projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
TLS: Feature macros
[exim.git] / src / src / tls-gnu.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Copyright (c) Phil Pennock 2012 */
9
10 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
11 one of the available supported implementations. This file is #included into
12 tls.c when USE_GNUTLS has been set.
13
14 The code herein is a revamp of GnuTLS integration using the current APIs; the
15 original tls-gnu.c was based on a patch which was contributed by Nikos
16 Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17 appropriate.
18
19 APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20 which is not widely deployed by OS vendors. Will note issues below, which may
21 assist in updating the code in the future. Another sources of hints is
22 mod_gnutls for Apache (SNI callback registration and handling).
23
24 Keeping client and server variables more split than before and is currently
25 the norm, in anticipation of TLS in ACL callouts.
26
27 I wanted to switch to gnutls_certificate_set_verify_function() so that
28 certificate rejection could happen during handshake where it belongs, rather
29 than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30 (6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
31
32 (I wasn't looking for libraries quite that old, when updating to get rid of
33 compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34 require current GnuTLS, then we'll drop support for the ancient libraries).
35 */
36
37 #include <gnutls/gnutls.h>
38 /* needed for cert checks in verification and DN extraction: */
39 #include <gnutls/x509.h>
40 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41 #include <gnutls/crypto.h>
42
43 /* needed to disable PKCS11 autoload unless requested */
44 #if GNUTLS_VERSION_NUMBER >= 0x020c00
45 # include <gnutls/pkcs11.h>
46 # define SUPPORT_PARAM_TO_PK_BITS
47 #endif
48 #if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
49 # warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
50 # define DISABLE_OCSP
51 #endif
52 #if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
53 # warning "GnuTLS library version too old; tls:cert event unsupported"
54 # define DISABLE_EVENT
55 #endif
56 #if GNUTLS_VERSION_NUMBER >= 0x030306
57 # define SUPPORT_CA_DIR
58 #else
59 # undef SUPPORT_CA_DIR
60 #endif
61 #if GNUTLS_VERSION_NUMBER >= 0x030014
62 # define SUPPORT_SYSDEFAULT_CABUNDLE
63 #endif
64 #if GNUTLS_VERSION_NUMBER >= 0x030104
65 # define GNUTLS_CERT_VFY_STATUS_PRINT
66 #endif
67 #if GNUTLS_VERSION_NUMBER >= 0x030109
68 # define SUPPORT_CORK
69 #endif
70 #if GNUTLS_VERSION_NUMBER >= 0x03010a
71 # define SUPPORT_GNUTLS_SESS_DESC
72 #endif
73 #if GNUTLS_VERSION_NUMBER >= 0x030300
74 # define GNUTLS_AUTO_GLOBAL_INIT
75 # define GNUTLS_AUTO_PKCS11_MANUAL
76 #endif
77 #if (GNUTLS_VERSION_NUMBER >= 0x030404) \
78 || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
79 # ifndef DISABLE_OCSP
80 # define EXIM_HAVE_OCSP
81 # endif
82 #endif
83 #if GNUTLS_VERSION_NUMBER >= 0x030500
84 # define SUPPORT_GNUTLS_KEYLOG
85 #endif
86 #if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
87 # define SUPPORT_SRV_OCSP_STACK
88 #endif
89 #if GNUTLS_VERSION_NUMBER >= 0x030600
90 # define GNUTLS_AUTO_DHPARAMS
91 #endif
92 #if GNUTLS_VERSION_NUMBER >= 0x030603
93 # define EXIM_HAVE_TLS1_3
94 # define SUPPORT_GNUTLS_EXT_RAW_PARSE
95 # define GNUTLS_OCSP_STATUS_REQUEST_GET2
96 #endif
97
98 #ifdef SUPPORT_DANE
99 # if GNUTLS_VERSION_NUMBER >= 0x030000
100 # define DANESSL_USAGE_DANE_TA 2
101 # define DANESSL_USAGE_DANE_EE 3
102 # else
103 # error GnuTLS version too early for DANE
104 # endif
105 # if GNUTLS_VERSION_NUMBER < 0x999999
106 # define GNUTLS_BROKEN_DANE_VALIDATION
107 # endif
108 #endif
109
110 #ifdef EXPERIMENTAL_TLS_RESUME
111 # if GNUTLS_VERSION_NUMBER < 0x030603
112 # error GNUTLS version too early for session-resumption
113 # endif
114 #endif
115
116 #ifndef DISABLE_OCSP
117 # include <gnutls/ocsp.h>
118 #endif
119 #ifdef SUPPORT_DANE
120 # include <gnutls/dane.h>
121 #endif
122
123 #include "tls-cipher-stdname.c"
124
125
126 #ifdef MACRO_PREDEF
127 void
128 options_tls(void)
129 {
130 # ifdef EXPERIMENTAL_TLS_RESUME
131 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
132 # endif
133 # ifdef EXIM_HAVE_TLS1_3
134 builtin_macro_create(US"_HAVE_TLS1_3");
135 # endif
136 # ifdef EXIM_HAVE_OCSP
137 builtin_macro_create(US"_HAVE_TLS_OCSP");
138 # endif
139 # ifdef SUPPORT_SRV_OCSP_STACK
140 builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
141 # endif
142 }
143 #else
144
145
146 /* GnuTLS 2 vs 3
147
148 GnuTLS 3 only:
149 gnutls_global_set_audit_log_function()
150
151 Changes:
152 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
153 */
154
155 /* Local static variables for GnuTLS */
156
157 /* Values for verify_requirement */
158
159 enum peer_verify_requirement
160 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
161
162 /* This holds most state for server or client; with this, we can set up an
163 outbound TLS-enabled connection in an ACL callout, while not stomping all
164 over the TLS variables available for expansion.
165
166 Some of these correspond to variables in globals.c; those variables will
167 be set to point to content in one of these instances, as appropriate for
168 the stage of the process lifetime.
169
170 Not handled here: global tls_channelbinding_b64.
171 */
172
173 typedef struct exim_gnutls_state {
174 gnutls_session_t session;
175 gnutls_certificate_credentials_t x509_cred;
176 gnutls_priority_t priority_cache;
177 enum peer_verify_requirement verify_requirement;
178 int fd_in;
179 int fd_out;
180 BOOL peer_cert_verified;
181 BOOL peer_dane_verified;
182 BOOL trigger_sni_changes;
183 BOOL have_set_peerdn;
184 const struct host_item *host; /* NULL if server */
185 gnutls_x509_crt_t peercert;
186 uschar *peerdn;
187 uschar *ciphersuite;
188 uschar *received_sni;
189
190 const uschar *tls_certificate;
191 const uschar *tls_privatekey;
192 const uschar *tls_sni; /* client send only, not received */
193 const uschar *tls_verify_certificates;
194 const uschar *tls_crl;
195 const uschar *tls_require_ciphers;
196
197 uschar *exp_tls_certificate;
198 uschar *exp_tls_privatekey;
199 uschar *exp_tls_verify_certificates;
200 uschar *exp_tls_crl;
201 uschar *exp_tls_require_ciphers;
202 const uschar *exp_tls_verify_cert_hostnames;
203 #ifndef DISABLE_EVENT
204 uschar *event_action;
205 #endif
206 #ifdef SUPPORT_DANE
207 char * const * dane_data;
208 const int * dane_data_len;
209 #endif
210
211 tls_support *tlsp; /* set in tls_init() */
212
213 uschar *xfer_buffer;
214 int xfer_buffer_lwm;
215 int xfer_buffer_hwm;
216 BOOL xfer_eof; /*XXX never gets set! */
217 BOOL xfer_error;
218 } exim_gnutls_state_st;
219
220 static const exim_gnutls_state_st exim_gnutls_state_init = {
221 /* all elements not explicitly intialised here get 0/NULL/FALSE */
222 .fd_in = -1,
223 .fd_out = -1,
224 };
225
226 /* Not only do we have our own APIs which don't pass around state, assuming
227 it's held in globals, GnuTLS doesn't appear to let us register callback data
228 for callbacks, or as part of the session, so we have to keep a "this is the
229 context we're currently dealing with" pointer and rely upon being
230 single-threaded to keep from processing data on an inbound TLS connection while
231 talking to another TLS connection for an outbound check. This does mean that
232 there's no way for heart-beats to be responded to, for the duration of the
233 second connection.
234 XXX But see gnutls_session_get_ptr()
235 */
236
237 static exim_gnutls_state_st state_server;
238
239 #ifndef GNUTLS_AUTO_DHPARAMS
240 /* dh_params are initialised once within the lifetime of a process using TLS;
241 if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
242 don't want to repeat this. */
243
244 static gnutls_dh_params_t dh_server_params = NULL;
245 #endif
246
247 static int ssl_session_timeout = 7200; /* Two hours */
248
249 static const uschar * const exim_default_gnutls_priority = US"NORMAL";
250
251 /* Guard library core initialisation */
252
253 static BOOL exim_gnutls_base_init_done = FALSE;
254
255 #ifndef DISABLE_OCSP
256 static BOOL gnutls_buggy_ocsp = FALSE;
257 static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
258 #endif
259
260 #ifdef EXPERIMENTAL_TLS_RESUME
261 static gnutls_datum_t server_sessticket_key;
262 #endif
263
264 /* ------------------------------------------------------------------------ */
265 /* macros */
266
267 #define MAX_HOST_LEN 255
268
269 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
270 the library logging; a value less than 0 disables the calls to set up logging
271 callbacks. GNuTLS also looks for an environment variable - except not for
272 setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
273 Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
274 but the env var must be added to /etc/sudoers too. */
275 #ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
276 # define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
277 #endif
278
279 #ifndef EXIM_CLIENT_DH_MIN_BITS
280 # define EXIM_CLIENT_DH_MIN_BITS 1024
281 #endif
282
283 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
284 can ask for a bit-strength. Without that, we stick to the constant we had
285 before, for now. */
286 #ifndef EXIM_SERVER_DH_BITS_PRE2_12
287 # define EXIM_SERVER_DH_BITS_PRE2_12 1024
288 #endif
289
290 #define expand_check_tlsvar(Varname, errstr) \
291 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
292
293 #if GNUTLS_VERSION_NUMBER >= 0x020c00
294 # define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
295 # define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
296 # define HAVE_GNUTLS_RND
297 /* The security fix we provide with the gnutls_allow_auto_pkcs11 option
298 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
299 * isn't available sometimes, so this needs to become a conditional
300 * compilation; the sanest way to deal with this being a problem on
301 * older OSes is to block it in the Local/Makefile with this compiler
302 * definition */
303 # ifndef AVOID_GNUTLS_PKCS11
304 # define HAVE_GNUTLS_PKCS11
305 # endif /* AVOID_GNUTLS_PKCS11 */
306 #endif
307
308
309
310
311 /* ------------------------------------------------------------------------ */
312 /* Callback declarations */
313
314 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
315 static void exim_gnutls_logger_cb(int level, const char *message);
316 #endif
317
318 static int exim_sni_handling_cb(gnutls_session_t session);
319
320 #ifdef EXPERIMENTAL_TLS_RESUME
321 static int
322 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
323 unsigned incoming, const gnutls_datum_t * msg);
324 #endif
325
326
327 /* Daemon one-time initialisation */
328 void
329 tls_daemon_init(void)
330 {
331 #ifdef EXPERIMENTAL_TLS_RESUME
332 /* We are dependent on the GnuTLS implementation of the Session Ticket
333 encryption; both the strength and the key rotation period. We hope that
334 the strength at least matches that of the ciphersuite (but GnuTLS does not
335 document this). */
336
337 static BOOL once = FALSE;
338 if (once) return;
339 once = TRUE;
340 gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
341 if (f.running_in_test_harness) ssl_session_timeout = 6;
342 #endif
343 }
344
345 /* ------------------------------------------------------------------------ */
346 /* Static functions */
347
348 /*************************************************
349 * Handle TLS error *
350 *************************************************/
351
352 /* Called from lots of places when errors occur before actually starting to do
353 the TLS handshake, that is, while the session is still in clear. Always returns
354 DEFER for a server and FAIL for a client so that most calls can use "return
355 tls_error(...)" to do this processing and then give an appropriate return. A
356 single function is used for both server and client, because it is called from
357 some shared functions.
358
359 Argument:
360 prefix text to include in the logged error
361 msg additional error string (may be NULL)
362 usually obtained from gnutls_strerror()
363 host NULL if setting up a server;
364 the connected host if setting up a client
365 errstr pointer to returned error string
366
367 Returns: OK/DEFER/FAIL
368 */
369
370 static int
371 tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
372 uschar ** errstr)
373 {
374 if (errstr)
375 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
376 return host ? FAIL : DEFER;
377 }
378
379
380 static int
381 tls_error_gnu(const uschar *prefix, int err, const host_item *host,
382 uschar ** errstr)
383 {
384 return tls_error(prefix, US gnutls_strerror(err), host, errstr);
385 }
386
387 static int
388 tls_error_sys(const uschar *prefix, int err, const host_item *host,
389 uschar ** errstr)
390 {
391 return tls_error(prefix, US strerror(err), host, errstr);
392 }
393
394
395 /*************************************************
396 * Deal with logging errors during I/O *
397 *************************************************/
398
399 /* We have to get the identity of the peer from saved data.
400
401 Argument:
402 state the current GnuTLS exim state container
403 rc the GnuTLS error code, or 0 if it's a local error
404 when text identifying read or write
405 text local error text when rc is 0
406
407 Returns: nothing
408 */
409
410 static void
411 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
412 {
413 const uschar * msg;
414 uschar * errstr;
415
416 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
417 msg = string_sprintf("A TLS fatal alert has been received: %s",
418 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
419 else
420 msg = US gnutls_strerror(rc);
421
422 (void) tls_error(when, msg, state->host, &errstr);
423
424 if (state->host)
425 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
426 state->host->name, state->host->address, errstr);
427 else
428 {
429 uschar * conn_info = smtp_get_connection_info();
430 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
431 /* I'd like to get separated H= here, but too hard for now */
432 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
433 }
434 }
435
436
437
438
439 /*************************************************
440 * Set various Exim expansion vars *
441 *************************************************/
442
443 #define exim_gnutls_cert_err(Label) \
444 do \
445 { \
446 if (rc != GNUTLS_E_SUCCESS) \
447 { \
448 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
449 (Label), gnutls_strerror(rc)); \
450 return rc; \
451 } \
452 } while (0)
453
454 static int
455 import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
456 {
457 int rc;
458
459 rc = gnutls_x509_crt_init(crtp);
460 exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
461
462 rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
463 exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
464
465 return rc;
466 }
467
468 #undef exim_gnutls_cert_err
469
470
471 /* We set various Exim global variables from the state, once a session has
472 been established. With TLS callouts, may need to change this to stack
473 variables, or just re-call it with the server state after client callout
474 has finished.
475
476 Make sure anything set here is unset in tls_getc().
477
478 Sets:
479 tls_active fd
480 tls_bits strength indicator
481 tls_certificate_verified bool indicator
482 tls_channelbinding_b64 for some SASL mechanisms
483 tls_cipher a string
484 tls_peercert pointer to library internal
485 tls_peerdn a string
486 tls_sni a (UTF-8) string
487 tls_ourcert pointer to library internal
488
489 Argument:
490 state the relevant exim_gnutls_state_st *
491 */
492
493 static void
494 extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
495 {
496 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
497 int old_pool;
498 int rc;
499 gnutls_datum_t channel;
500 #endif
501 tls_support * tlsp = state->tlsp;
502
503 tlsp->active.sock = state->fd_out;
504 tlsp->active.tls_ctx = state;
505
506 DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
507
508 tlsp->certificate_verified = state->peer_cert_verified;
509 #ifdef SUPPORT_DANE
510 tlsp->dane_verified = state->peer_dane_verified;
511 #endif
512
513 /* note that tls_channelbinding_b64 is not saved to the spool file, since it's
514 only available for use for authenticators while this TLS session is running. */
515
516 tls_channelbinding_b64 = NULL;
517 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
518 channel.data = NULL;
519 channel.size = 0;
520 if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
521 { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
522 else
523 {
524 old_pool = store_pool;
525 store_pool = POOL_PERM;
526 tls_channelbinding_b64 = b64encode(CUS channel.data, (int)channel.size);
527 store_pool = old_pool;
528 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
529 }
530 #endif
531
532 /* peercert is set in peer_status() */
533 tlsp->peerdn = state->peerdn;
534 tlsp->sni = state->received_sni;
535
536 /* record our certificate */
537 {
538 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
539 gnutls_x509_crt_t crt;
540
541 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
542 }
543 }
544
545
546
547
548 #ifndef GNUTLS_AUTO_DHPARAMS
549 /*************************************************
550 * Setup up DH parameters *
551 *************************************************/
552
553 /* Generating the D-H parameters may take a long time. They only need to
554 be re-generated every so often, depending on security policy. What we do is to
555 keep these parameters in a file in the spool directory. If the file does not
556 exist, we generate them. This means that it is easy to cause a regeneration.
557
558 The new file is written as a temporary file and renamed, so that an incomplete
559 file is never present. If two processes both compute some new parameters, you
560 waste a bit of effort, but it doesn't seem worth messing around with locking to
561 prevent this.
562
563 Returns: OK/DEFER/FAIL
564 */
565
566 static int
567 init_server_dh(uschar ** errstr)
568 {
569 int fd, rc;
570 unsigned int dh_bits;
571 gnutls_datum_t m = {.data = NULL, .size = 0};
572 uschar filename_buf[PATH_MAX];
573 uschar *filename = NULL;
574 size_t sz;
575 uschar *exp_tls_dhparam;
576 BOOL use_file_in_spool = FALSE;
577 host_item *host = NULL; /* dummy for macros */
578
579 DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
580
581 if ((rc = gnutls_dh_params_init(&dh_server_params)))
582 return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
583
584 if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
585 return DEFER;
586
587 if (!exp_tls_dhparam)
588 {
589 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
590 m.data = US std_dh_prime_default();
591 m.size = Ustrlen(m.data);
592 }
593 else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
594 use_file_in_spool = TRUE;
595 else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
596 {
597 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
598 return OK;
599 }
600 else if (exp_tls_dhparam[0] != '/')
601 {
602 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
603 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
604 m.size = Ustrlen(m.data);
605 }
606 else
607 filename = exp_tls_dhparam;
608
609 if (m.data)
610 {
611 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
612 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
613 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
614 return OK;
615 }
616
617 #ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
618 /* If you change this constant, also change dh_param_fn_ext so that we can use a
619 different filename and ensure we have sufficient bits. */
620
621 if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
622 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
623 DEBUG(D_tls)
624 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
625 dh_bits);
626 #else
627 dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
628 DEBUG(D_tls)
629 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
630 dh_bits);
631 #endif
632
633 /* Some clients have hard-coded limits. */
634 if (dh_bits > tls_dh_max_bits)
635 {
636 DEBUG(D_tls)
637 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
638 tls_dh_max_bits);
639 dh_bits = tls_dh_max_bits;
640 }
641
642 if (use_file_in_spool)
643 {
644 if (!string_format(filename_buf, sizeof(filename_buf),
645 "%s/gnutls-params-%d", spool_directory, dh_bits))
646 return tls_error(US"overlong filename", NULL, NULL, errstr);
647 filename = filename_buf;
648 }
649
650 /* Open the cache file for reading and if successful, read it and set up the
651 parameters. */
652
653 if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
654 {
655 struct stat statbuf;
656 FILE *fp;
657 int saved_errno;
658
659 if (fstat(fd, &statbuf) < 0) /* EIO */
660 {
661 saved_errno = errno;
662 (void)close(fd);
663 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
664 }
665 if (!S_ISREG(statbuf.st_mode))
666 {
667 (void)close(fd);
668 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
669 }
670 if (!(fp = fdopen(fd, "rb")))
671 {
672 saved_errno = errno;
673 (void)close(fd);
674 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
675 saved_errno, NULL, errstr);
676 }
677
678 m.size = statbuf.st_size;
679 if (!(m.data = store_malloc(m.size)))
680 {
681 fclose(fp);
682 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
683 }
684 if (!(sz = fread(m.data, m.size, 1, fp)))
685 {
686 saved_errno = errno;
687 fclose(fp);
688 store_free(m.data);
689 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
690 }
691 fclose(fp);
692
693 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
694 store_free(m.data);
695 if (rc)
696 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
697 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
698 }
699
700 /* If the file does not exist, fall through to compute new data and cache it.
701 If there was any other opening error, it is serious. */
702
703 else if (errno == ENOENT)
704 {
705 rc = -1;
706 DEBUG(D_tls)
707 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
708 }
709 else
710 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
711 NULL, NULL, errstr);
712
713 /* If ret < 0, either the cache file does not exist, or the data it contains
714 is not useful. One particular case of this is when upgrading from an older
715 release of Exim in which the data was stored in a different format. We don't
716 try to be clever and support both formats; we just regenerate new data in this
717 case. */
718
719 if (rc < 0)
720 {
721 uschar *temp_fn;
722 unsigned int dh_bits_gen = dh_bits;
723
724 if ((PATH_MAX - Ustrlen(filename)) < 10)
725 return tls_error(US"Filename too long to generate replacement",
726 filename, NULL, errstr);
727
728 temp_fn = string_copy(US"%s.XXXXXXX");
729 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
730 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
731 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
732
733 /* GnuTLS overshoots! If we ask for 2236, we might get 2237 or more. But
734 there's no way to ask GnuTLS how many bits there really are. We can ask
735 how many bits were used in a TLS session, but that's it! The prime itself
736 is hidden behind too much abstraction. So we ask for less, and proceed on
737 a wing and a prayer. First attempt, subtracted 3 for 2233 and got 2240. */
738
739 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
740 {
741 dh_bits_gen = dh_bits - 10;
742 DEBUG(D_tls)
743 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
744 dh_bits_gen);
745 }
746
747 DEBUG(D_tls)
748 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
749 dh_bits_gen);
750 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
751 return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
752
753 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
754 and I confirmed that a NULL call to get the size first is how the GnuTLS
755 sample apps handle this. */
756
757 sz = 0;
758 m.data = NULL;
759 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
760 GNUTLS_X509_FMT_PEM, m.data, &sz))
761 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
762 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
763 rc, host, errstr);
764 m.size = sz;
765 if (!(m.data = store_malloc(m.size)))
766 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
767
768 /* this will return a size 1 less than the allocation size above */
769 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
770 m.data, &sz)))
771 {
772 store_free(m.data);
773 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
774 }
775 m.size = sz; /* shrink by 1, probably */
776
777 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
778 {
779 store_free(m.data);
780 return tls_error_sys(US"TLS cache write D-H params failed",
781 errno, NULL, errstr);
782 }
783 store_free(m.data);
784 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
785 return tls_error_sys(US"TLS cache write D-H params final newline failed",
786 errno, NULL, errstr);
787
788 if ((rc = close(fd)))
789 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
790
791 if (Urename(temp_fn, filename) < 0)
792 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
793 temp_fn, filename), errno, NULL, errstr);
794
795 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
796 }
797
798 DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
799 return OK;
800 }
801 #endif
802
803
804
805
806 /* Create and install a selfsigned certificate, for use in server mode */
807
808 static int
809 tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
810 {
811 gnutls_x509_crt_t cert = NULL;
812 time_t now;
813 gnutls_x509_privkey_t pkey = NULL;
814 const uschar * where;
815 int rc;
816
817 where = US"initialising pkey";
818 if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
819
820 where = US"initialising cert";
821 if ((rc = gnutls_x509_crt_init(&cert))) goto err;
822
823 where = US"generating pkey";
824 if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
825 #ifdef SUPPORT_PARAM_TO_PK_BITS
826 # ifndef GNUTLS_SEC_PARAM_MEDIUM
827 # define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
828 # endif
829 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
830 #else
831 2048,
832 #endif
833 0)))
834 goto err;
835
836 where = US"configuring cert";
837 now = 1;
838 if ( (rc = gnutls_x509_crt_set_version(cert, 3))
839 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
840 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
841 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
842 || (rc = gnutls_x509_crt_set_key(cert, pkey))
843
844 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
845 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
846 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
847 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
848 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
849 GNUTLS_OID_X520_COMMON_NAME, 0,
850 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
851 )
852 goto err;
853
854 where = US"signing cert";
855 if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
856
857 where = US"installing selfsign cert";
858 /* Since: 2.4.0 */
859 if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
860 goto err;
861
862 rc = OK;
863
864 out:
865 if (cert) gnutls_x509_crt_deinit(cert);
866 if (pkey) gnutls_x509_privkey_deinit(pkey);
867 return rc;
868
869 err:
870 rc = tls_error_gnu(where, rc, NULL, errstr);
871 goto out;
872 }
873
874
875
876
877 /* Add certificate and key, from files.
878
879 Return:
880 Zero or negative: good. Negate value for certificate index if < 0.
881 Greater than zero: FAIL or DEFER code.
882 */
883
884 static int
885 tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
886 uschar * certfile, uschar * keyfile, uschar ** errstr)
887 {
888 int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
889 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
890 if (rc < 0)
891 return tls_error_gnu(
892 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
893 rc, host, errstr);
894 return -rc;
895 }
896
897
898 #if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
899 /* Load an OCSP proof from file for sending by the server. Called
900 on getting a status-request handshake message, for earlier versions
901 of GnuTLS. */
902
903 static int
904 server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
905 gnutls_datum_t * ocsp_response)
906 {
907 int ret;
908 DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
909
910 if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
911 {
912 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
913 CS ptr);
914 tls_in.ocsp = OCSP_NOT_RESP;
915 return GNUTLS_E_NO_CERTIFICATE_STATUS;
916 }
917
918 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
919 return 0;
920 }
921 #endif
922
923
924 #ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
925 /* Make a note that we saw a status-request */
926 static int
927 tls_server_clienthello_ext(void * ctx, unsigned tls_id,
928 const unsigned char *data, unsigned size)
929 {
930 /* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
931 if (tls_id == 5) /* status_request */
932 {
933 DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
934 tls_in.ocsp = OCSP_NOT_RESP;
935 }
936 return 0;
937 }
938
939 /* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
940 static int
941 tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
942 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
943 {
944 /* Call fn for each extension seen. 3.6.3 onwards */
945 return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
946 GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
947 }
948
949
950 /* Make a note that we saw a status-response */
951 static int
952 tls_server_servercerts_ext(void * ctx, unsigned tls_id,
953 const unsigned char *data, unsigned size)
954 {
955 /* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
956 /* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
957 if (FALSE && tls_id == 5) /* status_request */
958 {
959 DEBUG(D_tls) debug_printf("Seen status_request extension\n");
960 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
961 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
962 }
963 return 0;
964 }
965
966 /* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
967 static int
968 tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
969 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
970 {
971 /* Call fn for each extension seen. 3.6.3 onwards */
972 #ifdef notdef
973 /*XXX crashes */
974 return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
975 #endif
976 }
977 #endif
978
979 /*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
980 "Handshake Protocol: Certificate" record.
981 So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
982
983 This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term).
984 */
985
986 #if defined(EXPERIMENTAL_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
987 /* Callback for certificate-status, on server. We sent stapled OCSP. */
988 static int
989 tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
990 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
991 {
992 DEBUG(D_tls) debug_printf("Sending certificate-status\n"); /*XXX we get this for tls1.2 but not for 1.3 */
993 #ifdef SUPPORT_SRV_OCSP_STACK
994 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
995 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
996 #else
997 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
998 #endif
999 return 0;
1000 }
1001
1002 /* Callback for handshake messages, on server */
1003 static int
1004 tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
1005 unsigned incoming, const gnutls_datum_t * msg)
1006 {
1007 /* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
1008 switch (htype)
1009 {
1010 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1011 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1012 return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
1013 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1014 return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
1015 # endif
1016 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1017 return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
1018 # ifdef EXPERIMENTAL_TLS_RESUME
1019 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1020 return tls_server_ticket_cb(sess, htype, when, incoming, msg);
1021 # endif
1022 default:
1023 return 0;
1024 }
1025 }
1026 #endif
1027
1028
1029 #if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1030 static void
1031 tls_server_testharness_ocsp_fiddle(void)
1032 {
1033 extern char ** environ;
1034 if (environ) for (uschar ** p = USS environ; *p; p++)
1035 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1036 {
1037 DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
1038 exim_testharness_disable_ocsp_validity_check = TRUE;
1039 }
1040 }
1041 #endif
1042
1043 /*************************************************
1044 * Variables re-expanded post-SNI *
1045 *************************************************/
1046
1047 /* Called from both server and client code, via tls_init(), and also from
1048 the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
1049
1050 We can tell the two apart by state->received_sni being non-NULL in callback.
1051
1052 The callback should not call us unless state->trigger_sni_changes is true,
1053 which we are responsible for setting on the first pass through.
1054
1055 Arguments:
1056 state exim_gnutls_state_st *
1057 errstr error string pointer
1058
1059 Returns: OK/DEFER/FAIL
1060 */
1061
1062 static int
1063 tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
1064 {
1065 struct stat statbuf;
1066 int rc;
1067 const host_item *host = state->host; /* macro should be reconsidered? */
1068 uschar *saved_tls_certificate = NULL;
1069 uschar *saved_tls_privatekey = NULL;
1070 uschar *saved_tls_verify_certificates = NULL;
1071 uschar *saved_tls_crl = NULL;
1072 int cert_count;
1073
1074 /* We check for tls_sni *before* expansion. */
1075 if (!host) /* server */
1076 if (!state->received_sni)
1077 {
1078 if ( state->tls_certificate
1079 && ( Ustrstr(state->tls_certificate, US"tls_sni")
1080 || Ustrstr(state->tls_certificate, US"tls_in_sni")
1081 || Ustrstr(state->tls_certificate, US"tls_out_sni")
1082 ) )
1083 {
1084 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
1085 state->trigger_sni_changes = TRUE;
1086 }
1087 }
1088 else
1089 {
1090 /* useful for debugging */
1091 saved_tls_certificate = state->exp_tls_certificate;
1092 saved_tls_privatekey = state->exp_tls_privatekey;
1093 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
1094 saved_tls_crl = state->exp_tls_crl;
1095 }
1096
1097 if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
1098 return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
1099 rc, host, errstr);
1100
1101 #ifdef SUPPORT_SRV_OCSP_STACK
1102 gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
1103
1104 # if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1105 if (!host && tls_ocsp_file)
1106 {
1107 if (f.running_in_test_harness)
1108 tls_server_testharness_ocsp_fiddle();
1109
1110 if (exim_testharness_disable_ocsp_validity_check)
1111 gnutls_certificate_set_flags(state->x509_cred,
1112 GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
1113 }
1114 # endif
1115 #endif
1116
1117 /* remember: expand_check_tlsvar() is expand_check() but fiddling with
1118 state members, assuming consistent naming; and expand_check() returns
1119 false if expansion failed, unless expansion was forced to fail. */
1120
1121 /* check if we at least have a certificate, before doing expensive
1122 D-H generation. */
1123
1124 if (!expand_check_tlsvar(tls_certificate, errstr))
1125 return DEFER;
1126
1127 /* certificate is mandatory in server, optional in client */
1128
1129 if ( !state->exp_tls_certificate
1130 || !*state->exp_tls_certificate
1131 )
1132 if (!host)
1133 return tls_install_selfsign(state, errstr);
1134 else
1135 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
1136
1137 if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
1138 return DEFER;
1139
1140 /* tls_privatekey is optional, defaulting to same file as certificate */
1141
1142 if (!state->tls_privatekey || !*state->tls_privatekey)
1143 {
1144 state->tls_privatekey = state->tls_certificate;
1145 state->exp_tls_privatekey = state->exp_tls_certificate;
1146 }
1147
1148
1149 if (state->exp_tls_certificate && *state->exp_tls_certificate)
1150 {
1151 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
1152 state->exp_tls_certificate, state->exp_tls_privatekey);
1153
1154 if (state->received_sni)
1155 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
1156 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
1157 )
1158 {
1159 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
1160 }
1161 else
1162 {
1163 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
1164 }
1165
1166 if (!host) /* server */
1167 {
1168 const uschar * clist = state->exp_tls_certificate;
1169 const uschar * klist = state->exp_tls_privatekey;
1170 const uschar * olist;
1171 int csep = 0, ksep = 0, osep = 0, cnt = 0;
1172 uschar * cfile, * kfile, * ofile;
1173 #ifndef DISABLE_OCSP
1174 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1175 gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
1176 # endif
1177
1178 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
1179 return DEFER;
1180 olist = ofile;
1181 #endif
1182
1183 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
1184
1185 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
1186 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
1187 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
1188 return rc;
1189 else
1190 {
1191 int gnutls_cert_index = -rc;
1192 DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
1193 gnutls_cert_index, cfile);
1194
1195 #ifndef DISABLE_OCSP
1196 if (tls_ocsp_file)
1197 {
1198 /* Set the OCSP stapling server info */
1199 if (gnutls_buggy_ocsp)
1200 {
1201 DEBUG(D_tls)
1202 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1203 }
1204 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1205 {
1206 DEBUG(D_tls) debug_printf("OCSP response file %d = %s\n",
1207 gnutls_cert_index, ofile);
1208 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1209 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1210 {
1211 ocsp_fmt = GNUTLS_X509_FMT_PEM;
1212 ofile += 4;
1213 }
1214 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1215 {
1216 ocsp_fmt = GNUTLS_X509_FMT_DER;
1217 ofile += 4;
1218 }
1219
1220 if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
1221 state->x509_cred, CCS ofile, gnutls_cert_index,
1222 ocsp_fmt)) < 0)
1223 return tls_error_gnu(
1224 US"gnutls_certificate_set_ocsp_status_request_file2",
1225 rc, host, errstr);
1226 DEBUG(D_tls)
1227 debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
1228
1229 /* Arrange callbacks for OCSP request observability */
1230
1231 gnutls_handshake_set_hook_function(state->session,
1232 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1233
1234 # else
1235 # if defined(SUPPORT_SRV_OCSP_STACK)
1236 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1237 state->x509_cred, gnutls_cert_index,
1238 server_ocsp_stapling_cb, ofile)))
1239 return tls_error_gnu(
1240 US"gnutls_certificate_set_ocsp_status_request_function2",
1241 rc, host, errstr);
1242 else
1243 # endif
1244 {
1245 if (cnt++ > 0)
1246 {
1247 DEBUG(D_tls)
1248 debug_printf("oops; multiple OCSP files not supported\n");
1249 break;
1250 }
1251 gnutls_certificate_set_ocsp_status_request_function(
1252 state->x509_cred, server_ocsp_stapling_cb, ofile);
1253 }
1254 # endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
1255 }
1256 else
1257 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
1258 }
1259 #endif /* DISABLE_OCSP */
1260 }
1261 }
1262 else /* client */
1263 {
1264 if (0 < (rc = tls_add_certfile(state, host,
1265 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1266 return rc;
1267 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1268 }
1269
1270 } /* tls_certificate */
1271
1272
1273 /* Set the trusted CAs file if one is provided, and then add the CRL if one is
1274 provided. Experiment shows that, if the certificate file is empty, an unhelpful
1275 error message is provided. However, if we just refrain from setting anything up
1276 in that case, certificate verification fails, which seems to be the correct
1277 behaviour. */
1278
1279 if (state->tls_verify_certificates && *state->tls_verify_certificates)
1280 {
1281 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
1282 return DEFER;
1283 #ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1284 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1285 state->exp_tls_verify_certificates = NULL;
1286 #endif
1287 if (state->tls_crl && *state->tls_crl)
1288 if (!expand_check_tlsvar(tls_crl, errstr))
1289 return DEFER;
1290
1291 if (!(state->exp_tls_verify_certificates &&
1292 *state->exp_tls_verify_certificates))
1293 {
1294 DEBUG(D_tls)
1295 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1296 /* With no tls_verify_certificates, we ignore tls_crl too */
1297 return OK;
1298 }
1299 }
1300 else
1301 {
1302 DEBUG(D_tls)
1303 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1304 return OK;
1305 }
1306
1307 #ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1308 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1309 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1310 else
1311 #endif
1312 {
1313 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1314 {
1315 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
1316 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1317 strerror(errno));
1318 return DEFER;
1319 }
1320
1321 #ifndef SUPPORT_CA_DIR
1322 /* The test suite passes in /dev/null; we could check for that path explicitly,
1323 but who knows if someone has some weird FIFO which always dumps some certs, or
1324 other weirdness. The thing we really want to check is that it's not a
1325 directory, since while OpenSSL supports that, GnuTLS does not.
1326 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
1327 if (S_ISDIR(statbuf.st_mode))
1328 {
1329 DEBUG(D_tls)
1330 debug_printf("verify certificates path is a dir: \"%s\"\n",
1331 state->exp_tls_verify_certificates);
1332 log_write(0, LOG_MAIN|LOG_PANIC,
1333 "tls_verify_certificates \"%s\" is a directory",
1334 state->exp_tls_verify_certificates);
1335 return DEFER;
1336 }
1337 #endif
1338
1339 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1340 state->exp_tls_verify_certificates, statbuf.st_size);
1341
1342 if (statbuf.st_size == 0)
1343 {
1344 DEBUG(D_tls)
1345 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1346 return OK;
1347 }
1348
1349 cert_count =
1350
1351 #ifdef SUPPORT_CA_DIR
1352 (statbuf.st_mode & S_IFMT) == S_IFDIR
1353 ?
1354 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1355 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1356 :
1357 #endif
1358 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1359 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
1360
1361 #ifdef SUPPORT_CA_DIR
1362 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1363 when using the directory-of-certs config model. */
1364
1365 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1366 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1367 #endif
1368 }
1369
1370 if (cert_count < 0)
1371 return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
1372 DEBUG(D_tls)
1373 debug_printf("Added %d certificate authorities.\n", cert_count);
1374
1375 if (state->tls_crl && *state->tls_crl &&
1376 state->exp_tls_crl && *state->exp_tls_crl)
1377 {
1378 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
1379 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1380 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
1381 return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
1382 cert_count, host, errstr);
1383
1384 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1385 }
1386
1387 return OK;
1388 }
1389
1390
1391
1392
1393 /*************************************************
1394 * Set X.509 state variables *
1395 *************************************************/
1396
1397 /* In GnuTLS, the registered cert/key are not replaced by a later
1398 set of a cert/key, so for SNI support we need a whole new x509_cred
1399 structure. Which means various other non-re-expanded pieces of state
1400 need to be re-set in the new struct, so the setting logic is pulled
1401 out to this.
1402
1403 Arguments:
1404 state exim_gnutls_state_st *
1405 errstr error string pointer
1406
1407 Returns: OK/DEFER/FAIL
1408 */
1409
1410 static int
1411 tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1412 {
1413 int rc;
1414 const host_item *host = state->host; /* macro should be reconsidered? */
1415
1416 #ifndef GNUTLS_AUTO_DHPARAMS
1417 /* Create D-H parameters, or read them from the cache file. This function does
1418 its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1419 client-side params. */
1420
1421 if (!state->host)
1422 {
1423 if (!dh_server_params)
1424 if ((rc = init_server_dh(errstr)) != OK) return rc;
1425
1426 /* Unnecessary & discouraged with 3.6.0 or later */
1427 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1428 }
1429 #endif
1430
1431 /* Link the credentials to the session. */
1432
1433 if ((rc = gnutls_credentials_set(state->session,
1434 GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
1435 return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
1436
1437 return OK;
1438 }
1439
1440 /*************************************************
1441 * Initialize for GnuTLS *
1442 *************************************************/
1443
1444
1445 #ifndef DISABLE_OCSP
1446
1447 static BOOL
1448 tls_is_buggy_ocsp(void)
1449 {
1450 const uschar * s;
1451 uschar maj, mid, mic;
1452
1453 s = CUS gnutls_check_version(NULL);
1454 maj = atoi(CCS s);
1455 if (maj == 3)
1456 {
1457 while (*s && *s != '.') s++;
1458 mid = atoi(CCS ++s);
1459 if (mid <= 2)
1460 return TRUE;
1461 else if (mid >= 5)
1462 return FALSE;
1463 else
1464 {
1465 while (*s && *s != '.') s++;
1466 mic = atoi(CCS ++s);
1467 return mic <= (mid == 3 ? 16 : 3);
1468 }
1469 }
1470 return FALSE;
1471 }
1472
1473 #endif
1474
1475
1476 /* Called from both server and client code. In the case of a server, errors
1477 before actual TLS negotiation return DEFER.
1478
1479 Arguments:
1480 host connected host, if client; NULL if server
1481 certificate certificate file
1482 privatekey private key file
1483 sni TLS SNI to send, sometimes when client; else NULL
1484 cas CA certs file
1485 crl CRL file
1486 require_ciphers tls_require_ciphers setting
1487 caller_state returned state-info structure
1488 errstr error string pointer
1489
1490 Returns: OK/DEFER/FAIL
1491 */
1492
1493 static int
1494 tls_init(
1495 const host_item *host,
1496 const uschar *certificate,
1497 const uschar *privatekey,
1498 const uschar *sni,
1499 const uschar *cas,
1500 const uschar *crl,
1501 const uschar *require_ciphers,
1502 exim_gnutls_state_st **caller_state,
1503 tls_support * tlsp,
1504 uschar ** errstr)
1505 {
1506 exim_gnutls_state_st * state;
1507 int rc;
1508 size_t sz;
1509 const char * errpos;
1510 const uschar * p;
1511
1512 if (!exim_gnutls_base_init_done)
1513 {
1514 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1515
1516 #if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
1517 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1518 which loads modules from a config file, which sounds good and may be wanted
1519 by some sysadmin, but also means in common configurations that GNOME keyring
1520 environment variables are used and so breaks for users calling mailq.
1521 To prevent this, we init PKCS11 first, which is the documented approach. */
1522 if (!gnutls_allow_auto_pkcs11)
1523 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
1524 return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
1525 #endif
1526
1527 #ifndef GNUTLS_AUTO_GLOBAL_INIT
1528 if ((rc = gnutls_global_init()))
1529 return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
1530 #endif
1531
1532 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1533 DEBUG(D_tls)
1534 {
1535 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1536 /* arbitrarily chosen level; bump up to 9 for more */
1537 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
1538 }
1539 #endif
1540
1541 #ifndef DISABLE_OCSP
1542 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
1543 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
1544 #endif
1545
1546 exim_gnutls_base_init_done = TRUE;
1547 }
1548
1549 if (host)
1550 {
1551 /* For client-side sessions we allocate a context. This lets us run
1552 several in parallel. */
1553 int old_pool = store_pool;
1554 store_pool = POOL_PERM;
1555 state = store_get(sizeof(exim_gnutls_state_st), FALSE);
1556 store_pool = old_pool;
1557
1558 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1559 state->tlsp = tlsp;
1560 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1561 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1562 }
1563 else
1564 {
1565 state = &state_server;
1566 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1567 state->tlsp = tlsp;
1568 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1569 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1570 }
1571 if (rc)
1572 return tls_error_gnu(US"gnutls_init", rc, host, errstr);
1573
1574 state->host = host;
1575
1576 state->tls_certificate = certificate;
1577 state->tls_privatekey = privatekey;
1578 state->tls_require_ciphers = require_ciphers;
1579 state->tls_sni = sni;
1580 state->tls_verify_certificates = cas;
1581 state->tls_crl = crl;
1582
1583 /* This handles the variables that might get re-expanded after TLS SNI;
1584 that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
1585
1586 DEBUG(D_tls)
1587 debug_printf("Expanding various TLS configuration options for session credentials.\n");
1588 if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
1589
1590 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1591 requires a new structure afterwards. */
1592
1593 if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
1594
1595 /* set SNI in client, only */
1596 if (host)
1597 {
1598 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
1599 return DEFER;
1600 if (state->tlsp->sni && *state->tlsp->sni)
1601 {
1602 DEBUG(D_tls)
1603 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1604 sz = Ustrlen(state->tlsp->sni);
1605 if ((rc = gnutls_server_name_set(state->session,
1606 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
1607 return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
1608 }
1609 }
1610 else if (state->tls_sni)
1611 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1612 "have an SNI set for a server [%s]\n", state->tls_sni);
1613
1614 /* This is the priority string support,
1615 http://www.gnutls.org/manual/html_node/Priority-Strings.html
1616 and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1617 This was backwards incompatible, but means Exim no longer needs to track
1618 all algorithms and provide string forms for them. */
1619
1620 p = NULL;
1621 if (state->tls_require_ciphers && *state->tls_require_ciphers)
1622 {
1623 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
1624 return DEFER;
1625 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
1626 {
1627 p = state->exp_tls_require_ciphers;
1628 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
1629 }
1630 }
1631 if (!p)
1632 {
1633 p = exim_default_gnutls_priority;
1634 DEBUG(D_tls)
1635 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
1636 }
1637
1638 if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
1639 return tls_error_gnu(string_sprintf(
1640 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1641 p, errpos - CS p, errpos),
1642 rc, host, errstr);
1643
1644 if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
1645 return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
1646
1647 /* This also sets the server ticket expiration time to the same, and
1648 the STEK rotation time to 3x. */
1649
1650 gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1651
1652 /* Reduce security in favour of increased compatibility, if the admin
1653 decides to make that trade-off. */
1654 if (gnutls_compat_mode)
1655 {
1656 #if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1657 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1658 gnutls_session_enable_compatibility_mode(state->session);
1659 #else
1660 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1661 #endif
1662 }
1663
1664 *caller_state = state;
1665 return OK;
1666 }
1667
1668
1669
1670 /*************************************************
1671 * Extract peer information *
1672 *************************************************/
1673
1674 static const uschar *
1675 cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
1676 gnutls_mac_algorithm_t mac)
1677 {
1678 uschar cs_id[2];
1679 gnutls_kx_algorithm_t kx_i;
1680 gnutls_cipher_algorithm_t cipher_i;
1681 gnutls_mac_algorithm_t mac_i;
1682
1683 for (size_t i = 0;
1684 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
1685 i++)
1686 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
1687 return cipher_stdname(cs_id[0], cs_id[1]);
1688 return NULL;
1689 }
1690
1691
1692
1693 /* Called from both server and client code.
1694 Only this is allowed to set state->peerdn and state->have_set_peerdn
1695 and we use that to detect double-calls.
1696
1697 NOTE: the state blocks last while the TLS connection is up, which is fine
1698 for logging in the server side, but for the client side, we log after teardown
1699 in src/deliver.c. While the session is up, we can twist about states and
1700 repoint tls_* globals, but those variables used for logging or other variable
1701 expansion that happens _after_ delivery need to have a longer life-time.
1702
1703 So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1704 doing this more than once per generation of a state context. We set them in
1705 the state context, and repoint tls_* to them. After the state goes away, the
1706 tls_* copies of the pointers remain valid and client delivery logging is happy.
1707
1708 tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1709 don't apply.
1710
1711 Arguments:
1712 state exim_gnutls_state_st *
1713 errstr pointer to error string
1714
1715 Returns: OK/DEFER/FAIL
1716 */
1717
1718 static int
1719 peer_status(exim_gnutls_state_st * state, uschar ** errstr)
1720 {
1721 gnutls_session_t session = state->session;
1722 const gnutls_datum_t * cert_list;
1723 int old_pool, rc;
1724 unsigned int cert_list_size = 0;
1725 gnutls_protocol_t protocol;
1726 gnutls_cipher_algorithm_t cipher;
1727 gnutls_kx_algorithm_t kx;
1728 gnutls_mac_algorithm_t mac;
1729 gnutls_certificate_type_t ct;
1730 gnutls_x509_crt_t crt;
1731 uschar * dn_buf;
1732 size_t sz;
1733
1734 if (state->have_set_peerdn)
1735 return OK;
1736 state->have_set_peerdn = TRUE;
1737
1738 state->peerdn = NULL;
1739
1740 /* tls_cipher */
1741 cipher = gnutls_cipher_get(session);
1742 protocol = gnutls_protocol_get_version(session);
1743 mac = gnutls_mac_get(session);
1744 kx =
1745 #ifdef GNUTLS_TLS1_3
1746 protocol >= GNUTLS_TLS1_3 ? 0 :
1747 #endif
1748 gnutls_kx_get(session);
1749
1750 old_pool = store_pool;
1751 {
1752 tls_support * tlsp = state->tlsp;
1753 store_pool = POOL_PERM;
1754
1755 #ifdef SUPPORT_GNUTLS_SESS_DESC
1756 {
1757 gstring * g = NULL;
1758 uschar * s = US gnutls_session_get_desc(session), c;
1759
1760 /* Nikos M suggests we use this by preference. It returns like:
1761 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
1762
1763 For partial back-compat, put a colon after the TLS version, replace the
1764 )-( grouping with __, replace in-group - with _ and append the :keysize. */
1765
1766 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
1767
1768 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
1769 g = string_catn(g, US":", 1);
1770 if (*s) s++; /* now on _ between groups */
1771 while ((c = *s))
1772 {
1773 for (*++s && ++s; (c = *s) && c != ')'; s++) g = string_catn(g, c == '-' ? US"_" : s, 1);
1774 /* now on ) closing group */
1775 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
1776 /* now on _ between groups */
1777 }
1778 g = string_catn(g, US":", 1);
1779 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
1780 state->ciphersuite = string_from_gstring(g);
1781 }
1782 #else
1783 state->ciphersuite = string_sprintf("%s:%s:%d",
1784 gnutls_protocol_get_name(protocol),
1785 gnutls_cipher_suite_get_name(kx, cipher, mac),
1786 (int) gnutls_cipher_get_key_size(cipher) * 8);
1787
1788 /* I don't see a way that spaces could occur, in the current GnuTLS
1789 code base, but it was a concern in the old code and perhaps older GnuTLS
1790 releases did return "TLS 1.0"; play it safe, just in case. */
1791
1792 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
1793 #endif
1794
1795 /* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
1796
1797 tlsp->cipher = state->ciphersuite;
1798 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
1799
1800 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
1801 }
1802 store_pool = old_pool;
1803
1804 /* tls_peerdn */
1805 cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1806
1807 if (!cert_list || cert_list_size == 0)
1808 {
1809 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1810 cert_list, cert_list_size);
1811 if (state->verify_requirement >= VERIFY_REQUIRED)
1812 return tls_error(US"certificate verification failed",
1813 US"no certificate received from peer", state->host, errstr);
1814 return OK;
1815 }
1816
1817 if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
1818 {
1819 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
1820 DEBUG(D_tls)
1821 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
1822 if (state->verify_requirement >= VERIFY_REQUIRED)
1823 return tls_error(US"certificate verification not possible, unhandled type",
1824 ctn, state->host, errstr);
1825 return OK;
1826 }
1827
1828 #define exim_gnutls_peer_err(Label) \
1829 do { \
1830 if (rc != GNUTLS_E_SUCCESS) \
1831 { \
1832 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1833 (Label), gnutls_strerror(rc)); \
1834 if (state->verify_requirement >= VERIFY_REQUIRED) \
1835 return tls_error_gnu((Label), rc, state->host, errstr); \
1836 return OK; \
1837 } \
1838 } while (0)
1839
1840 rc = import_cert(&cert_list[0], &crt);
1841 exim_gnutls_peer_err(US"cert 0");
1842
1843 state->tlsp->peercert = state->peercert = crt;
1844
1845 sz = 0;
1846 rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1847 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
1848 {
1849 exim_gnutls_peer_err(US"getting size for cert DN failed");
1850 return FAIL; /* should not happen */
1851 }
1852 dn_buf = store_get_perm(sz, TRUE); /* tainted */
1853 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1854 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
1855
1856 state->peerdn = dn_buf;
1857
1858 return OK;
1859 #undef exim_gnutls_peer_err
1860 }
1861
1862
1863
1864
1865 /*************************************************
1866 * Verify peer certificate *
1867 *************************************************/
1868
1869 /* Called from both server and client code.
1870 *Should* be using a callback registered with
1871 gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1872 the peer information, but that's too new for some OSes.
1873
1874 Arguments:
1875 state exim_gnutls_state_st *
1876 errstr where to put an error message
1877
1878 Returns:
1879 FALSE if the session should be rejected
1880 TRUE if the cert is okay or we just don't care
1881 */
1882
1883 static BOOL
1884 verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
1885 {
1886 int rc;
1887 uint verify;
1888
1889 DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
1890 *errstr = NULL;
1891 rc = peer_status(state, errstr);
1892
1893 if (state->verify_requirement == VERIFY_NONE)
1894 return TRUE;
1895
1896 if (rc != OK || !state->peerdn)
1897 {
1898 verify = GNUTLS_CERT_INVALID;
1899 *errstr = US"certificate not supplied";
1900 }
1901 else
1902
1903 {
1904 #ifdef SUPPORT_DANE
1905 if (state->verify_requirement == VERIFY_DANE && state->host)
1906 {
1907 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1908 including talking to a DNS resolver. But we want to do that bit ourselves
1909 as the testsuite intercepts and fakes its own DNS environment. */
1910
1911 dane_state_t s;
1912 dane_query_t r;
1913 uint lsize;
1914 const gnutls_datum_t * certlist =
1915 gnutls_certificate_get_peers(state->session, &lsize);
1916 int usage = tls_out.tlsa_usage;
1917
1918 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
1919 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1920 dane-verification separately so that we know which selector verified;
1921 then we know whether to do name-verification (needed for TA but not EE). */
1922
1923 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
1924 { /* a mixed-usage bundle */
1925 int i, j, nrec;
1926 const char ** dd;
1927 int * ddl;
1928
1929 for(nrec = 0; state->dane_data_len[nrec]; ) nrec++;
1930 nrec++;
1931
1932 dd = store_get(nrec * sizeof(uschar *), FALSE);
1933 ddl = store_get(nrec * sizeof(int), FALSE);
1934 nrec--;
1935
1936 if ((rc = dane_state_init(&s, 0)))
1937 goto tlsa_prob;
1938
1939 for (usage = DANESSL_USAGE_DANE_EE;
1940 usage >= DANESSL_USAGE_DANE_TA; usage--)
1941 { /* take records with this usage */
1942 for (j = i = 0; i < nrec; i++)
1943 if (state->dane_data[i][0] == usage)
1944 {
1945 dd[j] = state->dane_data[i];
1946 ddl[j++] = state->dane_data_len[i];
1947 }
1948 if (j)
1949 {
1950 dd[j] = NULL;
1951 ddl[j] = 0;
1952
1953 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1954 goto tlsa_prob;
1955
1956 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1957 gnutls_certificate_type_get(state->session),
1958 r, 0,
1959 usage == DANESSL_USAGE_DANE_EE
1960 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1961 &verify)))
1962 {
1963 DEBUG(D_tls)
1964 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1965 }
1966 else if (verify == 0) /* verification passed */
1967 {
1968 usage = 1 << usage;
1969 break;
1970 }
1971 }
1972 }
1973
1974 if (rc) goto tlsa_prob;
1975 }
1976 else
1977 # endif
1978 {
1979 if ( (rc = dane_state_init(&s, 0))
1980 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
1981 1, 0))
1982 || (rc = dane_verify_crt_raw(s, certlist, lsize,
1983 gnutls_certificate_type_get(state->session),
1984 r, 0,
1985 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
1986 usage == (1 << DANESSL_USAGE_DANE_EE)
1987 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1988 # else
1989 0,
1990 # endif
1991 &verify))
1992 )
1993 goto tlsa_prob;
1994 }
1995
1996 if (verify != 0) /* verification failed */
1997 {
1998 gnutls_datum_t str;
1999 (void) dane_verification_status_print(verify, &str, 0);
2000 *errstr = US str.data; /* don't bother to free */
2001 goto badcert;
2002 }
2003
2004 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2005 /* If a TA-mode TLSA record was used for verification we must additionally
2006 verify the cert name (but not the CA chain). For EE-mode, skip it. */
2007
2008 if (usage & (1 << DANESSL_USAGE_DANE_EE))
2009 # endif
2010 {
2011 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2012 goto goodcert;
2013 }
2014 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2015 /* Assume that the name on the A-record is the one that should be matching
2016 the cert. An alternate view is that the domain part of the email address
2017 is also permissible. */
2018
2019 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2020 CS state->host->name))
2021 {
2022 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2023 goto goodcert;
2024 }
2025 # endif
2026 }
2027 #endif /*SUPPORT_DANE*/
2028
2029 rc = gnutls_certificate_verify_peers2(state->session, &verify);
2030 }
2031
2032 /* Handle the result of verification. INVALID is set if any others are. */
2033
2034 if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
2035 {
2036 state->peer_cert_verified = FALSE;
2037 if (!*errstr)
2038 {
2039 #ifdef GNUTLS_CERT_VFY_STATUS_PRINT
2040 DEBUG(D_tls)
2041 {
2042 gnutls_datum_t txt;
2043
2044 if (gnutls_certificate_verification_status_print(verify,
2045 gnutls_certificate_type_get(state->session), &txt, 0)
2046 == GNUTLS_E_SUCCESS)
2047 {
2048 debug_printf("%s\n", txt.data);
2049 gnutls_free(txt.data);
2050 }
2051 }
2052 #endif
2053 *errstr = verify & GNUTLS_CERT_REVOKED
2054 ? US"certificate revoked" : US"certificate invalid";
2055 }
2056
2057 DEBUG(D_tls)
2058 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
2059 *errstr, state->peerdn ? state->peerdn : US"<unset>");
2060
2061 if (state->verify_requirement >= VERIFY_REQUIRED)
2062 goto badcert;
2063 DEBUG(D_tls)
2064 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
2065 }
2066
2067 else
2068 {
2069 /* Client side, check the server's certificate name versus the name on the
2070 A-record for the connection we made. What to do for server side - what name
2071 to use for client? We document that there is no such checking for server
2072 side. */
2073
2074 if ( state->exp_tls_verify_cert_hostnames
2075 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2076 CS state->exp_tls_verify_cert_hostnames)
2077 )
2078 {
2079 DEBUG(D_tls)
2080 debug_printf("TLS certificate verification failed: cert name mismatch\n");
2081 if (state->verify_requirement >= VERIFY_REQUIRED)
2082 goto badcert;
2083 return TRUE;
2084 }
2085
2086 state->peer_cert_verified = TRUE;
2087 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
2088 state->peerdn ? state->peerdn : US"<unset>");
2089 }
2090
2091 goodcert:
2092 state->tlsp->peerdn = state->peerdn;
2093 return TRUE;
2094
2095 #ifdef SUPPORT_DANE
2096 tlsa_prob:
2097 *errstr = string_sprintf("TLSA record problem: %s",
2098 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
2099 #endif
2100
2101 badcert:
2102 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
2103 return FALSE;
2104 }
2105
2106
2107
2108
2109 /* ------------------------------------------------------------------------ */
2110 /* Callbacks */
2111
2112 /* Logging function which can be registered with
2113 * gnutls_global_set_log_function()
2114 * gnutls_global_set_log_level() 0..9
2115 */
2116 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
2117 static void
2118 exim_gnutls_logger_cb(int level, const char *message)
2119 {
2120 size_t len = strlen(message);
2121 if (len < 1)
2122 {
2123 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
2124 return;
2125 }
2126 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
2127 message[len-1] == '\n' ? "" : "\n");
2128 }
2129 #endif
2130
2131
2132 /* Called after client hello, should handle SNI work.
2133 This will always set tls_sni (state->received_sni) if available,
2134 and may trigger presenting different certificates,
2135 if state->trigger_sni_changes is TRUE.
2136
2137 Should be registered with
2138 gnutls_handshake_set_post_client_hello_function()
2139
2140 "This callback must return 0 on success or a gnutls error code to terminate the
2141 handshake.".
2142
2143 For inability to get SNI information, we return 0.
2144 We only return non-zero if re-setup failed.
2145 Only used for server-side TLS.
2146 */
2147
2148 static int
2149 exim_sni_handling_cb(gnutls_session_t session)
2150 {
2151 char sni_name[MAX_HOST_LEN];
2152 size_t data_len = MAX_HOST_LEN;
2153 exim_gnutls_state_st *state = &state_server;
2154 unsigned int sni_type;
2155 int rc, old_pool;
2156 uschar * dummy_errstr;
2157
2158 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
2159 if (rc != GNUTLS_E_SUCCESS)
2160 {
2161 DEBUG(D_tls)
2162 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
2163 debug_printf("TLS: no SNI presented in handshake.\n");
2164 else
2165 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
2166 gnutls_strerror(rc), rc);
2167 return 0;
2168 }
2169
2170 if (sni_type != GNUTLS_NAME_DNS)
2171 {
2172 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
2173 return 0;
2174 }
2175
2176 /* We now have a UTF-8 string in sni_name */
2177 old_pool = store_pool;
2178 store_pool = POOL_PERM;
2179 state->received_sni = string_copy_taint(US sni_name, TRUE);
2180 store_pool = old_pool;
2181
2182 /* We set this one now so that variable expansions below will work */
2183 state->tlsp->sni = state->received_sni;
2184
2185 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
2186 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
2187
2188 if (!state->trigger_sni_changes)
2189 return 0;
2190
2191 if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
2192 {
2193 /* If the setup of certs/etc failed before handshake, TLS would not have
2194 been offered. The best we can do now is abort. */
2195 return GNUTLS_E_APPLICATION_ERROR_MIN;
2196 }
2197
2198 rc = tls_set_remaining_x509(state, &dummy_errstr);
2199 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
2200
2201 return 0;
2202 }
2203
2204
2205
2206 #ifndef DISABLE_EVENT
2207 /*
2208 We use this callback to get observability and detail-level control
2209 for an exim TLS connection (either direction), raising a tls:cert event
2210 for each cert in the chain presented by the peer. Any event
2211 can deny verification.
2212
2213 Return 0 for the handshake to continue or non-zero to terminate.
2214 */
2215
2216 static int
2217 verify_cb(gnutls_session_t session)
2218 {
2219 const gnutls_datum_t * cert_list;
2220 unsigned int cert_list_size = 0;
2221 gnutls_x509_crt_t crt;
2222 int rc;
2223 uschar * yield;
2224 exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2225
2226 if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
2227 while (cert_list_size--)
2228 {
2229 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
2230 {
2231 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2232 cert_list_size, gnutls_strerror(rc));
2233 break;
2234 }
2235
2236 state->tlsp->peercert = crt;
2237 if ((yield = event_raise(state->event_action,
2238 US"tls:cert", string_sprintf("%d", cert_list_size))))
2239 {
2240 log_write(0, LOG_MAIN,
2241 "SSL verify denied by event-action: depth=%d: %s",
2242 cert_list_size, yield);
2243 return 1; /* reject */
2244 }
2245 state->tlsp->peercert = NULL;
2246 }
2247
2248 return 0;
2249 }
2250
2251 #endif
2252
2253
2254 static gstring *
2255 ddump(gnutls_datum_t * d)
2256 {
2257 gstring * g = string_get((d->size+1) * 2);
2258 uschar * s = d->data;
2259 for (unsigned i = d->size; i > 0; i--, s++)
2260 {
2261 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2262 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2263 }
2264 return g;
2265 }
2266
2267 static void
2268 post_handshake_debug(exim_gnutls_state_st * state)
2269 {
2270 #ifdef SUPPORT_GNUTLS_SESS_DESC
2271 debug_printf("%s\n", gnutls_session_get_desc(state->session));
2272 #endif
2273
2274 #ifdef SUPPORT_GNUTLS_KEYLOG
2275 # ifdef EXIM_HAVE_TLS1_3
2276 if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
2277 # else
2278 if (TRUE)
2279 # endif
2280 {
2281 gnutls_datum_t c, s;
2282 gstring * gc, * gs;
2283 /* For TLS1.2 we only want the client random and the master secret */
2284 gnutls_session_get_random(state->session, &c, &s);
2285 gnutls_session_get_master_secret(state->session, &s);
2286 gc = ddump(&c);
2287 gs = ddump(&s);
2288 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2289 }
2290 else
2291 debug_printf("To get keying info for TLS1.3 is hard:\n"
2292 " set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n"
2293 " add SSLKEYLOGFILE to keep_environment in the exim config\n"
2294 " run exim as root\n"
2295 " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
2296 " (works for TLS1.2 also, and saves cut-paste into file)"
2297 " Trying to use add_environment for this will not work\n");
2298 #endif
2299 }
2300
2301
2302 #ifdef EXPERIMENTAL_TLS_RESUME
2303 static int
2304 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2305 unsigned incoming, const gnutls_datum_t * msg)
2306 {
2307 DEBUG(D_tls) debug_printf("newticket cb\n");
2308 tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2309 return 0;
2310 }
2311
2312 static void
2313 tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2314 {
2315 /* Should the server offer session resumption? */
2316 tls_in.resumption = RESUME_SUPPORTED;
2317 if (verify_check_host(&tls_resumption_hosts) == OK)
2318 {
2319 int rc;
2320 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2321 an offered resumption is unacceptable. We lose one resumption per ticket
2322 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2323 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2324 least they go out in a single packet. */
2325
2326 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2327 &server_sessticket_key)))
2328 tls_in.resumption |= RESUME_SERVER_TICKET;
2329 else
2330 DEBUG(D_tls)
2331 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2332
2333 /* Try to tell if we see a ticket request */
2334 gnutls_handshake_set_hook_function(state->session,
2335 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
2336 }
2337 }
2338
2339 static void
2340 tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2341 {
2342 if (gnutls_session_resumption_requested(state->session))
2343 {
2344 /* This tells us the client sent a full ticket. We use a
2345 callback on session-ticket request, elsewhere, to tell
2346 if a client asked for a ticket. */
2347
2348 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2349 DEBUG(D_tls) debug_printf("client requested resumption\n");
2350 }
2351 if (gnutls_session_is_resumed(state->session))
2352 {
2353 tls_in.resumption |= RESUME_USED;
2354 DEBUG(D_tls) debug_printf("Session resumed\n");
2355 }
2356 }
2357 #endif
2358 /* ------------------------------------------------------------------------ */
2359 /* Exported functions */
2360
2361
2362
2363
2364 /*************************************************
2365 * Start a TLS session in a server *
2366 *************************************************/
2367
2368 /* This is called when Exim is running as a server, after having received
2369 the STARTTLS command. It must respond to that command, and then negotiate
2370 a TLS session.
2371
2372 Arguments:
2373 require_ciphers list of allowed ciphers or NULL
2374 errstr pointer to error string
2375
2376 Returns: OK on success
2377 DEFER for errors before the start of the negotiation
2378 FAIL for errors during the negotiation; the server can't
2379 continue running.
2380 */
2381
2382 int
2383 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2384 {
2385 int rc;
2386 exim_gnutls_state_st * state = NULL;
2387
2388 /* Check for previous activation */
2389 if (tls_in.active.sock >= 0)
2390 {
2391 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
2392 smtp_printf("554 Already in TLS\r\n", FALSE);
2393 return FAIL;
2394 }
2395
2396 /* Initialize the library. If it fails, it will already have logged the error
2397 and sent an SMTP response. */
2398
2399 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
2400
2401 if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
2402 NULL, tls_verify_certificates, tls_crl,
2403 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
2404
2405 #ifdef EXPERIMENTAL_TLS_RESUME
2406 tls_server_resume_prehandshake(state);
2407 #endif
2408
2409 /* If this is a host for which certificate verification is mandatory or
2410 optional, set up appropriately. */
2411
2412 if (verify_check_host(&tls_verify_hosts) == OK)
2413 {
2414 DEBUG(D_tls)
2415 debug_printf("TLS: a client certificate will be required.\n");
2416 state->verify_requirement = VERIFY_REQUIRED;
2417 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2418 }
2419 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2420 {
2421 DEBUG(D_tls)
2422 debug_printf("TLS: a client certificate will be requested but not required.\n");
2423 state->verify_requirement = VERIFY_OPTIONAL;
2424 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2425 }
2426 else
2427 {
2428 DEBUG(D_tls)
2429 debug_printf("TLS: a client certificate will not be requested.\n");
2430 state->verify_requirement = VERIFY_NONE;
2431 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2432 }
2433
2434 #ifndef DISABLE_EVENT
2435 if (event_action)
2436 {
2437 state->event_action = event_action;
2438 gnutls_session_set_ptr(state->session, state);
2439 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2440 }
2441 #endif
2442
2443 /* Register SNI handling; always, even if not in tls_certificate, so that the
2444 expansion variable $tls_sni is always available. */
2445
2446 gnutls_handshake_set_post_client_hello_function(state->session,
2447 exim_sni_handling_cb);
2448
2449 /* Set context and tell client to go ahead, except in the case of TLS startup
2450 on connection, where outputting anything now upsets the clients and tends to
2451 make them disconnect. We need to have an explicit fflush() here, to force out
2452 the response. Other smtp_printf() calls do not need it, because in non-TLS
2453 mode, the fflush() happens when smtp_getc() is called. */
2454
2455 if (!state->tlsp->on_connect)
2456 {
2457 smtp_printf("220 TLS go ahead\r\n", FALSE);
2458 fflush(smtp_out);
2459 }
2460
2461 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2462 that the GnuTLS library doesn't.
2463 From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2464 to set (and clear down afterwards) up a pull-timeout callback function that does
2465 a select, so we're no better off unless avoiding signals becomes an issue. */
2466
2467 gnutls_transport_set_ptr2(state->session,
2468 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2469 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
2470 state->fd_in = fileno(smtp_in);
2471 state->fd_out = fileno(smtp_out);
2472
2473 sigalrm_seen = FALSE;
2474 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2475 do
2476 rc = gnutls_handshake(state->session);
2477 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
2478 ALARM_CLR(0);
2479
2480 if (rc != GNUTLS_E_SUCCESS)
2481 {
2482 /* It seems that, except in the case of a timeout, we have to close the
2483 connection right here; otherwise if the other end is running OpenSSL it hangs
2484 until the server times out. */
2485
2486 if (sigalrm_seen)
2487 {
2488 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
2489 gnutls_db_remove_session(state->session);
2490 }
2491 else
2492 {
2493 tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
2494 (void) gnutls_alert_send_appropriate(state->session, rc);
2495 gnutls_deinit(state->session);
2496 gnutls_certificate_free_credentials(state->x509_cred);
2497 millisleep(500);
2498 shutdown(state->fd_out, SHUT_WR);
2499 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
2500 (void)fclose(smtp_out);
2501 (void)fclose(smtp_in);
2502 smtp_out = smtp_in = NULL;
2503 }
2504
2505 return FAIL;
2506 }
2507
2508 #ifdef EXPERIMENTAL_TLS_RESUME
2509 tls_server_resume_posthandshake(state);
2510 #endif
2511
2512 DEBUG(D_tls) post_handshake_debug(state);
2513
2514 /* Verify after the fact */
2515
2516 if (!verify_certificate(state, errstr))
2517 {
2518 if (state->verify_requirement != VERIFY_OPTIONAL)
2519 {
2520 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
2521 return FAIL;
2522 }
2523 DEBUG(D_tls)
2524 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
2525 *errstr);
2526 }
2527
2528 /* Sets various Exim expansion variables; always safe within server */
2529
2530 extract_exim_vars_from_tls_state(state);
2531
2532 /* TLS has been set up. Adjust the input functions to read via TLS,
2533 and initialize appropriately. */
2534
2535 state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2536
2537 receive_getc = tls_getc;
2538 receive_getbuf = tls_getbuf;
2539 receive_get_cache = tls_get_cache;
2540 receive_ungetc = tls_ungetc;
2541 receive_feof = tls_feof;
2542 receive_ferror = tls_ferror;
2543 receive_smtp_buffered = tls_smtp_buffered;
2544
2545 return OK;
2546 }
2547
2548
2549
2550
2551 static void
2552 tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2553 smtp_transport_options_block * ob)
2554 {
2555 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2556 {
2557 state->exp_tls_verify_cert_hostnames =
2558 #ifdef SUPPORT_I18N
2559 string_domain_utf8_to_alabel(host->name, NULL);
2560 #else
2561 host->name;
2562 #endif
2563 DEBUG(D_tls)
2564 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2565 state->exp_tls_verify_cert_hostnames);
2566 }
2567 }
2568
2569
2570
2571
2572 #ifdef SUPPORT_DANE
2573 /* Given our list of RRs from the TLSA lookup, build a lookup block in
2574 GnuTLS-DANE's preferred format. Hang it on the state str for later
2575 use in DANE verification.
2576
2577 We point at the dnsa data not copy it, so it must remain valid until
2578 after verification is done.*/
2579
2580 static BOOL
2581 dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2582 {
2583 dns_scan dnss;
2584 int i;
2585 const char ** dane_data;
2586 int * dane_data_len;
2587
2588 i = 1;
2589 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2590 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2591 ) if (rr->type == T_TLSA) i++;
2592
2593 dane_data = store_get(i * sizeof(uschar *), FALSE);
2594 dane_data_len = store_get(i * sizeof(int), FALSE);
2595
2596 i = 0;
2597 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2598 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2599 ) if (rr->type == T_TLSA && rr->size > 3)
2600 {
2601 const uschar * p = rr->data;
2602 /*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
2603 uint8_t usage = p[0], sel = p[1], type = p[2];
2604
2605 DEBUG(D_tls)
2606 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2607
2608 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2609 || (sel != 0 && sel != 1)
2610 )
2611 continue;
2612 switch(type)
2613 {
2614 case 0: /* Full: cannot check at present */
2615 break;
2616 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2617 break;
2618 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2619 break;
2620 default: continue;
2621 }
2622
2623 tls_out.tlsa_usage |= 1<<usage;
2624 dane_data[i] = CS p;
2625 dane_data_len[i++] = rr->size;
2626 }
2627
2628 if (!i) return FALSE;
2629
2630 dane_data[i] = NULL;
2631 dane_data_len[i] = 0;
2632
2633 state->dane_data = (char * const *)dane_data;
2634 state->dane_data_len = dane_data_len;
2635 return TRUE;
2636 }
2637 #endif
2638
2639
2640
2641 #ifdef EXPERIMENTAL_TLS_RESUME
2642 /* On the client, get any stashed session for the given IP from hints db
2643 and apply it to the ssl-connection for attempted resumption. Although
2644 there is a gnutls_session_ticket_enable_client() interface it is
2645 documented as unnecessary (as of 3.6.7) as "session tickets are emabled
2646 by deafult". There seems to be no way to disable them, so even hosts not
2647 enabled by the transport option will be sent a ticket request. We will
2648 however avoid storing and retrieving session information. */
2649
2650 static void
2651 tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
2652 host_item * host, smtp_transport_options_block * ob)
2653 {
2654 tlsp->resumption = RESUME_SUPPORTED;
2655 if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2656 {
2657 dbdata_tls_session * dt;
2658 int len, rc;
2659 open_db dbblock, * dbm_file;
2660
2661 DEBUG(D_tls)
2662 debug_printf("check for resumable session for %s\n", host->address);
2663 tlsp->host_resumable = TRUE;
2664 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2665 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2666 {
2667 /* Key for the db is the IP. We'd like to filter the retrieved session
2668 for ticket advisory expiry, but 3.6.1 seems to give no access to that */
2669
2670 if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
2671 if (!(rc = gnutls_session_set_data(session,
2672 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
2673 {
2674 DEBUG(D_tls) debug_printf("good session\n");
2675 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2676 }
2677 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
2678 US gnutls_strerror(rc));
2679 dbfn_close(dbm_file);
2680 }
2681 }
2682 }
2683
2684
2685 static void
2686 tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
2687 {
2688 /* TLS 1.2 - we get both the callback and the direct posthandshake call,
2689 but this flag is not set until the second. TLS 1.3 it's the other way about.
2690 Keep both calls as the session data cannot be extracted before handshake
2691 completes. */
2692
2693 if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
2694 {
2695 gnutls_datum_t tkt;
2696 int rc;
2697
2698 DEBUG(D_tls) debug_printf("server offered session ticket\n");
2699 tlsp->ticket_received = TRUE;
2700 tlsp->resumption |= RESUME_SERVER_TICKET;
2701
2702 if (tlsp->host_resumable)
2703 if (!(rc = gnutls_session_get_data2(session, &tkt)))
2704 {
2705 open_db dbblock, * dbm_file;
2706 int dlen = sizeof(dbdata_tls_session) + tkt.size;
2707 dbdata_tls_session * dt = store_get(dlen, TRUE);
2708
2709 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
2710 memcpy(dt->session, tkt.data, tkt.size);
2711 gnutls_free(tkt.data);
2712
2713 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2714 {
2715 /* key for the db is the IP */
2716 dbfn_delete(dbm_file, host->address);
2717 dbfn_write(dbm_file, host->address, dt, dlen);
2718 dbfn_close(dbm_file);
2719
2720 DEBUG(D_tls)
2721 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
2722 }
2723 }
2724 else DEBUG(D_tls)
2725 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
2726 }
2727 }
2728
2729
2730 /* With a TLS1.3 session, the ticket(s) are not seen until
2731 the first data read is attempted. And there's often two of them.
2732 Pick them up with this callback. We are also called for 1.2
2733 but we do nothing.
2734 */
2735 static int
2736 tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2737 unsigned incoming, const gnutls_datum_t * msg)
2738 {
2739 exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
2740 tls_support * tlsp = state->tlsp;
2741
2742 DEBUG(D_tls) debug_printf("newticket cb\n");
2743
2744 if (!tlsp->ticket_received)
2745 tls_save_session(tlsp, sess, state->host);
2746 return 0;
2747 }
2748
2749
2750 static void
2751 tls_client_resume_prehandshake(exim_gnutls_state_st * state,
2752 tls_support * tlsp, host_item * host,
2753 smtp_transport_options_block * ob)
2754 {
2755 gnutls_session_set_ptr(state->session, state);
2756 gnutls_handshake_set_hook_function(state->session,
2757 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
2758
2759 tls_retrieve_session(tlsp, state->session, host, ob);
2760 }
2761
2762 static void
2763 tls_client_resume_posthandshake(exim_gnutls_state_st * state,
2764 tls_support * tlsp, host_item * host)
2765 {
2766 if (gnutls_session_is_resumed(state->session))
2767 {
2768 DEBUG(D_tls) debug_printf("Session resumed\n");
2769 tlsp->resumption |= RESUME_USED;
2770 }
2771
2772 tls_save_session(tlsp, state->session, host);
2773 }
2774 #endif /* EXPERIMENTAL_TLS_RESUME */
2775
2776
2777 /*************************************************
2778 * Start a TLS session in a client *
2779 *************************************************/
2780
2781 /* Called from the smtp transport after STARTTLS has been accepted.
2782
2783 Arguments:
2784 cctx connection context
2785 conn_args connection details
2786 cookie datum for randomness (not used)
2787 tlsp record details of channel configuration here; must be non-NULL
2788 errstr error string pointer
2789
2790 Returns: TRUE for success with TLS session context set in smtp context,
2791 FALSE on error
2792 */
2793
2794 BOOL
2795 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2796 void * cookie ARG_UNUSED,
2797 tls_support * tlsp, uschar ** errstr)
2798 {
2799 host_item * host = conn_args->host; /* for msgs and option-tests */
2800 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2801 smtp_transport_options_block * ob = tb
2802 ? (smtp_transport_options_block *)tb->options_block
2803 : &smtp_transport_option_defaults;
2804 int rc;
2805 exim_gnutls_state_st * state = NULL;
2806 uschar * cipher_list = NULL;
2807
2808 #ifndef DISABLE_OCSP
2809 BOOL require_ocsp =
2810 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
2811 BOOL request_ocsp = require_ocsp ? TRUE
2812 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2813 #endif
2814
2815 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
2816
2817 #ifdef SUPPORT_DANE
2818 /* If dane is flagged, have either request or require dane for this host, and
2819 a TLSA record found. Therefore, dane verify required. Which implies cert must
2820 be requested and supplied, dane verify must pass, and cert verify irrelevant
2821 (incl. hostnames), and (caller handled) require_tls */
2822
2823 if (conn_args->dane && ob->dane_require_tls_ciphers)
2824 {
2825 /* not using expand_check_tlsvar because not yet in state */
2826 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2827 &cipher_list, errstr))
2828 return FALSE;
2829 cipher_list = cipher_list && *cipher_list
2830 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
2831 }
2832 #endif
2833
2834 if (!cipher_list)
2835 cipher_list = ob->tls_require_ciphers;
2836
2837 if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
2838 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
2839 cipher_list, &state, tlsp, errstr) != OK)
2840 return FALSE;
2841
2842 {
2843 int dh_min_bits = ob->tls_dh_min_bits;
2844 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2845 {
2846 DEBUG(D_tls)
2847 debug_printf("WARNING: tls_dh_min_bits far too low,"
2848 " clamping %d up to %d\n",
2849 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2850 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2851 }
2852
2853 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2854 " acceptable bits to %d\n",
2855 dh_min_bits);
2856 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2857 }
2858
2859 /* Stick to the old behaviour for compatibility if tls_verify_certificates is
2860 set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2861 the specified host patterns if one of them is defined */
2862
2863 #ifdef SUPPORT_DANE
2864 if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
2865 {
2866 DEBUG(D_tls)
2867 debug_printf("TLS: server certificate DANE required.\n");
2868 state->verify_requirement = VERIFY_DANE;
2869 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2870 }
2871 else
2872 #endif
2873 if ( ( state->exp_tls_verify_certificates
2874 && !ob->tls_verify_hosts
2875 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2876 )
2877 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2878 )
2879 {
2880 tls_client_setup_hostname_checks(host, state, ob);
2881 DEBUG(D_tls)
2882 debug_printf("TLS: server certificate verification required.\n");
2883 state->verify_requirement = VERIFY_REQUIRED;
2884 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2885 }
2886 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2887 {
2888 tls_client_setup_hostname_checks(host, state, ob);
2889 DEBUG(D_tls)
2890 debug_printf("TLS: server certificate verification optional.\n");
2891 state->verify_requirement = VERIFY_OPTIONAL;
2892 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2893 }
2894 else
2895 {
2896 DEBUG(D_tls)
2897 debug_printf("TLS: server certificate verification not required.\n");
2898 state->verify_requirement = VERIFY_NONE;
2899 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2900 }
2901
2902 #ifndef DISABLE_OCSP
2903 /* supported since GnuTLS 3.1.3 */
2904 if (request_ocsp)
2905 {
2906 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
2907 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2908 NULL, 0, NULL)) != OK)
2909 {
2910 tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
2911 return FALSE;
2912 }
2913 tlsp->ocsp = OCSP_NOT_RESP;
2914 }
2915 #endif
2916
2917 #ifdef EXPERIMENTAL_TLS_RESUME
2918 tls_client_resume_prehandshake(state, tlsp, host, ob);
2919 #endif
2920
2921 #ifndef DISABLE_EVENT
2922 if (tb && tb->event_action)
2923 {
2924 state->event_action = tb->event_action;
2925 gnutls_session_set_ptr(state->session, state);
2926 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2927 }
2928 #endif
2929
2930 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
2931 state->fd_in = cctx->sock;
2932 state->fd_out = cctx->sock;
2933
2934 DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
2935 /* There doesn't seem to be a built-in timeout on connection. */
2936
2937 sigalrm_seen = FALSE;
2938 ALARM(ob->command_timeout);
2939 do
2940 rc = gnutls_handshake(state->session);
2941 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
2942 ALARM_CLR(0);
2943
2944 if (rc != GNUTLS_E_SUCCESS)
2945 {
2946 if (sigalrm_seen)
2947 {
2948 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
2949 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
2950 }
2951 else
2952 tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
2953 return FALSE;
2954 }
2955
2956 DEBUG(D_tls) post_handshake_debug(state);
2957
2958 /* Verify late */
2959
2960 if (!verify_certificate(state, errstr))
2961 {
2962 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
2963 return FALSE;
2964 }
2965
2966 #ifndef DISABLE_OCSP
2967 if (request_ocsp)
2968 {
2969 DEBUG(D_tls)
2970 {
2971 gnutls_datum_t stapling;
2972 gnutls_ocsp_resp_t resp;
2973 gnutls_datum_t printed;
2974 unsigned idx = 0;
2975
2976 for (;
2977 # ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
2978 (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
2979 #else
2980 (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
2981 #endif
2982 idx++)
2983 if ( (rc= gnutls_ocsp_resp_init(&resp)) == 0
2984 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2985 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
2986 )
2987 {
2988 debug_printf("%.4096s", printed.data);
2989 gnutls_free(printed.data);
2990 }
2991 else
2992 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2993 if (idx == 0 && rc)
2994 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2995 }
2996
2997 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
2998 {
2999 tlsp->ocsp = OCSP_FAILED;
3000 tls_error(US"certificate status check failed", NULL, state->host, errstr);
3001 if (require_ocsp)
3002 return FALSE;
3003 }
3004 else
3005 {
3006 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
3007 tlsp->ocsp = OCSP_VFIED;
3008 }
3009 }
3010 #endif
3011
3012 #ifdef EXPERIMENTAL_TLS_RESUME
3013 tls_client_resume_posthandshake(state, tlsp, host);
3014 #endif
3015
3016 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
3017
3018 extract_exim_vars_from_tls_state(state);
3019
3020 cctx->tls_ctx = state;
3021 return TRUE;
3022 }
3023
3024
3025
3026
3027 /*************************************************
3028 * Close down a TLS session *
3029 *************************************************/
3030
3031 /* This is also called from within a delivery subprocess forked from the
3032 daemon, to shut down the TLS library, without actually doing a shutdown (which
3033 would tamper with the TLS session in the parent process).
3034
3035 Arguments:
3036 ct_ctx client context pointer, or NULL for the one global server context
3037 shutdown 1 if TLS close-alert is to be sent,
3038 2 if also response to be waited for
3039
3040 Returns: nothing
3041 */
3042
3043 void
3044 tls_close(void * ct_ctx, int shutdown)
3045 {
3046 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3047 tls_support * tlsp = state->tlsp;
3048
3049 if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
3050
3051 if (shutdown)
3052 {
3053 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3054 shutdown > 1 ? " (with response-wait)" : "");
3055
3056 ALARM(2);
3057 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
3058 ALARM_CLR(0);
3059 }
3060
3061 if (!ct_ctx) /* server */
3062 {
3063 receive_getc = smtp_getc;
3064 receive_getbuf = smtp_getbuf;
3065 receive_get_cache = smtp_get_cache;
3066 receive_ungetc = smtp_ungetc;
3067 receive_feof = smtp_feof;
3068 receive_ferror = smtp_ferror;
3069 receive_smtp_buffered = smtp_buffered;
3070 }
3071
3072 gnutls_deinit(state->session);
3073 gnutls_certificate_free_credentials(state->x509_cred);
3074
3075 tlsp->active.sock = -1;
3076 tlsp->active.tls_ctx = NULL;
3077 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
3078 tls_channelbinding_b64 = NULL;
3079
3080
3081 if (state->xfer_buffer) store_free(state->xfer_buffer);
3082 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
3083 }
3084
3085
3086
3087
3088 static BOOL
3089 tls_refill(unsigned lim)
3090 {
3091 exim_gnutls_state_st * state = &state_server;
3092 ssize_t inbytes;
3093
3094 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
3095 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
3096
3097 sigalrm_seen = FALSE;
3098 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3099
3100 do
3101 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
3102 MIN(ssl_xfer_buffer_size, lim));
3103 while (inbytes == GNUTLS_E_AGAIN);
3104
3105 if (smtp_receive_timeout > 0) ALARM_CLR(0);
3106
3107 if (had_command_timeout) /* set by signal handler */
3108 smtp_command_timeout_exit(); /* does not return */
3109 if (had_command_sigterm)
3110 smtp_command_sigterm_exit();
3111 if (had_data_timeout)
3112 smtp_data_timeout_exit();
3113 if (had_data_sigint)
3114 smtp_data_sigint_exit();
3115
3116 /* Timeouts do not get this far. A zero-byte return appears to mean that the
3117 TLS session has been closed down, not that the socket itself has been closed
3118 down. Revert to non-TLS handling. */
3119
3120 if (sigalrm_seen)
3121 {
3122 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
3123 state->xfer_error = TRUE;
3124 return FALSE;
3125 }
3126
3127 else if (inbytes == 0)
3128 {
3129 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3130 tls_close(NULL, TLS_NO_SHUTDOWN);
3131 return FALSE;
3132 }
3133
3134 /* Handle genuine errors */
3135
3136 else if (inbytes < 0)
3137 {
3138 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
3139 record_io_error(state, (int) inbytes, US"recv", NULL);
3140 state->xfer_error = TRUE;
3141 return FALSE;
3142 }
3143 #ifndef DISABLE_DKIM
3144 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
3145 #endif
3146 state->xfer_buffer_hwm = (int) inbytes;
3147 state->xfer_buffer_lwm = 0;
3148 return TRUE;
3149 }
3150
3151 /*************************************************
3152 * TLS version of getc *
3153 *************************************************/
3154
3155 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
3156 it refills the buffer via the GnuTLS reading function.
3157 Only used by the server-side TLS.
3158
3159 This feeds DKIM and should be used for all message-body reads.
3160
3161 Arguments: lim Maximum amount to read/buffer
3162 Returns: the next character or EOF
3163 */
3164
3165 int
3166 tls_getc(unsigned lim)
3167 {
3168 exim_gnutls_state_st * state = &state_server;
3169
3170 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3171 if (!tls_refill(lim))
3172 return state->xfer_error ? EOF : smtp_getc(lim);
3173
3174 /* Something in the buffer; return next uschar */
3175
3176 return state->xfer_buffer[state->xfer_buffer_lwm++];
3177 }
3178
3179 uschar *
3180 tls_getbuf(unsigned * len)
3181 {
3182 exim_gnutls_state_st * state = &state_server;
3183 unsigned size;
3184 uschar * buf;
3185
3186 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3187 if (!tls_refill(*len))
3188 {
3189 if (!state->xfer_error) return smtp_getbuf(len);
3190 *len = 0;
3191 return NULL;
3192 }
3193
3194 if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
3195 size = *len;
3196 buf = &state->xfer_buffer[state->xfer_buffer_lwm];
3197 state->xfer_buffer_lwm += size;
3198 *len = size;
3199 return buf;
3200 }
3201
3202
3203 void
3204 tls_get_cache()
3205 {
3206 #ifndef DISABLE_DKIM
3207 exim_gnutls_state_st * state = &state_server;
3208 int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3209 if (n > 0)
3210 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
3211 #endif
3212 }
3213
3214
3215 BOOL
3216 tls_could_read(void)
3217 {
3218 return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3219 || gnutls_record_check_pending(state_server.session) > 0;
3220 }
3221
3222
3223
3224
3225 /*************************************************
3226 * Read bytes from TLS channel *
3227 *************************************************/
3228
3229 /* This does not feed DKIM, so if the caller uses this for reading message body,
3230 then the caller must feed DKIM.
3231
3232 Arguments:
3233 ct_ctx client context pointer, or NULL for the one global server context
3234 buff buffer of data
3235 len size of buffer
3236
3237 Returns: the number of bytes read
3238 -1 after a failed read, including EOF
3239 */
3240
3241 int
3242 tls_read(void * ct_ctx, uschar *buff, size_t len)
3243 {
3244 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3245 ssize_t inbytes;
3246
3247 if (len > INT_MAX)
3248 len = INT_MAX;
3249
3250 if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3251 DEBUG(D_tls)
3252 debug_printf("*** PROBABLY A BUG *** " \
3253 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3254 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3255
3256 DEBUG(D_tls)
3257 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
3258 state->session, buff, len);
3259
3260 do
3261 inbytes = gnutls_record_recv(state->session, buff, len);
3262 while (inbytes == GNUTLS_E_AGAIN);
3263
3264 if (inbytes > 0) return inbytes;
3265 if (inbytes == 0)
3266 {
3267 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3268 }
3269 else
3270 {
3271 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
3272 record_io_error(state, (int)inbytes, US"recv", NULL);
3273 }
3274
3275 return -1;
3276 }
3277
3278
3279
3280
3281 /*************************************************
3282 * Write bytes down TLS channel *
3283 *************************************************/
3284
3285 /*
3286 Arguments:
3287 ct_ctx client context pointer, or NULL for the one global server context
3288 buff buffer of data
3289 len number of bytes
3290 more more data expected soon
3291
3292 Returns: the number of bytes after a successful write,
3293 -1 after a failed write
3294 */
3295
3296 int
3297 tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
3298 {
3299 ssize_t outbytes;
3300 size_t left = len;
3301 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3302 #ifdef SUPPORT_CORK
3303 static BOOL corked = FALSE;
3304
3305 if (more && !corked) gnutls_record_cork(state->session);
3306 #endif
3307
3308 DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
3309 buff, left, more ? ", more" : "");
3310
3311 while (left > 0)
3312 {
3313 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
3314 buff, left);
3315
3316 do
3317 outbytes = gnutls_record_send(state->session, buff, left);
3318 while (outbytes == GNUTLS_E_AGAIN);
3319
3320 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
3321 if (outbytes < 0)
3322 {
3323 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
3324 record_io_error(state, outbytes, US"send", NULL);
3325 return -1;
3326 }
3327 if (outbytes == 0)
3328 {
3329 record_io_error(state, 0, US"send", US"TLS channel closed on write");
3330 return -1;
3331 }
3332
3333 left -= outbytes;
3334 buff += outbytes;
3335 }
3336
3337 if (len > INT_MAX)
3338 {
3339 DEBUG(D_tls)
3340 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
3341 len);
3342 len = INT_MAX;
3343 }
3344
3345 #ifdef SUPPORT_CORK
3346 if (more != corked)
3347 {
3348 if (!more) (void) gnutls_record_uncork(state->session, 0);
3349 corked = more;
3350 }
3351 #endif
3352
3353 return (int) len;
3354 }
3355
3356
3357
3358
3359 /*************************************************
3360 * Random number generation *
3361 *************************************************/
3362
3363 /* Pseudo-random number generation. The result is not expected to be
3364 cryptographically strong but not so weak that someone will shoot themselves
3365 in the foot using it as a nonce in input in some email header scheme or
3366 whatever weirdness they'll twist this into. The result should handle fork()
3367 and avoid repeating sequences. OpenSSL handles that for us.
3368
3369 Arguments:
3370 max range maximum
3371 Returns a random number in range [0, max-1]
3372 */
3373
3374 #ifdef HAVE_GNUTLS_RND
3375 int
3376 vaguely_random_number(int max)
3377 {
3378 unsigned int r;
3379 int i, needed_len;
3380 uschar smallbuf[sizeof(r)];
3381
3382 if (max <= 1)
3383 return 0;
3384
3385 needed_len = sizeof(r);
3386 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3387 asked for a number less than 10. */
3388
3389 for (r = max, i = 0; r; ++i)
3390 r >>= 1;
3391 i = (i + 7) / 8;
3392 if (i < needed_len)
3393 needed_len = i;
3394
3395 i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
3396 if (i < 0)
3397 {
3398 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
3399 return vaguely_random_number_fallback(max);
3400 }
3401 r = 0;
3402 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3403 r = r * 256 + *p;
3404
3405 /* We don't particularly care about weighted results; if someone wants
3406 * smooth distribution and cares enough then they should submit a patch then. */
3407 return r % max;
3408 }
3409 #else /* HAVE_GNUTLS_RND */
3410 int
3411 vaguely_random_number(int max)
3412 {
3413 return vaguely_random_number_fallback(max);
3414 }
3415 #endif /* HAVE_GNUTLS_RND */
3416
3417
3418
3419
3420 /*************************************************
3421 * Let tls_require_ciphers be checked at startup *
3422 *************************************************/
3423
3424 /* The tls_require_ciphers option, if set, must be something which the
3425 library can parse.
3426
3427 Returns: NULL on success, or error message
3428 */
3429
3430 uschar *
3431 tls_validate_require_cipher(void)
3432 {
3433 int rc;
3434 uschar *expciphers = NULL;
3435 gnutls_priority_t priority_cache;
3436 const char *errpos;
3437 uschar * dummy_errstr;
3438
3439 #ifdef GNUTLS_AUTO_GLOBAL_INIT
3440 # define validate_check_rc(Label) do { \
3441 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) \
3442 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3443 # define return_deinit(Label) do { return (Label); } while (0)
3444 #else
3445 # define validate_check_rc(Label) do { \
3446 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
3447 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3448 # define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
3449 #endif
3450
3451 if (exim_gnutls_base_init_done)
3452 log_write(0, LOG_MAIN|LOG_PANIC,
3453 "already initialised GnuTLS, Exim developer bug");
3454
3455 #if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
3456 if (!gnutls_allow_auto_pkcs11)
3457 {
3458 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
3459 validate_check_rc(US"gnutls_pkcs11_init");
3460 }
3461 #endif
3462 #ifndef GNUTLS_AUTO_GLOBAL_INIT
3463 rc = gnutls_global_init();
3464 validate_check_rc(US"gnutls_global_init()");
3465 #endif
3466 exim_gnutls_base_init_done = TRUE;
3467
3468 if (!(tls_require_ciphers && *tls_require_ciphers))
3469 return_deinit(NULL);
3470
3471 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3472 &dummy_errstr))
3473 return_deinit(US"failed to expand tls_require_ciphers");
3474
3475 if (!(expciphers && *expciphers))
3476 return_deinit(NULL);
3477
3478 DEBUG(D_tls)
3479 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3480
3481 rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
3482 validate_check_rc(string_sprintf(
3483 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
3484 expciphers, errpos - CS expciphers, errpos));
3485
3486 #undef return_deinit
3487 #undef validate_check_rc
3488 #ifndef GNUTLS_AUTO_GLOBAL_INIT
3489 gnutls_global_deinit();
3490 #endif
3491
3492 return NULL;
3493 }
3494
3495
3496
3497
3498 /*************************************************
3499 * Report the library versions. *
3500 *************************************************/
3501
3502 /* See a description in tls-openssl.c for an explanation of why this exists.
3503
3504 Arguments: a FILE* to print the results to
3505 Returns: nothing
3506 */
3507
3508 void
3509 tls_version_report(FILE *f)
3510 {
3511 fprintf(f, "Library version: GnuTLS: Compile: %s\n"
3512 " Runtime: %s\n",
3513 LIBGNUTLS_VERSION,
3514 gnutls_check_version(NULL));
3515 }
3516
3517 #endif /*!MACRO_PREDEF*/
3518 /* vi: aw ai sw=2
3519 */
3520 /* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.