be waited for
3084
3085 Returns: nothing
3086 */
3087
3088 void
3089 tls_close(void * ct_ctx, int shutdown)
3090 {
3091 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3092 tls_support * tlsp = state->tlsp;
3093
3094 if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
3095
3096 if (shutdown)
3097 {
3098 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3099 shutdown > 1 ? " (with response-wait)" : "");
3100
3101 ALARM(2);
3102 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
3103 ALARM_CLR(0);
3104 }
3105
3106 if (!ct_ctx) /* server */
3107 {
3108 receive_getc = smtp_getc;
3109 receive_getbuf = smtp_getbuf;
3110 receive_get_cache = smtp_get_cache;
3111 receive_ungetc = smtp_ungetc;
3112 receive_feof = smtp_feof;
3113 receive_ferror = smtp_ferror;
3114 receive_smtp_buffered = smtp_buffered;
3115 }
3116
3117 gnutls_deinit(state->session);
3118 gnutls_certificate_free_credentials(state->x509_cred);
3119
3120 tlsp->active.sock = -1;
3121 tlsp->active.tls_ctx = NULL;
3122 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
3123 tlsp->channelbinding = NULL;
3124
3125
3126 if (state->xfer_buffer) store_free(state->xfer_buffer);
3127 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
3128 }
3129
3130
3131
3132
3133 static BOOL
3134 tls_refill(unsigned lim)
3135 {
3136 exim_gnutls_state_st * state = &state_server;
3137 ssize_t inbytes;
3138
3139 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
3140 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
3141
3142 sigalrm_seen = FALSE;
3143 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3144
3145 do
3146 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
3147 MIN(ssl_xfer_buffer_size, lim));
3148 while (inbytes == GNUTLS_E_AGAIN);
3149
3150 if (smtp_receive_timeout > 0) ALARM_CLR(0);
3151
3152 if (had_command_timeout) /* set by signal handler */
3153 smtp_command_timeout_exit(); /* does not return */
3154 if (had_command_sigterm)
3155 smtp_command_sigterm_exit();
3156 if (had_data_timeout)
3157 smtp_data_timeout_exit();
3158 if (had_data_sigint)
3159 smtp_data_sigint_exit();
3160
3161 /* Timeouts do not get this far. A zero-byte return appears to mean that the
3162 TLS session has been closed down, not that the socket itself has been closed
3163 down. Revert to non-TLS handling. */
3164
3165 if (sigalrm_seen)
3166 {
3167 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
3168 state->xfer_error = TRUE;
3169 return FALSE;
3170 }
3171
3172 else if (inbytes == 0)
3173 {
3174 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3175 tls_close(NULL, TLS_NO_SHUTDOWN);
3176 return FALSE;
3177 }
3178
3179 /* Handle genuine errors */
3180
3181 else if (inbytes < 0)
3182 {
3183 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
3184 record_io_error(state, (int) inbytes, US"recv", NULL);
3185 state->xfer_error = TRUE;
3186 return FALSE;
3187 }
3188 #ifndef DISABLE_DKIM
3189 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
3190 #endif
3191 state->xfer_buffer_hwm = (int) inbytes;
3192 state->xfer_buffer_lwm = 0;
3193 return TRUE;
3194 }
3195
3196 /*************************************************
3197 * TLS version of getc *
3198 *************************************************/
3199
3200 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
3201 it refills the buffer via the GnuTLS reading function.
3202 Only used by the server-side TLS.
3203
3204 This feeds DKIM and should be used for all message-body reads.
3205
3206 Arguments: lim Maximum amount to read/buffer
3207 Returns: the next character or EOF
3208 */
3209
3210 int
3211 tls_getc(unsigned lim)
3212 {
3213 exim_gnutls_state_st * state = &state_server;
3214
3215 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3216 if (!tls_refill(lim))
3217 return state->xfer_error ? EOF : smtp_getc(lim);
3218
3219 /* Something in the buffer; return next uschar */
3220
3221 return state->xfer_buffer[state->xfer_buffer_lwm++];
3222 }
3223
3224 uschar *
3225 tls_getbuf(unsigned * len)
3226 {
3227 exim_gnutls_state_st * state = &state_server;
3228 unsigned size;
3229 uschar * buf;
3230
3231 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3232 if (!tls_refill(*len))
3233 {
3234 if (!state->xfer_error) return smtp_getbuf(len);
3235 *len = 0;
3236 return NULL;
3237 }
3238
3239 if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
3240 size = *len;
3241 buf = &state->xfer_buffer[state->xfer_buffer_lwm];
3242 state->xfer_buffer_lwm += size;
3243 *len = size;
3244 return buf;
3245 }
3246
3247
3248 void
3249 tls_get_cache()
3250 {
3251 #ifndef DISABLE_DKIM
3252 exim_gnutls_state_st * state = &state_server;
3253 int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3254 if (n > 0)
3255 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
3256 #endif
3257 }
3258
3259
3260 BOOL
3261 tls_could_read(void)
3262 {
3263 return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3264 || gnutls_record_check_pending(state_server.session) > 0;
3265 }
3266
3267
3268
3269
3270 /*************************************************
3271 * Read bytes from TLS channel *
3272 *************************************************/
3273
3274 /* This does not feed DKIM, so if the caller uses this for reading message body,
3275 then the caller must feed DKIM.
3276
3277 Arguments:
3278 ct_ctx client context pointer, or NULL for the one global server context
3279 buff buffer of data
3280 len size of buffer
3281
3282 Returns: the number of bytes read
3283 -1 after a failed read, including EOF
3284 */
3285
3286 int
3287 tls_read(void * ct_ctx, uschar *buff, size_t len)
3288 {
3289 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3290 ssize_t inbytes;
3291
3292 if (len > INT_MAX)
3293 len = INT_MAX;
3294
3295 if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3296 DEBUG(D_tls)
3297 debug_printf("*** PROBABLY A BUG *** " \
3298 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3299 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3300
3301 DEBUG(D_tls)
3302 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
3303 state->session, buff, len);
3304
3305 do
3306 inbytes = gnutls_record_recv(state->session, buff, len);
3307 while (inbytes == GNUTLS_E_AGAIN);
3308
3309 if (inbytes > 0) return inbytes;
3310 if (inbytes == 0)
3311 {
3312 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3313 }
3314 else
3315 {
3316 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
3317 record_io_error(state, (int)inbytes, US"recv", NULL);
3318 }
3319
3320 return -1;
3321 }
3322
3323
3324
3325
3326 /*************************************************
3327 * Write bytes down TLS channel *
3328 *************************************************/
3329
3330 /*
3331 Arguments:
3332 ct_ctx client context pointer, or NULL for the one global server context
3333 buff buffer of data
3334 len number of bytes
3335 more more data expected soon
3336
3337 Calling with len zero and more unset will flush buffered writes. The buff
3338 argument can be null for that case.
3339
3340 Returns: the number of bytes after a successful write,
3341 -1 after a failed write
3342 */
3343
3344 int
3345 tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
3346 {
3347 ssize_t outbytes;
3348 size_t left = len;
3349 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3350 #ifdef SUPPORT_CORK
3351 static BOOL corked = FALSE;
3352
3353 if (more && !corked) gnutls_record_cork(state->session);
3354 #endif
3355
3356 DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
3357 buff, left, more ? ", more" : "");
3358
3359 while (left > 0)
3360 {
3361 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
3362 buff, left);
3363
3364 do
3365 outbytes = gnutls_record_send(state->session, buff, left);
3366 while (outbytes == GNUTLS_E_AGAIN);
3367
3368 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
3369 if (outbytes < 0)
3370 {
3371 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
3372 record_io_error(state, outbytes, US"send", NULL);
3373 return -1;
3374 }
3375 if (outbytes == 0)
3376 {
3377 record_io_error(state, 0, US"send", US"TLS channel closed on write");
3378 return -1;
3379 }
3380
3381 left -= outbytes;
3382 buff += outbytes;
3383 }
3384
3385 if (len > INT_MAX)
3386 {
3387 DEBUG(D_tls)
3388 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
3389 len);
3390 len = INT_MAX;
3391 }
3392
3393 #ifdef SUPPORT_CORK
3394 if (more != corked)
3395 {
3396 if (!more) (void) gnutls_record_uncork(state->session, 0);
3397 corked = more;
3398 }
3399 #endif
3400
3401 return (int) len;
3402 }
3403
3404
3405
3406
3407 /*************************************************
3408 * Random number generation *
3409 *************************************************/
3410
3411 /* Pseudo-random number generation. The result is not expected to be
3412 cryptographically strong but not so weak that someone will shoot themselves
3413 in the foot using it as a nonce in input in some email header scheme or
3414 whatever weirdness they'll twist this into. The result should handle fork()
3415 and avoid repeating sequences. OpenSSL handles that for us.
3416
3417 Arguments:
3418 max range maximum
3419 Returns a random number in range [0, max-1]
3420 */
3421
3422 #ifdef HAVE_GNUTLS_RND
3423 int
3424 vaguely_random_number(int max)
3425 {
3426 unsigned int r;
3427 int i, needed_len;
3428 uschar smallbuf[sizeof(r)];
3429
3430 if (max <= 1)
3431 return 0;
3432
3433 needed_len = sizeof(r);
3434 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3435 asked for a number less than 10. */
3436
3437 for (r = max, i = 0; r; ++i)
3438 r >>= 1;
3439 i = (i + 7) / 8;
3440 if (i < needed_len)
3441 needed_len = i;
3442
3443 i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
3444 if (i < 0)
3445 {
3446 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
3447 return vaguely_random_number_fallback(max);
3448 }
3449 r = 0;
3450 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3451 r = r * 256 + *p;
3452
3453 /* We don't particularly care about weighted results; if someone wants
3454 * smooth distribution and cares enough then they should submit a patch then. */
3455 return r % max;
3456 }
3457 #else /* HAVE_GNUTLS_RND */
3458 int
3459 vaguely_random_number(int max)
3460 {
3461 return vaguely_random_number_fallback(max);
3462 }
3463 #endif /* HAVE_GNUTLS_RND */
3464