projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Lower EXIM_CLIENT_DH_MIN_BITS 1024 -> 512.
[exim.git] / src / src / tls-gnu.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2012 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Copyright (c) Phil Pennock 2012 */
9
10 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
11 one of the available supported implementations. This file is #included into
12 tls.c when USE_GNUTLS has been set.
13
14 The code herein is a revamp of GnuTLS integration using the current APIs; the
15 original tls-gnu.c was based on a patch which was contributed by Nikos
16 Mavroyanopoulos. The revamp is partially a rewrite, partially cut&paste as
17 appropriate.
18
19 APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20 which is not widely deployed by OS vendors. Will note issues below, which may
21 assist in updating the code in the future. Another sources of hints is
22 mod_gnutls for Apache (SNI callback registration and handling).
23
24 Keeping client and server variables more split than before and is currently
25 the norm, in anticipation of TLS in ACL callouts.
26
27 I wanted to switch to gnutls_certificate_set_verify_function() so that
28 certificate rejection could happen during handshake where it belongs, rather
29 than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30 (6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
31
32 (I wasn't looking for libraries quite that old, when updating to get rid of
33 compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34 require current GnuTLS, then we'll drop support for the ancient libraries).
35 */
36
37 #include <gnutls/gnutls.h>
38 /* needed for cert checks in verification and DN extraction: */
39 #include <gnutls/x509.h>
40 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41 #include <gnutls/crypto.h>
42
43 /* GnuTLS 2 vs 3
44
45 GnuTLS 3 only:
46 gnutls_global_set_audit_log_function()
47
48 Changes:
49 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
50 */
51
52 /* Local static variables for GnuTLS */
53
54 /* Values for verify_requirement */
55
56 enum peer_verify_requirement { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
57
58 /* This holds most state for server or client; with this, we can set up an
59 outbound TLS-enabled connection in an ACL callout, while not stomping all
60 over the TLS variables available for expansion.
61
62 Some of these correspond to variables in globals.c; those variables will
63 be set to point to content in one of these instances, as appropriate for
64 the stage of the process lifetime.
65
66 Not handled here: globals tls_active, tls_bits, tls_cipher, tls_peerdn,
67 tls_certificate_verified, tls_channelbinding_b64, tls_sni.
68 */
69
70 typedef struct exim_gnutls_state {
71 gnutls_session_t session;
72 gnutls_certificate_credentials_t x509_cred;
73 gnutls_priority_t priority_cache;
74 enum peer_verify_requirement verify_requirement;
75 int fd_in;
76 int fd_out;
77 BOOL peer_cert_verified;
78 BOOL trigger_sni_changes;
79 BOOL have_set_peerdn;
80 const struct host_item *host;
81 uschar *peerdn;
82 uschar *ciphersuite;
83 uschar *received_sni;
84
85 const uschar *tls_certificate;
86 const uschar *tls_privatekey;
87 const uschar *tls_sni; /* client send only, not received */
88 const uschar *tls_verify_certificates;
89 const uschar *tls_crl;
90 const uschar *tls_require_ciphers;
91 uschar *exp_tls_certificate;
92 uschar *exp_tls_privatekey;
93 uschar *exp_tls_sni;
94 uschar *exp_tls_verify_certificates;
95 uschar *exp_tls_crl;
96 uschar *exp_tls_require_ciphers;
97
98 uschar *xfer_buffer;
99 int xfer_buffer_lwm;
100 int xfer_buffer_hwm;
101 int xfer_eof;
102 int xfer_error;
103 } exim_gnutls_state_st;
104
105 static const exim_gnutls_state_st exim_gnutls_state_init = {
106 NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
107 NULL, NULL, NULL, NULL,
108 NULL, NULL, NULL, NULL, NULL, NULL,
109 NULL, NULL, NULL, NULL, NULL, NULL,
110 NULL, 0, 0, 0, 0,
111 };
112
113 /* Not only do we have our own APIs which don't pass around state, assuming
114 it's held in globals, GnuTLS doesn't appear to let us register callback data
115 for callbacks, or as part of the session, so we have to keep a "this is the
116 context we're currently dealing with" pointer and rely upon being
117 single-threaded to keep from processing data on an inbound TLS connection while
118 talking to another TLS connection for an outbound check. This does mean that
119 there's no way for heart-beats to be responded to, for the duration of the
120 second connection. */
121
122 static exim_gnutls_state_st state_server, state_client;
123 static exim_gnutls_state_st *current_global_tls_state;
124
125 /* dh_params are initialised once within the lifetime of a process using TLS;
126 if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
127 don't want to repeat this. */
128
129 static gnutls_dh_params_t dh_server_params = NULL;
130
131 /* No idea how this value was chosen; preserving it. Default is 3600. */
132
133 static const int ssl_session_timeout = 200;
134
135 static const char * const exim_default_gnutls_priority = "NORMAL";
136
137 /* Guard library core initialisation */
138
139 static BOOL exim_gnutls_base_init_done = FALSE;
140
141
142 /* ------------------------------------------------------------------------ */
143 /* macros */
144
145 #define MAX_HOST_LEN 255
146
147 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
148 the library logging; a value less than 0 disables the calls to set up logging
149 callbacks. */
150 #ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
151 #define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
152 #endif
153
154 #ifndef EXIM_CLIENT_DH_MIN_BITS
155 #define EXIM_CLIENT_DH_MIN_BITS 512
156 #endif
157
158 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
159 can ask for a bit-strength. Without that, we stick to the constant we had
160 before, for now. */
161 #ifndef EXIM_SERVER_DH_BITS_PRE2_12
162 #define EXIM_SERVER_DH_BITS_PRE2_12 1024
163 #endif
164
165 #define exim_gnutls_err_check(Label) do { \
166 if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)
167
168 #define expand_check_tlsvar(Varname) expand_check(state->Varname, US #Varname, &state->exp_##Varname)
169
170 #if GNUTLS_VERSION_NUMBER >= 0x020c00
171 #define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
172 #define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
173 #define HAVE_GNUTLS_RND
174 #endif
175
176
177
178
179 /* ------------------------------------------------------------------------ */
180 /* Callback declarations */
181
182 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
183 static void exim_gnutls_logger_cb(int level, const char *message);
184 #endif
185
186 static int exim_sni_handling_cb(gnutls_session_t session);
187
188
189
190
191 /* ------------------------------------------------------------------------ */
192 /* Static functions */
193
194 /*************************************************
195 * Handle TLS error *
196 *************************************************/
197
198 /* Called from lots of places when errors occur before actually starting to do
199 the TLS handshake, that is, while the session is still in clear. Always returns
200 DEFER for a server and FAIL for a client so that most calls can use "return
201 tls_error(...)" to do this processing and then give an appropriate return. A
202 single function is used for both server and client, because it is called from
203 some shared functions.
204
205 Argument:
206 prefix text to include in the logged error
207 msg additional error string (may be NULL)
208 usually obtained from gnutls_strerror()
209 host NULL if setting up a server;
210 the connected host if setting up a client
211
212 Returns: OK/DEFER/FAIL
213 */
214
215 static int
216 tls_error(const uschar *prefix, const char *msg, const host_item *host)
217 {
218 if (host)
219 {
220 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s)%s%s",
221 host->name, host->address, prefix, msg ? ": " : "", msg ? msg : "");
222 return FAIL;
223 }
224 else
225 {
226 uschar *conn_info = smtp_get_connection_info();
227 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
228 conn_info += 5;
229 log_write(0, LOG_MAIN, "TLS error on %s (%s)%s%s",
230 conn_info, prefix, msg ? ": " : "", msg ? msg : "");
231 return DEFER;
232 }
233 }
234
235
236
237
238 /*************************************************
239 * Deal with logging errors during I/O *
240 *************************************************/
241
242 /* We have to get the identity of the peer from saved data.
243
244 Argument:
245 state the current GnuTLS exim state container
246 rc the GnuTLS error code, or 0 if it's a local error
247 when text identifying read or write
248 text local error text when ec is 0
249
250 Returns: nothing
251 */
252
253 static void
254 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
255 {
256 const char *msg;
257
258 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
259 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
260 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
261 else
262 msg = gnutls_strerror(rc);
263
264 tls_error(when, msg, state->host);
265 }
266
267
268
269
270 /*************************************************
271 * Set various Exim expansion vars *
272 *************************************************/
273
274 /* We set various Exim global variables from the state, once a session has
275 been established. With TLS callouts, may need to change this to stack
276 variables, or just re-call it with the server state after client callout
277 has finished.
278
279 Make sure anything set here is inset in tls_getc().
280
281 Sets:
282 tls_active fd
283 tls_bits strength indicator
284 tls_certificate_verified bool indicator
285 tls_channelbinding_b64 for some SASL mechanisms
286 tls_cipher a string
287 tls_peerdn a string
288 tls_sni a (UTF-8) string
289 Also:
290 current_global_tls_state for API limitations
291
292 Argument:
293 state the relevant exim_gnutls_state_st *
294 */
295
296 static void
297 extract_exim_vars_from_tls_state(exim_gnutls_state_st *state)
298 {
299 gnutls_cipher_algorithm_t cipher;
300 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
301 int old_pool;
302 int rc;
303 gnutls_datum_t channel;
304 #endif
305
306 current_global_tls_state = state;
307
308 tls_active = state->fd_out;
309
310 cipher = gnutls_cipher_get(state->session);
311 /* returns size in "bytes" */
312 tls_bits = gnutls_cipher_get_key_size(cipher) * 8;
313
314 tls_cipher = state->ciphersuite;
315
316 DEBUG(D_tls) debug_printf("cipher: %s\n", tls_cipher);
317
318 tls_certificate_verified = state->peer_cert_verified;
319
320 /* note that tls_channelbinding_b64 is not saved to the spool file, since it's
321 only available for use for authenticators while this TLS session is running. */
322
323 tls_channelbinding_b64 = NULL;
324 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
325 channel.data = NULL;
326 channel.size = 0;
327 rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
328 if (rc) {
329 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
330 } else {
331 old_pool = store_pool;
332 store_pool = POOL_PERM;
333 tls_channelbinding_b64 = auth_b64encode(channel.data, (int)channel.size);
334 store_pool = old_pool;
335 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
336 }
337 #endif
338
339 tls_peerdn = state->peerdn;
340
341 tls_sni = state->received_sni;
342 }
343
344
345
346
347 /*************************************************
348 * Setup up DH parameters *
349 *************************************************/
350
351 /* Generating the D-H parameters may take a long time. They only need to
352 be re-generated every so often, depending on security policy. What we do is to
353 keep these parameters in a file in the spool directory. If the file does not
354 exist, we generate them. This means that it is easy to cause a regeneration.
355
356 The new file is written as a temporary file and renamed, so that an incomplete
357 file is never present. If two processes both compute some new parameters, you
358 waste a bit of effort, but it doesn't seem worth messing around with locking to
359 prevent this.
360
361 Returns: OK/DEFER/FAIL
362 */
363
364 static int
365 init_server_dh(void)
366 {
367 int fd, rc;
368 unsigned int dh_bits;
369 gnutls_datum m;
370 uschar filename_buf[PATH_MAX];
371 uschar *filename = NULL;
372 size_t sz;
373 uschar *exp_tls_dhparam;
374 BOOL use_file_in_spool = FALSE;
375 BOOL use_fixed_file = FALSE;
376 host_item *host = NULL; /* dummy for macros */
377
378 DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
379
380 rc = gnutls_dh_params_init(&dh_server_params);
381 exim_gnutls_err_check(US"gnutls_dh_params_init");
382
383 m.data = NULL;
384 m.size = 0;
385
386 if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam))
387 return DEFER;
388
389 if (!exp_tls_dhparam)
390 {
391 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
392 m.data = US std_dh_prime_default();
393 m.size = Ustrlen(m.data);
394 }
395 else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
396 use_file_in_spool = TRUE;
397 else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
398 {
399 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
400 return OK;
401 }
402 else if (exp_tls_dhparam[0] != '/')
403 {
404 m.data = US std_dh_prime_named(exp_tls_dhparam);
405 if (m.data == NULL)
406 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL);
407 m.size = Ustrlen(m.data);
408 }
409 else
410 {
411 use_fixed_file = TRUE;
412 filename = exp_tls_dhparam;
413 }
414
415 if (m.data)
416 {
417 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
418 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
419 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
420 return OK;
421 }
422
423 #ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
424 /* If you change this constant, also change dh_param_fn_ext so that we can use a
425 different filename and ensure we have sufficient bits. */
426 dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
427 if (!dh_bits)
428 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL);
429 DEBUG(D_tls)
430 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
431 dh_bits);
432 #else
433 dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
434 DEBUG(D_tls)
435 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
436 dh_bits);
437 #endif
438
439 /* Some clients have hard-coded limits. */
440 if (dh_bits > tls_dh_max_bits)
441 {
442 DEBUG(D_tls)
443 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
444 tls_dh_max_bits);
445 dh_bits = tls_dh_max_bits;
446 }
447
448 if (use_file_in_spool)
449 {
450 if (!string_format(filename_buf, sizeof(filename_buf),
451 "%s/gnutls-params-%d", spool_directory, dh_bits))
452 return tls_error(US"overlong filename", NULL, NULL);
453 filename = filename_buf;
454 }
455
456 /* Open the cache file for reading and if successful, read it and set up the
457 parameters. */
458
459 fd = Uopen(filename, O_RDONLY, 0);
460 if (fd >= 0)
461 {
462 struct stat statbuf;
463 FILE *fp;
464 int saved_errno;
465
466 if (fstat(fd, &statbuf) < 0) /* EIO */
467 {
468 saved_errno = errno;
469 (void)close(fd);
470 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL);
471 }
472 if (!S_ISREG(statbuf.st_mode))
473 {
474 (void)close(fd);
475 return tls_error(US"TLS cache not a file", NULL, NULL);
476 }
477 fp = fdopen(fd, "rb");
478 if (!fp)
479 {
480 saved_errno = errno;
481 (void)close(fd);
482 return tls_error(US"fdopen(TLS cache stat fd) failed",
483 strerror(saved_errno), NULL);
484 }
485
486 m.size = statbuf.st_size;
487 m.data = malloc(m.size);
488 if (m.data == NULL)
489 {
490 fclose(fp);
491 return tls_error(US"malloc failed", strerror(errno), NULL);
492 }
493 sz = fread(m.data, m.size, 1, fp);
494 if (!sz)
495 {
496 saved_errno = errno;
497 fclose(fp);
498 free(m.data);
499 return tls_error(US"fread failed", strerror(saved_errno), NULL);
500 }
501 fclose(fp);
502
503 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
504 free(m.data);
505 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
506 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
507 }
508
509 /* If the file does not exist, fall through to compute new data and cache it.
510 If there was any other opening error, it is serious. */
511
512 else if (errno == ENOENT)
513 {
514 rc = -1;
515 DEBUG(D_tls)
516 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
517 }
518 else
519 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
520 NULL, NULL);
521
522 /* If ret < 0, either the cache file does not exist, or the data it contains
523 is not useful. One particular case of this is when upgrading from an older
524 release of Exim in which the data was stored in a different format. We don't
525 try to be clever and support both formats; we just regenerate new data in this
526 case. */
527
528 if (rc < 0)
529 {
530 uschar *temp_fn;
531 unsigned int dh_bits_gen = dh_bits;
532
533 if ((PATH_MAX - Ustrlen(filename)) < 10)
534 return tls_error(US"Filename too long to generate replacement",
535 CS filename, NULL);
536
537 temp_fn = string_copy(US "%s.XXXXXXX");
538 fd = mkstemp(CS temp_fn); /* modifies temp_fn */
539 if (fd < 0)
540 return tls_error(US"Unable to open temp file", strerror(errno), NULL);
541 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
542
543 /* GnuTLS overshoots!
544 * If we ask for 2236, we might get 2237 or more.
545 * But there's no way to ask GnuTLS how many bits there really are.
546 * We can ask how many bits were used in a TLS session, but that's it!
547 * The prime itself is hidden behind too much abstraction.
548 * So we ask for less, and proceed on a wing and a prayer.
549 * First attempt, subtracted 3 for 2233 and got 2240.
550 */
551 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
552 {
553 dh_bits_gen = dh_bits - 10;
554 DEBUG(D_tls)
555 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
556 dh_bits_gen);
557 }
558
559 DEBUG(D_tls)
560 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
561 dh_bits_gen);
562 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
563 exim_gnutls_err_check(US"gnutls_dh_params_generate2");
564
565 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
566 and I confirmed that a NULL call to get the size first is how the GnuTLS
567 sample apps handle this. */
568
569 sz = 0;
570 m.data = NULL;
571 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
572 m.data, &sz);
573 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
574 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3(NULL) sizing");
575 m.size = sz;
576 m.data = malloc(m.size);
577 if (m.data == NULL)
578 return tls_error(US"memory allocation failed", strerror(errno), NULL);
579 /* this will return a size 1 less than the allocation size above */
580 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
581 m.data, &sz);
582 if (rc != GNUTLS_E_SUCCESS)
583 {
584 free(m.data);
585 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3() real");
586 }
587 m.size = sz; /* shrink by 1, probably */
588
589 sz = write_to_fd_buf(fd, m.data, (size_t) m.size);
590 if (sz != m.size)
591 {
592 free(m.data);
593 return tls_error(US"TLS cache write D-H params failed",
594 strerror(errno), NULL);
595 }
596 free(m.data);
597 sz = write_to_fd_buf(fd, US"\n", 1);
598 if (sz != 1)
599 return tls_error(US"TLS cache write D-H params final newline failed",
600 strerror(errno), NULL);
601
602 rc = close(fd);
603 if (rc)
604 return tls_error(US"TLS cache write close() failed",
605 strerror(errno), NULL);
606
607 if (Urename(temp_fn, filename) < 0)
608 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
609 temp_fn, filename), strerror(errno), NULL);
610
611 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
612 }
613
614 DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
615 return OK;
616 }
617
618
619
620
621 /*************************************************
622 * Variables re-expanded post-SNI *
623 *************************************************/
624
625 /* Called from both server and client code, via tls_init(), and also from
626 the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
627
628 We can tell the two apart by state->received_sni being non-NULL in callback.
629
630 The callback should not call us unless state->trigger_sni_changes is true,
631 which we are responsible for setting on the first pass through.
632
633 Arguments:
634 state exim_gnutls_state_st *
635
636 Returns: OK/DEFER/FAIL
637 */
638
639 static int
640 tls_expand_session_files(exim_gnutls_state_st *state)
641 {
642 struct stat statbuf;
643 int rc;
644 const host_item *host = state->host; /* macro should be reconsidered? */
645 uschar *saved_tls_certificate = NULL;
646 uschar *saved_tls_privatekey = NULL;
647 uschar *saved_tls_verify_certificates = NULL;
648 uschar *saved_tls_crl = NULL;
649 int cert_count;
650
651 /* We check for tls_sni *before* expansion. */
652 if (!state->host)
653 {
654 if (!state->received_sni)
655 {
656 if (state->tls_certificate && Ustrstr(state->tls_certificate, US"tls_sni"))
657 {
658 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
659 state->trigger_sni_changes = TRUE;
660 }
661 }
662 else
663 {
664 /* useful for debugging */
665 saved_tls_certificate = state->exp_tls_certificate;
666 saved_tls_privatekey = state->exp_tls_privatekey;
667 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
668 saved_tls_crl = state->exp_tls_crl;
669 }
670 }
671
672 rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
673 exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
674
675 /* remember: expand_check_tlsvar() is expand_check() but fiddling with
676 state members, assuming consistent naming; and expand_check() returns
677 false if expansion failed, unless expansion was forced to fail. */
678
679 /* check if we at least have a certificate, before doing expensive
680 D-H generation. */
681
682 if (!expand_check_tlsvar(tls_certificate))
683 return DEFER;
684
685 /* certificate is mandatory in server, optional in client */
686
687 if ((state->exp_tls_certificate == NULL) ||
688 (*state->exp_tls_certificate == '\0'))
689 {
690 if (state->host == NULL)
691 return tls_error(US"no TLS server certificate is specified", NULL, NULL);
692 else
693 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
694 }
695
696 if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
697 return DEFER;
698
699 /* tls_privatekey is optional, defaulting to same file as certificate */
700
701 if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
702 {
703 state->tls_privatekey = state->tls_certificate;
704 state->exp_tls_privatekey = state->exp_tls_certificate;
705 }
706
707
708 if (state->exp_tls_certificate && *state->exp_tls_certificate)
709 {
710 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
711 state->exp_tls_certificate, state->exp_tls_privatekey);
712
713 if (state->received_sni)
714 {
715 if ((Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0) &&
716 (Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0))
717 {
718 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
719 }
720 else
721 {
722 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
723 }
724 }
725
726 rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
727 CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
728 GNUTLS_X509_FMT_PEM);
729 exim_gnutls_err_check(
730 string_sprintf("cert/key setup: cert=%s key=%s",
731 state->exp_tls_certificate, state->exp_tls_privatekey));
732 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
733 } /* tls_certificate */
734
735 /* Set the trusted CAs file if one is provided, and then add the CRL if one is
736 provided. Experiment shows that, if the certificate file is empty, an unhelpful
737 error message is provided. However, if we just refrain from setting anything up
738 in that case, certificate verification fails, which seems to be the correct
739 behaviour. */
740
741 if (state->tls_verify_certificates && *state->tls_verify_certificates)
742 {
743 if (!expand_check_tlsvar(tls_verify_certificates))
744 return DEFER;
745 if (state->tls_crl && *state->tls_crl)
746 if (!expand_check_tlsvar(tls_crl))
747 return DEFER;
748
749 if (!(state->exp_tls_verify_certificates &&
750 *state->exp_tls_verify_certificates))
751 {
752 DEBUG(D_tls)
753 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
754 /* With no tls_verify_certificates, we ignore tls_crl too */
755 return OK;
756 }
757 }
758 else
759 {
760 DEBUG(D_tls)
761 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
762 return OK;
763 }
764
765 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
766 {
767 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
768 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
769 strerror(errno));
770 return DEFER;
771 }
772
773 /* The test suite passes in /dev/null; we could check for that path explicitly,
774 but who knows if someone has some weird FIFO which always dumps some certs, or
775 other weirdness. The thing we really want to check is that it's not a
776 directory, since while OpenSSL supports that, GnuTLS does not.
777 So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
778 if (S_ISDIR(statbuf.st_mode))
779 {
780 DEBUG(D_tls)
781 debug_printf("verify certificates path is a dir: \"%s\"\n",
782 state->exp_tls_verify_certificates);
783 log_write(0, LOG_MAIN|LOG_PANIC,
784 "tls_verify_certificates \"%s\" is a directory",
785 state->exp_tls_verify_certificates);
786 return DEFER;
787 }
788
789 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
790 state->exp_tls_verify_certificates, statbuf.st_size);
791
792 if (statbuf.st_size == 0)
793 {
794 DEBUG(D_tls)
795 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
796 return OK;
797 }
798
799 cert_count = gnutls_certificate_set_x509_trust_file(state->x509_cred,
800 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
801 if (cert_count < 0)
802 {
803 rc = cert_count;
804 exim_gnutls_err_check(US"gnutls_certificate_set_x509_trust_file");
805 }
806 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
807
808 if (state->tls_crl && *state->tls_crl &&
809 state->exp_tls_crl && *state->exp_tls_crl)
810 {
811 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
812 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
813 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
814 if (cert_count < 0)
815 {
816 rc = cert_count;
817 exim_gnutls_err_check(US"gnutls_certificate_set_x509_crl_file");
818 }
819 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
820 }
821
822 return OK;
823 }
824
825
826
827
828 /*************************************************
829 * Set X.509 state variables *
830 *************************************************/
831
832 /* In GnuTLS, the registered cert/key are not replaced by a later
833 set of a cert/key, so for SNI support we need a whole new x509_cred
834 structure. Which means various other non-re-expanded pieces of state
835 need to be re-set in the new struct, so the setting logic is pulled
836 out to this.
837
838 Arguments:
839 state exim_gnutls_state_st *
840
841 Returns: OK/DEFER/FAIL
842 */
843
844 static int
845 tls_set_remaining_x509(exim_gnutls_state_st *state)
846 {
847 int rc;
848 const host_item *host = state->host; /* macro should be reconsidered? */
849
850 /* Create D-H parameters, or read them from the cache file. This function does
851 its own SMTP error messaging. This only happens for the server, TLS D-H ignores
852 client-side params. */
853
854 if (!state->host)
855 {
856 if (!dh_server_params)
857 {
858 rc = init_server_dh();
859 if (rc != OK) return rc;
860 }
861 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
862 }
863
864 /* Link the credentials to the session. */
865
866 rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
867 exim_gnutls_err_check(US"gnutls_credentials_set");
868
869 return OK;
870 }
871
872 /*************************************************
873 * Initialize for GnuTLS *
874 *************************************************/
875
876 /* Called from both server and client code. In the case of a server, errors
877 before actual TLS negotiation return DEFER.
878
879 Arguments:
880 host connected host, if client; NULL if server
881 certificate certificate file
882 privatekey private key file
883 sni TLS SNI to send, sometimes when client; else NULL
884 cas CA certs file
885 crl CRL file
886 require_ciphers tls_require_ciphers setting
887
888 Returns: OK/DEFER/FAIL
889 */
890
891 static int
892 tls_init(
893 const host_item *host,
894 const uschar *certificate,
895 const uschar *privatekey,
896 const uschar *sni,
897 const uschar *cas,
898 const uschar *crl,
899 const uschar *require_ciphers,
900 exim_gnutls_state_st **caller_state)
901 {
902 exim_gnutls_state_st *state;
903 int rc;
904 size_t sz;
905 const char *errpos;
906 uschar *p;
907 BOOL want_default_priorities;
908
909 if (!exim_gnutls_base_init_done)
910 {
911 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
912
913 rc = gnutls_global_init();
914 exim_gnutls_err_check(US"gnutls_global_init");
915
916 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
917 DEBUG(D_tls)
918 {
919 gnutls_global_set_log_function(exim_gnutls_logger_cb);
920 /* arbitrarily chosen level; bump upto 9 for more */
921 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
922 }
923 #endif
924
925 exim_gnutls_base_init_done = TRUE;
926 }
927
928 if (host)
929 {
930 state = &state_client;
931 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
932 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
933 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
934 }
935 else
936 {
937 state = &state_server;
938 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
939 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
940 rc = gnutls_init(&state->session, GNUTLS_SERVER);
941 }
942 exim_gnutls_err_check(US"gnutls_init");
943
944 state->host = host;
945
946 state->tls_certificate = certificate;
947 state->tls_privatekey = privatekey;
948 state->tls_require_ciphers = require_ciphers;
949 state->tls_sni = sni;
950 state->tls_verify_certificates = cas;
951 state->tls_crl = crl;
952
953 /* This handles the variables that might get re-expanded after TLS SNI;
954 that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
955
956 DEBUG(D_tls)
957 debug_printf("Expanding various TLS configuration options for session credentials.\n");
958 rc = tls_expand_session_files(state);
959 if (rc != OK) return rc;
960
961 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
962 requires a new structure afterwards. */
963
964 rc = tls_set_remaining_x509(state);
965 if (rc != OK) return rc;
966
967 /* set SNI in client, only */
968 if (host)
969 {
970 if (!expand_check_tlsvar(tls_sni))
971 return DEFER;
972 if (state->exp_tls_sni && *state->exp_tls_sni)
973 {
974 DEBUG(D_tls)
975 debug_printf("Setting TLS client SNI to \"%s\"\n", state->exp_tls_sni);
976 sz = Ustrlen(state->exp_tls_sni);
977 rc = gnutls_server_name_set(state->session,
978 GNUTLS_NAME_DNS, state->exp_tls_sni, sz);
979 exim_gnutls_err_check(US"gnutls_server_name_set");
980 }
981 }
982 else if (state->tls_sni)
983 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
984 "have an SNI set for a client [%s]\n", state->tls_sni);
985
986 /* This is the priority string support,
987 http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html
988 and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
989 This was backwards incompatible, but means Exim no longer needs to track
990 all algorithms and provide string forms for them. */
991
992 want_default_priorities = TRUE;
993
994 if (state->tls_require_ciphers && *state->tls_require_ciphers)
995 {
996 if (!expand_check_tlsvar(tls_require_ciphers))
997 return DEFER;
998 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
999 {
1000 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1001 state->exp_tls_require_ciphers);
1002
1003 rc = gnutls_priority_init(&state->priority_cache,
1004 CS state->exp_tls_require_ciphers, &errpos);
1005 want_default_priorities = FALSE;
1006 p = state->exp_tls_require_ciphers;
1007 }
1008 }
1009 if (want_default_priorities)
1010 {
1011 DEBUG(D_tls)
1012 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1013 exim_default_gnutls_priority);
1014 rc = gnutls_priority_init(&state->priority_cache,
1015 exim_default_gnutls_priority, &errpos);
1016 p = US exim_default_gnutls_priority;
1017 }
1018
1019 exim_gnutls_err_check(string_sprintf(
1020 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1021 p, errpos - CS p, errpos));
1022
1023 rc = gnutls_priority_set(state->session, state->priority_cache);
1024 exim_gnutls_err_check(US"gnutls_priority_set");
1025
1026 gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1027
1028 /* Reduce security in favour of increased compatibility, if the admin
1029 decides to make that trade-off. */
1030 if (gnutls_compat_mode)
1031 {
1032 #if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1033 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1034 gnutls_session_enable_compatibility_mode(state->session);
1035 #else
1036 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1037 #endif
1038 }
1039
1040 *caller_state = state;
1041 /* needs to happen before callbacks during handshake */
1042 current_global_tls_state = state;
1043 return OK;
1044 }
1045
1046
1047
1048
1049 /*************************************************
1050 * Extract peer information *
1051 *************************************************/
1052
1053 /* Called from both server and client code.
1054 Only this is allowed to set state->peerdn and state->have_set_peerdn
1055 and we use that to detect double-calls.
1056
1057 NOTE: the state blocks last while the TLS connection is up, which is fine
1058 for logging in the server side, but for the client side, we log after teardown
1059 in src/deliver.c. While the session is up, we can twist about states and
1060 repoint tls_* globals, but those variables used for logging or other variable
1061 expansion that happens _after_ delivery need to have a longer life-time.
1062
1063 So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1064 doing this more than once per generation of a state context. We set them in
1065 the state context, and repoint tls_* to them. After the state goes away, the
1066 tls_* copies of the pointers remain valid and client delivery logging is happy.
1067
1068 tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1069 don't apply.
1070
1071 Arguments:
1072 state exim_gnutls_state_st *
1073
1074 Returns: OK/DEFER/FAIL
1075 */
1076
1077 static int
1078 peer_status(exim_gnutls_state_st *state)
1079 {
1080 uschar cipherbuf[256];
1081 const gnutls_datum *cert_list;
1082 int old_pool, rc;
1083 unsigned int cert_list_size = 0;
1084 gnutls_protocol_t protocol;
1085 gnutls_cipher_algorithm_t cipher;
1086 gnutls_kx_algorithm_t kx;
1087 gnutls_mac_algorithm_t mac;
1088 gnutls_certificate_type_t ct;
1089 gnutls_x509_crt_t crt;
1090 uschar *p, *dn_buf;
1091 size_t sz;
1092
1093 if (state->have_set_peerdn)
1094 return OK;
1095 state->have_set_peerdn = TRUE;
1096
1097 state->peerdn = NULL;
1098
1099 /* tls_cipher */
1100 cipher = gnutls_cipher_get(state->session);
1101 protocol = gnutls_protocol_get_version(state->session);
1102 mac = gnutls_mac_get(state->session);
1103 kx = gnutls_kx_get(state->session);
1104
1105 string_format(cipherbuf, sizeof(cipherbuf),
1106 "%s:%s:%d",
1107 gnutls_protocol_get_name(protocol),
1108 gnutls_cipher_suite_get_name(kx, cipher, mac),
1109 (int) gnutls_cipher_get_key_size(cipher) * 8);
1110
1111 /* I don't see a way that spaces could occur, in the current GnuTLS
1112 code base, but it was a concern in the old code and perhaps older GnuTLS
1113 releases did return "TLS 1.0"; play it safe, just in case. */
1114 for (p = cipherbuf; *p != '\0'; ++p)
1115 if (isspace(*p))
1116 *p = '-';
1117 old_pool = store_pool;
1118 store_pool = POOL_PERM;
1119 state->ciphersuite = string_copy(cipherbuf);
1120 store_pool = old_pool;
1121 tls_cipher = state->ciphersuite;
1122
1123 /* tls_peerdn */
1124 cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
1125
1126 if (cert_list == NULL || cert_list_size == 0)
1127 {
1128 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1129 cert_list, cert_list_size);
1130 if (state->verify_requirement == VERIFY_REQUIRED)
1131 return tls_error(US"certificate verification failed",
1132 "no certificate received from peer", state->host);
1133 return OK;
1134 }
1135
1136 ct = gnutls_certificate_type_get(state->session);
1137 if (ct != GNUTLS_CRT_X509)
1138 {
1139 const char *ctn = gnutls_certificate_type_get_name(ct);
1140 DEBUG(D_tls)
1141 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
1142 if (state->verify_requirement == VERIFY_REQUIRED)
1143 return tls_error(US"certificate verification not possible, unhandled type",
1144 ctn, state->host);
1145 return OK;
1146 }
1147
1148 #define exim_gnutls_peer_err(Label) do { \
1149 if (rc != GNUTLS_E_SUCCESS) { \
1150 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", (Label), gnutls_strerror(rc)); \
1151 if (state->verify_requirement == VERIFY_REQUIRED) { return tls_error((Label), gnutls_strerror(rc), state->host); } \
1152 return OK; } } while (0)
1153
1154 rc = gnutls_x509_crt_init(&crt);
1155 exim_gnutls_peer_err(US"gnutls_x509_crt_init (crt)");
1156
1157 rc = gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER);
1158 exim_gnutls_peer_err(US"failed to import certificate [gnutls_x509_crt_import(cert 0)]");
1159 sz = 0;
1160 rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1161 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
1162 {
1163 exim_gnutls_peer_err(US"getting size for cert DN failed");
1164 return FAIL; /* should not happen */
1165 }
1166 dn_buf = store_get_perm(sz);
1167 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1168 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
1169 state->peerdn = dn_buf;
1170
1171 return OK;
1172 #undef exim_gnutls_peer_err
1173 }
1174
1175
1176
1177
1178 /*************************************************
1179 * Verify peer certificate *
1180 *************************************************/
1181
1182 /* Called from both server and client code.
1183 *Should* be using a callback registered with
1184 gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1185 the peer information, but that's too new for some OSes.
1186
1187 Arguments:
1188 state exim_gnutls_state_st *
1189 error where to put an error message
1190
1191 Returns:
1192 FALSE if the session should be rejected
1193 TRUE if the cert is okay or we just don't care
1194 */
1195
1196 static BOOL
1197 verify_certificate(exim_gnutls_state_st *state, const char **error)
1198 {
1199 int rc;
1200 unsigned int verify;
1201
1202 *error = NULL;
1203
1204 rc = peer_status(state);
1205 if (rc != OK)
1206 {
1207 verify = GNUTLS_CERT_INVALID;
1208 *error = "not supplied";
1209 }
1210 else
1211 {
1212 rc = gnutls_certificate_verify_peers2(state->session, &verify);
1213 }
1214
1215 /* Handle the result of verification. INVALID seems to be set as well
1216 as REVOKED, but leave the test for both. */
1217
1218 if ((rc < 0) || (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0)
1219 {
1220 state->peer_cert_verified = FALSE;
1221 if (*error == NULL)
1222 *error = ((verify & GNUTLS_CERT_REVOKED) != 0) ? "revoked" : "invalid";
1223
1224 DEBUG(D_tls)
1225 debug_printf("TLS certificate verification failed (%s): peerdn=%s\n",
1226 *error, state->peerdn ? state->peerdn : US"<unset>");
1227
1228 if (state->verify_requirement == VERIFY_REQUIRED)
1229 {
1230 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1231 return FALSE;
1232 }
1233 DEBUG(D_tls)
1234 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
1235 }
1236 else
1237 {
1238 state->peer_cert_verified = TRUE;
1239 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=%s\n",
1240 state->peerdn ? state->peerdn : US"<unset>");
1241 }
1242
1243 tls_peerdn = state->peerdn;
1244
1245 return TRUE;
1246 }
1247
1248
1249
1250
1251 /* ------------------------------------------------------------------------ */
1252 /* Callbacks */
1253
1254 /* Logging function which can be registered with
1255 * gnutls_global_set_log_function()
1256 * gnutls_global_set_log_level() 0..9
1257 */
1258 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1259 static void
1260 exim_gnutls_logger_cb(int level, const char *message)
1261 {
1262 size_t len = strlen(message);
1263 if (len < 1)
1264 {
1265 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1266 return;
1267 }
1268 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1269 message[len-1] == '\n' ? "" : "\n");
1270 }
1271 #endif
1272
1273
1274 /* Called after client hello, should handle SNI work.
1275 This will always set tls_sni (state->received_sni) if available,
1276 and may trigger presenting different certificates,
1277 if state->trigger_sni_changes is TRUE.
1278
1279 Should be registered with
1280 gnutls_handshake_set_post_client_hello_function()
1281
1282 "This callback must return 0 on success or a gnutls error code to terminate the
1283 handshake.".
1284
1285 For inability to get SNI information, we return 0.
1286 We only return non-zero if re-setup failed.
1287 */
1288
1289 static int
1290 exim_sni_handling_cb(gnutls_session_t session)
1291 {
1292 char sni_name[MAX_HOST_LEN];
1293 size_t data_len = MAX_HOST_LEN;
1294 exim_gnutls_state_st *state = current_global_tls_state;
1295 unsigned int sni_type;
1296 int rc, old_pool;
1297
1298 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
1299 if (rc != GNUTLS_E_SUCCESS)
1300 {
1301 DEBUG(D_tls) {
1302 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1303 debug_printf("TLS: no SNI presented in handshake.\n");
1304 else
1305 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1306 gnutls_strerror(rc), rc);
1307 };
1308 return 0;
1309 }
1310
1311 if (sni_type != GNUTLS_NAME_DNS)
1312 {
1313 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1314 return 0;
1315 }
1316
1317 /* We now have a UTF-8 string in sni_name */
1318 old_pool = store_pool;
1319 store_pool = POOL_PERM;
1320 state->received_sni = string_copyn(US sni_name, data_len);
1321 store_pool = old_pool;
1322
1323 /* We set this one now so that variable expansions below will work */
1324 tls_sni = state->received_sni;
1325
1326 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1327 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1328
1329 if (!state->trigger_sni_changes)
1330 return 0;
1331
1332 rc = tls_expand_session_files(state);
1333 if (rc != OK)
1334 {
1335 /* If the setup of certs/etc failed before handshake, TLS would not have
1336 been offered. The best we can do now is abort. */
1337 return GNUTLS_E_APPLICATION_ERROR_MIN;
1338 }
1339
1340 rc = tls_set_remaining_x509(state);
1341 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1342
1343 return 0;
1344 }
1345
1346
1347
1348
1349 /* ------------------------------------------------------------------------ */
1350 /* Exported functions */
1351
1352
1353
1354
1355 /*************************************************
1356 * Start a TLS session in a server *
1357 *************************************************/
1358
1359 /* This is called when Exim is running as a server, after having received
1360 the STARTTLS command. It must respond to that command, and then negotiate
1361 a TLS session.
1362
1363 Arguments:
1364 require_ciphers list of allowed ciphers or NULL
1365
1366 Returns: OK on success
1367 DEFER for errors before the start of the negotiation
1368 FAIL for errors during the negotation; the server can't
1369 continue running.
1370 */
1371
1372 int
1373 tls_server_start(const uschar *require_ciphers)
1374 {
1375 int rc;
1376 const char *error;
1377 exim_gnutls_state_st *state = NULL;
1378
1379 /* Check for previous activation */
1380 /* nb: this will not be TLS callout safe, needs reworking as part of that. */
1381
1382 if (tls_active >= 0)
1383 {
1384 tls_error(US"STARTTLS received after TLS started", "", NULL);
1385 smtp_printf("554 Already in TLS\r\n");
1386 return FAIL;
1387 }
1388
1389 /* Initialize the library. If it fails, it will already have logged the error
1390 and sent an SMTP response. */
1391
1392 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
1393
1394 rc = tls_init(NULL, tls_certificate, tls_privatekey,
1395 NULL, tls_verify_certificates, tls_crl,
1396 require_ciphers, &state);
1397 if (rc != OK) return rc;
1398
1399 /* If this is a host for which certificate verification is mandatory or
1400 optional, set up appropriately. */
1401
1402 if (verify_check_host(&tls_verify_hosts) == OK)
1403 {
1404 DEBUG(D_tls) debug_printf("TLS: a client certificate will be required.\n");
1405 state->verify_requirement = VERIFY_REQUIRED;
1406 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1407 }
1408 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1409 {
1410 DEBUG(D_tls) debug_printf("TLS: a client certificate will be requested but not required.\n");
1411 state->verify_requirement = VERIFY_OPTIONAL;
1412 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1413 }
1414 else
1415 {
1416 DEBUG(D_tls) debug_printf("TLS: a client certificate will not be requested.\n");
1417 state->verify_requirement = VERIFY_NONE;
1418 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1419 }
1420
1421 /* Register SNI handling; always, even if not in tls_certificate, so that the
1422 expansion variable $tls_sni is always available. */
1423
1424 gnutls_handshake_set_post_client_hello_function(state->session,
1425 exim_sni_handling_cb);
1426
1427 /* Set context and tell client to go ahead, except in the case of TLS startup
1428 on connection, where outputting anything now upsets the clients and tends to
1429 make them disconnect. We need to have an explicit fflush() here, to force out
1430 the response. Other smtp_printf() calls do not need it, because in non-TLS
1431 mode, the fflush() happens when smtp_getc() is called. */
1432
1433 if (!tls_on_connect)
1434 {
1435 smtp_printf("220 TLS go ahead\r\n");
1436 fflush(smtp_out);
1437 }
1438
1439 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1440 that the GnuTLS library doesn't. */
1441
1442 gnutls_transport_set_ptr2(state->session,
1443 (gnutls_transport_ptr)fileno(smtp_in),
1444 (gnutls_transport_ptr)fileno(smtp_out));
1445 state->fd_in = fileno(smtp_in);
1446 state->fd_out = fileno(smtp_out);
1447
1448 sigalrm_seen = FALSE;
1449 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1450 do
1451 {
1452 rc = gnutls_handshake(state->session);
1453 } while ((rc == GNUTLS_E_AGAIN) ||
1454 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1455 alarm(0);
1456
1457 if (rc != GNUTLS_E_SUCCESS)
1458 {
1459 tls_error(US"gnutls_handshake",
1460 sigalrm_seen ? "timed out" : gnutls_strerror(rc), NULL);
1461 /* It seems that, except in the case of a timeout, we have to close the
1462 connection right here; otherwise if the other end is running OpenSSL it hangs
1463 until the server times out. */
1464
1465 if (!sigalrm_seen)
1466 {
1467 (void)fclose(smtp_out);
1468 (void)fclose(smtp_in);
1469 }
1470
1471 return FAIL;
1472 }
1473
1474 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1475
1476 /* Verify after the fact */
1477
1478 if (state->verify_requirement != VERIFY_NONE)
1479 {
1480 if (!verify_certificate(state, &error))
1481 {
1482 if (state->verify_requirement == VERIFY_OPTIONAL)
1483 {
1484 DEBUG(D_tls)
1485 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
1486 error);
1487 }
1488 else
1489 {
1490 tls_error(US"certificate verification failed", error, NULL);
1491 return FAIL;
1492 }
1493 }
1494 }
1495
1496 /* Figure out peer DN, and if authenticated, etc. */
1497
1498 rc = peer_status(state);
1499 if (rc != OK) return rc;
1500
1501 /* Sets various Exim expansion variables; always safe within server */
1502
1503 extract_exim_vars_from_tls_state(state);
1504
1505 /* TLS has been set up. Adjust the input functions to read via TLS,
1506 and initialize appropriately. */
1507
1508 state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1509
1510 receive_getc = tls_getc;
1511 receive_ungetc = tls_ungetc;
1512 receive_feof = tls_feof;
1513 receive_ferror = tls_ferror;
1514 receive_smtp_buffered = tls_smtp_buffered;
1515
1516 return OK;
1517 }
1518
1519
1520
1521
1522 /*************************************************
1523 * Start a TLS session in a client *
1524 *************************************************/
1525
1526 /* Called from the smtp transport after STARTTLS has been accepted.
1527
1528 Arguments:
1529 fd the fd of the connection
1530 host connected host (for messages)
1531 addr the first address (not used)
1532 dhparam DH parameter file (ignored, we're a client)
1533 certificate certificate file
1534 privatekey private key file
1535 sni TLS SNI to send to remote host
1536 verify_certs file for certificate verify
1537 verify_crl CRL for verify
1538 require_ciphers list of allowed ciphers or NULL
1539 timeout startup timeout
1540
1541 Returns: OK/DEFER/FAIL (because using common functions),
1542 but for a client, DEFER and FAIL have the same meaning
1543 */
1544
1545 int
1546 tls_client_start(int fd, host_item *host,
1547 address_item *addr ARG_UNUSED, uschar *dhparam ARG_UNUSED,
1548 uschar *certificate, uschar *privatekey, uschar *sni,
1549 uschar *verify_certs, uschar *verify_crl,
1550 uschar *require_ciphers, int timeout)
1551 {
1552 int rc;
1553 const char *error;
1554 exim_gnutls_state_st *state = NULL;
1555
1556 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
1557
1558 rc = tls_init(host, certificate, privatekey,
1559 sni, verify_certs, verify_crl, require_ciphers, &state);
1560 if (rc != OK) return rc;
1561
1562 gnutls_dh_set_prime_bits(state->session, EXIM_CLIENT_DH_MIN_BITS);
1563
1564 if (verify_certs == NULL)
1565 {
1566 DEBUG(D_tls) debug_printf("TLS: server certificate verification not required\n");
1567 state->verify_requirement = VERIFY_NONE;
1568 /* we still ask for it, to log it, etc */
1569 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1570 }
1571 else
1572 {
1573 DEBUG(D_tls) debug_printf("TLS: server certificate verification required\n");
1574 state->verify_requirement = VERIFY_REQUIRED;
1575 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1576 }
1577
1578 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)fd);
1579 state->fd_in = fd;
1580 state->fd_out = fd;
1581
1582 /* There doesn't seem to be a built-in timeout on connection. */
1583
1584 sigalrm_seen = FALSE;
1585 alarm(timeout);
1586 do
1587 {
1588 rc = gnutls_handshake(state->session);
1589 } while ((rc == GNUTLS_E_AGAIN) ||
1590 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1591 alarm(0);
1592
1593 if (rc != GNUTLS_E_SUCCESS)
1594 return tls_error(US"gnutls_handshake",
1595 sigalrm_seen ? "timed out" : gnutls_strerror(rc), state->host);
1596
1597 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1598
1599 /* Verify late */
1600
1601 if (state->verify_requirement != VERIFY_NONE &&
1602 !verify_certificate(state, &error))
1603 return tls_error(US"certificate verification failed", error, state->host);
1604
1605 /* Figure out peer DN, and if authenticated, etc. */
1606
1607 rc = peer_status(state);
1608 if (rc != OK) return rc;
1609
1610 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
1611
1612 extract_exim_vars_from_tls_state(state);
1613
1614 return OK;
1615 }
1616
1617
1618
1619
1620 /*************************************************
1621 * Close down a TLS session *
1622 *************************************************/
1623
1624 /* This is also called from within a delivery subprocess forked from the
1625 daemon, to shut down the TLS library, without actually doing a shutdown (which
1626 would tamper with the TLS session in the parent process).
1627
1628 Arguments: TRUE if gnutls_bye is to be called
1629 Returns: nothing
1630 */
1631
1632 void
1633 tls_close(BOOL shutdown)
1634 {
1635 exim_gnutls_state_st *state = current_global_tls_state;
1636
1637 if (tls_active < 0) return; /* TLS was not active */
1638
1639 if (shutdown)
1640 {
1641 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
1642 gnutls_bye(state->session, GNUTLS_SHUT_WR);
1643 }
1644
1645 gnutls_deinit(state->session);
1646
1647 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1648
1649 if ((state_server.session == NULL) && (state_client.session == NULL))
1650 {
1651 gnutls_global_deinit();
1652 exim_gnutls_base_init_done = FALSE;
1653 }
1654
1655 tls_active = -1;
1656 }
1657
1658
1659
1660
1661 /*************************************************
1662 * TLS version of getc *
1663 *************************************************/
1664
1665 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
1666 it refills the buffer via the GnuTLS reading function.
1667
1668 This feeds DKIM and should be used for all message-body reads.
1669
1670 Arguments: none
1671 Returns: the next character or EOF
1672 */
1673
1674 int
1675 tls_getc(void)
1676 {
1677 exim_gnutls_state_st *state = current_global_tls_state;
1678 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
1679 {
1680 ssize_t inbytes;
1681
1682 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
1683 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
1684
1685 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1686 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
1687 ssl_xfer_buffer_size);
1688 alarm(0);
1689
1690 /* A zero-byte return appears to mean that the TLS session has been
1691 closed down, not that the socket itself has been closed down. Revert to
1692 non-TLS handling. */
1693
1694 if (inbytes == 0)
1695 {
1696 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
1697
1698 receive_getc = smtp_getc;
1699 receive_ungetc = smtp_ungetc;
1700 receive_feof = smtp_feof;
1701 receive_ferror = smtp_ferror;
1702 receive_smtp_buffered = smtp_buffered;
1703
1704 gnutls_deinit(state->session);
1705 state->session = NULL;
1706 tls_active = -1;
1707 tls_bits = 0;
1708 tls_certificate_verified = FALSE;
1709 tls_channelbinding_b64 = NULL;
1710 tls_cipher = NULL;
1711 tls_peerdn = NULL;
1712
1713 return smtp_getc();
1714 }
1715
1716 /* Handle genuine errors */
1717
1718 else if (inbytes < 0)
1719 {
1720 record_io_error(state, (int) inbytes, US"recv", NULL);
1721 state->xfer_error = 1;
1722 return EOF;
1723 }
1724 #ifndef DISABLE_DKIM
1725 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
1726 #endif
1727 state->xfer_buffer_hwm = (int) inbytes;
1728 state->xfer_buffer_lwm = 0;
1729 }
1730
1731 /* Something in the buffer; return next uschar */
1732
1733 return state->xfer_buffer[state->xfer_buffer_lwm++];
1734 }
1735
1736
1737
1738
1739 /*************************************************
1740 * Read bytes from TLS channel *
1741 *************************************************/
1742
1743 /* This does not feed DKIM, so if the caller uses this for reading message body,
1744 then the caller must feed DKIM.
1745 Arguments:
1746 buff buffer of data
1747 len size of buffer
1748
1749 Returns: the number of bytes read
1750 -1 after a failed read
1751 */
1752
1753 int
1754 tls_read(uschar *buff, size_t len)
1755 {
1756 exim_gnutls_state_st *state = current_global_tls_state;
1757 ssize_t inbytes;
1758
1759 if (len > INT_MAX)
1760 len = INT_MAX;
1761
1762 if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
1763 DEBUG(D_tls)
1764 debug_printf("*** PROBABLY A BUG *** " \
1765 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
1766 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
1767
1768 DEBUG(D_tls)
1769 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
1770 state->session, buff, len);
1771
1772 inbytes = gnutls_record_recv(state->session, buff, len);
1773 if (inbytes > 0) return inbytes;
1774 if (inbytes == 0)
1775 {
1776 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
1777 }
1778 else record_io_error(state, (int)inbytes, US"recv", NULL);
1779
1780 return -1;
1781 }
1782
1783
1784
1785
1786 /*************************************************
1787 * Write bytes down TLS channel *
1788 *************************************************/
1789
1790 /*
1791 Arguments:
1792 buff buffer of data
1793 len number of bytes
1794
1795 Returns: the number of bytes after a successful write,
1796 -1 after a failed write
1797 */
1798
1799 int
1800 tls_write(const uschar *buff, size_t len)
1801 {
1802 ssize_t outbytes;
1803 size_t left = len;
1804 exim_gnutls_state_st *state = current_global_tls_state;
1805
1806 DEBUG(D_tls) debug_printf("tls_do_write(%p, " SIZE_T_FMT ")\n", buff, left);
1807 while (left > 0)
1808 {
1809 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
1810 buff, left);
1811 outbytes = gnutls_record_send(state->session, buff, left);
1812
1813 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
1814 if (outbytes < 0)
1815 {
1816 record_io_error(state, outbytes, US"send", NULL);
1817 return -1;
1818 }
1819 if (outbytes == 0)
1820 {
1821 record_io_error(state, 0, US"send", US"TLS channel closed on write");
1822 return -1;
1823 }
1824
1825 left -= outbytes;
1826 buff += outbytes;
1827 }
1828
1829 if (len > INT_MAX)
1830 {
1831 DEBUG(D_tls)
1832 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
1833 len);
1834 len = INT_MAX;
1835 }
1836
1837 return (int) len;
1838 }
1839
1840
1841
1842
1843 /*************************************************
1844 * Random number generation *
1845 *************************************************/
1846
1847 /* Pseudo-random number generation. The result is not expected to be
1848 cryptographically strong but not so weak that someone will shoot themselves
1849 in the foot using it as a nonce in input in some email header scheme or
1850 whatever weirdness they'll twist this into. The result should handle fork()
1851 and avoid repeating sequences. OpenSSL handles that for us.
1852
1853 Arguments:
1854 max range maximum
1855 Returns a random number in range [0, max-1]
1856 */
1857
1858 #ifdef HAVE_GNUTLS_RND
1859 int
1860 vaguely_random_number(int max)
1861 {
1862 unsigned int r;
1863 int i, needed_len;
1864 uschar *p;
1865 uschar smallbuf[sizeof(r)];
1866
1867 if (max <= 1)
1868 return 0;
1869
1870 needed_len = sizeof(r);
1871 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
1872 * asked for a number less than 10. */
1873 for (r = max, i = 0; r; ++i)
1874 r >>= 1;
1875 i = (i + 7) / 8;
1876 if (i < needed_len)
1877 needed_len = i;
1878
1879 i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
1880 if (i < 0)
1881 {
1882 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
1883 return vaguely_random_number_fallback(max);
1884 }
1885 r = 0;
1886 for (p = smallbuf; needed_len; --needed_len, ++p)
1887 {
1888 r *= 256;
1889 r += *p;
1890 }
1891
1892 /* We don't particularly care about weighted results; if someone wants
1893 * smooth distribution and cares enough then they should submit a patch then. */
1894 return r % max;
1895 }
1896 #else /* HAVE_GNUTLS_RND */
1897 int
1898 vaguely_random_number(int max)
1899 {
1900 return vaguely_random_number_fallback(max);
1901 }
1902 #endif /* HAVE_GNUTLS_RND */
1903
1904
1905
1906
1907 /*************************************************
1908 * Let tls_require_ciphers be checked at startup *
1909 *************************************************/
1910
1911 /* The tls_require_ciphers option, if set, must be something which the
1912 library can parse.
1913
1914 Returns: NULL on success, or error message
1915 */
1916
1917 uschar *
1918 tls_validate_require_cipher(void)
1919 {
1920 int rc;
1921 uschar *expciphers = NULL;
1922 gnutls_priority_t priority_cache;
1923 const char *errpos;
1924
1925 #define validate_check_rc(Label) do { \
1926 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
1927 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
1928 #define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
1929
1930 if (exim_gnutls_base_init_done)
1931 log_write(0, LOG_MAIN|LOG_PANIC,
1932 "already initialised GnuTLS, Exim developer bug");
1933
1934 rc = gnutls_global_init();
1935 validate_check_rc(US"gnutls_global_init()");
1936 exim_gnutls_base_init_done = TRUE;
1937
1938 if (!(tls_require_ciphers && *tls_require_ciphers))
1939 return_deinit(NULL);
1940
1941 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
1942 return_deinit(US"failed to expand tls_require_ciphers");
1943
1944 if (!(expciphers && *expciphers))
1945 return_deinit(NULL);
1946
1947 DEBUG(D_tls)
1948 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
1949
1950 rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
1951 validate_check_rc(string_sprintf(
1952 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
1953 expciphers, errpos - CS expciphers, errpos));
1954
1955 #undef return_deinit
1956 #undef validate_check_rc
1957 gnutls_global_deinit();
1958
1959 return NULL;
1960 }
1961
1962
1963
1964
1965 /*************************************************
1966 * Report the library versions. *
1967 *************************************************/
1968
1969 /* See a description in tls-openssl.c for an explanation of why this exists.
1970
1971 Arguments: a FILE* to print the results to
1972 Returns: nothing
1973 */
1974
1975 void
1976 tls_version_report(FILE *f)
1977 {
1978 fprintf(f, "Library version: GnuTLS: Compile: %s\n"
1979 " Runtime: %s\n",
1980 LIBGNUTLS_VERSION,
1981 gnutls_check_version(NULL));
1982 }
1983
1984 /* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.