projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
GnuTLS: fix build on intermediate-age libraries
[exim.git] / src / src / tls-gnu.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Copyright (c) Phil Pennock 2012 */
9
10 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
11 one of the available supported implementations. This file is #included into
12 tls.c when USE_GNUTLS has been set.
13
14 The code herein is a revamp of GnuTLS integration using the current APIs; the
15 original tls-gnu.c was based on a patch which was contributed by Nikos
16 Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
17 appropriate.
18
19 APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20 which is not widely deployed by OS vendors. Will note issues below, which may
21 assist in updating the code in the future. Another sources of hints is
22 mod_gnutls for Apache (SNI callback registration and handling).
23
24 Keeping client and server variables more split than before and is currently
25 the norm, in anticipation of TLS in ACL callouts.
26
27 I wanted to switch to gnutls_certificate_set_verify_function() so that
28 certificate rejection could happen during handshake where it belongs, rather
29 than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30 (6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
31
32 (I wasn't looking for libraries quite that old, when updating to get rid of
33 compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34 require current GnuTLS, then we'll drop support for the ancient libraries).
35 */
36
37 #include <gnutls/gnutls.h>
38 /* needed for cert checks in verification and DN extraction: */
39 #include <gnutls/x509.h>
40 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41 #include <gnutls/crypto.h>
42
43 /* needed to disable PKCS11 autoload unless requested */
44 #if GNUTLS_VERSION_NUMBER >= 0x020c00
45 # include <gnutls/pkcs11.h>
46 # define SUPPORT_PARAM_TO_PK_BITS
47 #endif
48 #if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
49 # warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
50 # define DISABLE_OCSP
51 #endif
52 #if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
53 # warning "GnuTLS library version too old; tls:cert event unsupported"
54 # define DISABLE_EVENT
55 #endif
56 #if GNUTLS_VERSION_NUMBER >= 0x030306
57 # define SUPPORT_CA_DIR
58 #else
59 # undef SUPPORT_CA_DIR
60 #endif
61 #if GNUTLS_VERSION_NUMBER >= 0x030014
62 # define SUPPORT_SYSDEFAULT_CABUNDLE
63 #endif
64 #if GNUTLS_VERSION_NUMBER >= 0x030104
65 # define GNUTLS_CERT_VFY_STATUS_PRINT
66 #endif
67 #if GNUTLS_VERSION_NUMBER >= 0x030109
68 # define SUPPORT_CORK
69 #endif
70 #if GNUTLS_VERSION_NUMBER >= 0x03010a
71 # define SUPPORT_GNUTLS_SESS_DESC
72 #endif
73 #if GNUTLS_VERSION_NUMBER >= 0x030500
74 # define SUPPORT_GNUTLS_KEYLOG
75 #endif
76 #if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
77 # define SUPPORT_SRV_OCSP_STACK
78 #endif
79 #if GNUTLS_VERSION_NUMBER >= 0x030603
80 # define SUPPORT_GNUTLS_EXT_RAW_PARSE
81 #endif
82
83 #ifdef SUPPORT_DANE
84 # if GNUTLS_VERSION_NUMBER >= 0x030000
85 # define DANESSL_USAGE_DANE_TA 2
86 # define DANESSL_USAGE_DANE_EE 3
87 # else
88 # error GnuTLS version too early for DANE
89 # endif
90 # if GNUTLS_VERSION_NUMBER < 0x999999
91 # define GNUTLS_BROKEN_DANE_VALIDATION
92 # endif
93 #endif
94
95 #ifdef EXPERIMENTAL_TLS_RESUME
96 # if GNUTLS_VERSION_NUMBER < 0x030603
97 # error GNUTLS version too early for session-resumption
98 # endif
99 #endif
100
101 #ifndef DISABLE_OCSP
102 # include <gnutls/ocsp.h>
103 #endif
104 #ifdef SUPPORT_DANE
105 # include <gnutls/dane.h>
106 #endif
107
108 #include "tls-cipher-stdname.c"
109
110
111 #ifdef MACRO_PREDEF
112 void
113 options_tls(void)
114 {
115 # ifdef EXPERIMENTAL_TLS_RESUME
116 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
117 # endif
118 }
119 #else
120
121
122 /* GnuTLS 2 vs 3
123
124 GnuTLS 3 only:
125 gnutls_global_set_audit_log_function()
126
127 Changes:
128 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
129 */
130
131 /* Local static variables for GnuTLS */
132
133 /* Values for verify_requirement */
134
135 enum peer_verify_requirement
136 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
137
138 /* This holds most state for server or client; with this, we can set up an
139 outbound TLS-enabled connection in an ACL callout, while not stomping all
140 over the TLS variables available for expansion.
141
142 Some of these correspond to variables in globals.c; those variables will
143 be set to point to content in one of these instances, as appropriate for
144 the stage of the process lifetime.
145
146 Not handled here: global tls_channelbinding_b64.
147 */
148
149 typedef struct exim_gnutls_state {
150 gnutls_session_t session;
151 gnutls_certificate_credentials_t x509_cred;
152 gnutls_priority_t priority_cache;
153 enum peer_verify_requirement verify_requirement;
154 int fd_in;
155 int fd_out;
156 BOOL peer_cert_verified;
157 BOOL peer_dane_verified;
158 BOOL trigger_sni_changes;
159 BOOL have_set_peerdn;
160 const struct host_item *host; /* NULL if server */
161 gnutls_x509_crt_t peercert;
162 uschar *peerdn;
163 uschar *ciphersuite;
164 uschar *received_sni;
165
166 const uschar *tls_certificate;
167 const uschar *tls_privatekey;
168 const uschar *tls_sni; /* client send only, not received */
169 const uschar *tls_verify_certificates;
170 const uschar *tls_crl;
171 const uschar *tls_require_ciphers;
172
173 uschar *exp_tls_certificate;
174 uschar *exp_tls_privatekey;
175 uschar *exp_tls_verify_certificates;
176 uschar *exp_tls_crl;
177 uschar *exp_tls_require_ciphers;
178 const uschar *exp_tls_verify_cert_hostnames;
179 #ifndef DISABLE_EVENT
180 uschar *event_action;
181 #endif
182 #ifdef SUPPORT_DANE
183 char * const * dane_data;
184 const int * dane_data_len;
185 #endif
186
187 tls_support *tlsp; /* set in tls_init() */
188
189 uschar *xfer_buffer;
190 int xfer_buffer_lwm;
191 int xfer_buffer_hwm;
192 BOOL xfer_eof; /*XXX never gets set! */
193 BOOL xfer_error;
194 } exim_gnutls_state_st;
195
196 static const exim_gnutls_state_st exim_gnutls_state_init = {
197 /* all elements not explicitly intialised here get 0/NULL/FALSE */
198 .fd_in = -1,
199 .fd_out = -1,
200 };
201
202 /* Not only do we have our own APIs which don't pass around state, assuming
203 it's held in globals, GnuTLS doesn't appear to let us register callback data
204 for callbacks, or as part of the session, so we have to keep a "this is the
205 context we're currently dealing with" pointer and rely upon being
206 single-threaded to keep from processing data on an inbound TLS connection while
207 talking to another TLS connection for an outbound check. This does mean that
208 there's no way for heart-beats to be responded to, for the duration of the
209 second connection.
210 XXX But see gnutls_session_get_ptr()
211 */
212
213 static exim_gnutls_state_st state_server;
214
215 /* dh_params are initialised once within the lifetime of a process using TLS;
216 if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
217 don't want to repeat this. */
218
219 static gnutls_dh_params_t dh_server_params = NULL;
220
221 static int ssl_session_timeout = 7200; /* Two hours */
222
223 static const uschar * const exim_default_gnutls_priority = US"NORMAL";
224
225 /* Guard library core initialisation */
226
227 static BOOL exim_gnutls_base_init_done = FALSE;
228
229 #ifndef DISABLE_OCSP
230 static BOOL gnutls_buggy_ocsp = FALSE;
231 static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
232 #endif
233
234 #ifdef EXPERIMENTAL_TLS_RESUME
235 static gnutls_datum_t server_sessticket_key;
236 #endif
237
238 /* ------------------------------------------------------------------------ */
239 /* macros */
240
241 #define MAX_HOST_LEN 255
242
243 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
244 the library logging; a value less than 0 disables the calls to set up logging
245 callbacks. GNuTLS also looks for an environment variable - except not for
246 setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
247 Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
248 but the env var must be added to /etc/sudoers too. */
249 #ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
250 # define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
251 #endif
252
253 #ifndef EXIM_CLIENT_DH_MIN_BITS
254 # define EXIM_CLIENT_DH_MIN_BITS 1024
255 #endif
256
257 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
258 can ask for a bit-strength. Without that, we stick to the constant we had
259 before, for now. */
260 #ifndef EXIM_SERVER_DH_BITS_PRE2_12
261 # define EXIM_SERVER_DH_BITS_PRE2_12 1024
262 #endif
263
264 #define expand_check_tlsvar(Varname, errstr) \
265 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
266
267 #if GNUTLS_VERSION_NUMBER >= 0x020c00
268 # define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
269 # define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
270 # define HAVE_GNUTLS_RND
271 /* The security fix we provide with the gnutls_allow_auto_pkcs11 option
272 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
273 * isn't available sometimes, so this needs to become a conditional
274 * compilation; the sanest way to deal with this being a problem on
275 * older OSes is to block it in the Local/Makefile with this compiler
276 * definition */
277 # ifndef AVOID_GNUTLS_PKCS11
278 # define HAVE_GNUTLS_PKCS11
279 # endif /* AVOID_GNUTLS_PKCS11 */
280 #endif
281
282
283
284
285 /* ------------------------------------------------------------------------ */
286 /* Callback declarations */
287
288 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
289 static void exim_gnutls_logger_cb(int level, const char *message);
290 #endif
291
292 static int exim_sni_handling_cb(gnutls_session_t session);
293
294 #if !defined(DISABLE_OCSP)
295 static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
296 gnutls_datum_t * ocsp_response);
297 #endif
298
299 #ifdef EXPERIMENTAL_TLS_RESUME
300 static int
301 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
302 unsigned incoming, const gnutls_datum_t * msg);
303 #endif
304
305
306 /* Daemon one-time initialisation */
307 void
308 tls_daemon_init(void)
309 {
310 #ifdef EXPERIMENTAL_TLS_RESUME
311 /* We are dependent on the GnuTLS implementation of the Session Ticket
312 encryption; both the strength and the key rotation period. We hope that
313 the strength at least matches that of the ciphersuite (but GnuTLS does not
314 document this). */
315
316 static BOOL once = FALSE;
317 if (once) return;
318 once = TRUE;
319 gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
320 if (f.running_in_test_harness) ssl_session_timeout = 6;
321 #endif
322 }
323
324 /* ------------------------------------------------------------------------ */
325 /* Static functions */
326
327 /*************************************************
328 * Handle TLS error *
329 *************************************************/
330
331 /* Called from lots of places when errors occur before actually starting to do
332 the TLS handshake, that is, while the session is still in clear. Always returns
333 DEFER for a server and FAIL for a client so that most calls can use "return
334 tls_error(...)" to do this processing and then give an appropriate return. A
335 single function is used for both server and client, because it is called from
336 some shared functions.
337
338 Argument:
339 prefix text to include in the logged error
340 msg additional error string (may be NULL)
341 usually obtained from gnutls_strerror()
342 host NULL if setting up a server;
343 the connected host if setting up a client
344 errstr pointer to returned error string
345
346 Returns: OK/DEFER/FAIL
347 */
348
349 static int
350 tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
351 uschar ** errstr)
352 {
353 if (errstr)
354 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
355 return host ? FAIL : DEFER;
356 }
357
358
359 static int
360 tls_error_gnu(const uschar *prefix, int err, const host_item *host,
361 uschar ** errstr)
362 {
363 return tls_error(prefix, US gnutls_strerror(err), host, errstr);
364 }
365
366 static int
367 tls_error_sys(const uschar *prefix, int err, const host_item *host,
368 uschar ** errstr)
369 {
370 return tls_error(prefix, US strerror(err), host, errstr);
371 }
372
373
374 /*************************************************
375 * Deal with logging errors during I/O *
376 *************************************************/
377
378 /* We have to get the identity of the peer from saved data.
379
380 Argument:
381 state the current GnuTLS exim state container
382 rc the GnuTLS error code, or 0 if it's a local error
383 when text identifying read or write
384 text local error text when rc is 0
385
386 Returns: nothing
387 */
388
389 static void
390 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
391 {
392 const uschar * msg;
393 uschar * errstr;
394
395 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
396 msg = string_sprintf("A TLS fatal alert has been received: %s",
397 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
398 else
399 msg = US gnutls_strerror(rc);
400
401 (void) tls_error(when, msg, state->host, &errstr);
402
403 if (state->host)
404 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
405 state->host->name, state->host->address, errstr);
406 else
407 {
408 uschar * conn_info = smtp_get_connection_info();
409 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
410 /* I'd like to get separated H= here, but too hard for now */
411 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
412 }
413 }
414
415
416
417
418 /*************************************************
419 * Set various Exim expansion vars *
420 *************************************************/
421
422 #define exim_gnutls_cert_err(Label) \
423 do \
424 { \
425 if (rc != GNUTLS_E_SUCCESS) \
426 { \
427 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
428 (Label), gnutls_strerror(rc)); \
429 return rc; \
430 } \
431 } while (0)
432
433 static int
434 import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
435 {
436 int rc;
437
438 rc = gnutls_x509_crt_init(crtp);
439 exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
440
441 rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
442 exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
443
444 return rc;
445 }
446
447 #undef exim_gnutls_cert_err
448
449
450 /* We set various Exim global variables from the state, once a session has
451 been established. With TLS callouts, may need to change this to stack
452 variables, or just re-call it with the server state after client callout
453 has finished.
454
455 Make sure anything set here is unset in tls_getc().
456
457 Sets:
458 tls_active fd
459 tls_bits strength indicator
460 tls_certificate_verified bool indicator
461 tls_channelbinding_b64 for some SASL mechanisms
462 tls_cipher a string
463 tls_peercert pointer to library internal
464 tls_peerdn a string
465 tls_sni a (UTF-8) string
466 tls_ourcert pointer to library internal
467
468 Argument:
469 state the relevant exim_gnutls_state_st *
470 */
471
472 static void
473 extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
474 {
475 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
476 int old_pool;
477 int rc;
478 gnutls_datum_t channel;
479 #endif
480 tls_support * tlsp = state->tlsp;
481
482 tlsp->active.sock = state->fd_out;
483 tlsp->active.tls_ctx = state;
484
485 DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
486
487 tlsp->certificate_verified = state->peer_cert_verified;
488 #ifdef SUPPORT_DANE
489 tlsp->dane_verified = state->peer_dane_verified;
490 #endif
491
492 /* note that tls_channelbinding_b64 is not saved to the spool file, since it's
493 only available for use for authenticators while this TLS session is running. */
494
495 tls_channelbinding_b64 = NULL;
496 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
497 channel.data = NULL;
498 channel.size = 0;
499 if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
500 { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
501 else
502 {
503 old_pool = store_pool;
504 store_pool = POOL_PERM;
505 tls_channelbinding_b64 = b64encode(CUS channel.data, (int)channel.size);
506 store_pool = old_pool;
507 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
508 }
509 #endif
510
511 /* peercert is set in peer_status() */
512 tlsp->peerdn = state->peerdn;
513 tlsp->sni = state->received_sni;
514
515 /* record our certificate */
516 {
517 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
518 gnutls_x509_crt_t crt;
519
520 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
521 }
522 }
523
524
525
526
527 /*************************************************
528 * Setup up DH parameters *
529 *************************************************/
530
531 /* Generating the D-H parameters may take a long time. They only need to
532 be re-generated every so often, depending on security policy. What we do is to
533 keep these parameters in a file in the spool directory. If the file does not
534 exist, we generate them. This means that it is easy to cause a regeneration.
535
536 The new file is written as a temporary file and renamed, so that an incomplete
537 file is never present. If two processes both compute some new parameters, you
538 waste a bit of effort, but it doesn't seem worth messing around with locking to
539 prevent this.
540
541 Returns: OK/DEFER/FAIL
542 */
543
544 static int
545 init_server_dh(uschar ** errstr)
546 {
547 int fd, rc;
548 unsigned int dh_bits;
549 gnutls_datum_t m;
550 uschar filename_buf[PATH_MAX];
551 uschar *filename = NULL;
552 size_t sz;
553 uschar *exp_tls_dhparam;
554 BOOL use_file_in_spool = FALSE;
555 host_item *host = NULL; /* dummy for macros */
556
557 DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
558
559 if ((rc = gnutls_dh_params_init(&dh_server_params)))
560 return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
561
562 m.data = NULL;
563 m.size = 0;
564
565 if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
566 return DEFER;
567
568 if (!exp_tls_dhparam)
569 {
570 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
571 m.data = US std_dh_prime_default();
572 m.size = Ustrlen(m.data);
573 }
574 else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
575 use_file_in_spool = TRUE;
576 else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
577 {
578 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
579 return OK;
580 }
581 else if (exp_tls_dhparam[0] != '/')
582 {
583 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
584 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
585 m.size = Ustrlen(m.data);
586 }
587 else
588 filename = exp_tls_dhparam;
589
590 if (m.data)
591 {
592 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
593 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
594 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
595 return OK;
596 }
597
598 #ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
599 /* If you change this constant, also change dh_param_fn_ext so that we can use a
600 different filename and ensure we have sufficient bits. */
601
602 if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
603 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
604 DEBUG(D_tls)
605 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
606 dh_bits);
607 #else
608 dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
609 DEBUG(D_tls)
610 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
611 dh_bits);
612 #endif
613
614 /* Some clients have hard-coded limits. */
615 if (dh_bits > tls_dh_max_bits)
616 {
617 DEBUG(D_tls)
618 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
619 tls_dh_max_bits);
620 dh_bits = tls_dh_max_bits;
621 }
622
623 if (use_file_in_spool)
624 {
625 if (!string_format(filename_buf, sizeof(filename_buf),
626 "%s/gnutls-params-%d", spool_directory, dh_bits))
627 return tls_error(US"overlong filename", NULL, NULL, errstr);
628 filename = filename_buf;
629 }
630
631 /* Open the cache file for reading and if successful, read it and set up the
632 parameters. */
633
634 if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
635 {
636 struct stat statbuf;
637 FILE *fp;
638 int saved_errno;
639
640 if (fstat(fd, &statbuf) < 0) /* EIO */
641 {
642 saved_errno = errno;
643 (void)close(fd);
644 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
645 }
646 if (!S_ISREG(statbuf.st_mode))
647 {
648 (void)close(fd);
649 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
650 }
651 if (!(fp = fdopen(fd, "rb")))
652 {
653 saved_errno = errno;
654 (void)close(fd);
655 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
656 saved_errno, NULL, errstr);
657 }
658
659 m.size = statbuf.st_size;
660 if (!(m.data = store_malloc(m.size)))
661 {
662 fclose(fp);
663 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
664 }
665 if (!(sz = fread(m.data, m.size, 1, fp)))
666 {
667 saved_errno = errno;
668 fclose(fp);
669 store_free(m.data);
670 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
671 }
672 fclose(fp);
673
674 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
675 store_free(m.data);
676 if (rc)
677 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
678 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
679 }
680
681 /* If the file does not exist, fall through to compute new data and cache it.
682 If there was any other opening error, it is serious. */
683
684 else if (errno == ENOENT)
685 {
686 rc = -1;
687 DEBUG(D_tls)
688 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
689 }
690 else
691 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
692 NULL, NULL, errstr);
693
694 /* If ret < 0, either the cache file does not exist, or the data it contains
695 is not useful. One particular case of this is when upgrading from an older
696 release of Exim in which the data was stored in a different format. We don't
697 try to be clever and support both formats; we just regenerate new data in this
698 case. */
699
700 if (rc < 0)
701 {
702 uschar *temp_fn;
703 unsigned int dh_bits_gen = dh_bits;
704
705 if ((PATH_MAX - Ustrlen(filename)) < 10)
706 return tls_error(US"Filename too long to generate replacement",
707 filename, NULL, errstr);
708
709 temp_fn = string_copy(US"%s.XXXXXXX");
710 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
711 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
712 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
713
714 /* GnuTLS overshoots!
715 * If we ask for 2236, we might get 2237 or more.
716 * But there's no way to ask GnuTLS how many bits there really are.
717 * We can ask how many bits were used in a TLS session, but that's it!
718 * The prime itself is hidden behind too much abstraction.
719 * So we ask for less, and proceed on a wing and a prayer.
720 * First attempt, subtracted 3 for 2233 and got 2240.
721 */
722 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
723 {
724 dh_bits_gen = dh_bits - 10;
725 DEBUG(D_tls)
726 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
727 dh_bits_gen);
728 }
729
730 DEBUG(D_tls)
731 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
732 dh_bits_gen);
733 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
734 return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
735
736 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
737 and I confirmed that a NULL call to get the size first is how the GnuTLS
738 sample apps handle this. */
739
740 sz = 0;
741 m.data = NULL;
742 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
743 GNUTLS_X509_FMT_PEM, m.data, &sz))
744 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
745 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
746 rc, host, errstr);
747 m.size = sz;
748 if (!(m.data = store_malloc(m.size)))
749 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
750
751 /* this will return a size 1 less than the allocation size above */
752 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
753 m.data, &sz)))
754 {
755 store_free(m.data);
756 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
757 }
758 m.size = sz; /* shrink by 1, probably */
759
760 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
761 {
762 store_free(m.data);
763 return tls_error_sys(US"TLS cache write D-H params failed",
764 errno, NULL, errstr);
765 }
766 store_free(m.data);
767 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
768 return tls_error_sys(US"TLS cache write D-H params final newline failed",
769 errno, NULL, errstr);
770
771 if ((rc = close(fd)))
772 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
773
774 if (Urename(temp_fn, filename) < 0)
775 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
776 temp_fn, filename), errno, NULL, errstr);
777
778 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
779 }
780
781 DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
782 return OK;
783 }
784
785
786
787
788 /* Create and install a selfsigned certificate, for use in server mode */
789
790 static int
791 tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
792 {
793 gnutls_x509_crt_t cert = NULL;
794 time_t now;
795 gnutls_x509_privkey_t pkey = NULL;
796 const uschar * where;
797 int rc;
798
799 where = US"initialising pkey";
800 if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
801
802 where = US"initialising cert";
803 if ((rc = gnutls_x509_crt_init(&cert))) goto err;
804
805 where = US"generating pkey";
806 if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
807 #ifdef SUPPORT_PARAM_TO_PK_BITS
808 # ifndef GNUTLS_SEC_PARAM_MEDIUM
809 # define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
810 # endif
811 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
812 #else
813 2048,
814 #endif
815 0)))
816 goto err;
817
818 where = US"configuring cert";
819 now = 1;
820 if ( (rc = gnutls_x509_crt_set_version(cert, 3))
821 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
822 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
823 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
824 || (rc = gnutls_x509_crt_set_key(cert, pkey))
825
826 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
827 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
828 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
829 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
830 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
831 GNUTLS_OID_X520_COMMON_NAME, 0,
832 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
833 )
834 goto err;
835
836 where = US"signing cert";
837 if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
838
839 where = US"installing selfsign cert";
840 /* Since: 2.4.0 */
841 if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
842 goto err;
843
844 rc = OK;
845
846 out:
847 if (cert) gnutls_x509_crt_deinit(cert);
848 if (pkey) gnutls_x509_privkey_deinit(pkey);
849 return rc;
850
851 err:
852 rc = tls_error_gnu(where, rc, NULL, errstr);
853 goto out;
854 }
855
856
857
858
859 /* Add certificate and key, from files.
860
861 Return:
862 Zero or negative: good. Negate value for certificate index if < 0.
863 Greater than zero: FAIL or DEFER code.
864 */
865
866 static int
867 tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
868 uschar * certfile, uschar * keyfile, uschar ** errstr)
869 {
870 int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
871 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
872 if (rc < 0)
873 return tls_error_gnu(
874 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
875 rc, host, errstr);
876 return -rc;
877 }
878
879
880 #ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
881 /* Make a note that we saw a status-request */
882 static int
883 tls_server_clienthello_ext(void * ctx, unsigned tls_id,
884 const unsigned char *data, unsigned size)
885 {
886 /* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
887 if (tls_id == 5) /* status_request */
888 {
889 DEBUG(D_tls) debug_printf("Seen status_request extension\n");
890 tls_in.ocsp = OCSP_NOT_RESP;
891 }
892 return 0;
893 }
894
895 /* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
896 static int
897 tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
898 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
899 {
900 /* Call fn for each extension seen. 3.6.3 onwards */
901 return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
902 GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
903 }
904 #endif
905
906 /* Callback for certificate-status, on server. We sent stapled OCSP. */
907 static int
908 tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
909 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
910 {
911 DEBUG(D_tls) debug_printf("Sending certificate-status\n");
912 #ifdef SUPPORT_SRV_OCSP_STACK
913 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
914 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
915 #else
916 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
917 #endif
918 return 0;
919 }
920
921 /* Callback for handshake messages, on server */
922 static int
923 tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
924 unsigned incoming, const gnutls_datum_t * msg)
925 {
926 switch (htype)
927 {
928 #ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
929 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
930 return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
931 #endif
932 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
933 return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
934 #ifdef EXPERIMENTAL_TLS_RESUME
935 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
936 return tls_server_ticket_cb(sess, htype, when, incoming, msg);
937 #endif
938 default:
939 return 0;
940 }
941 }
942
943
944 static void
945 tls_server_testharness_ocsp_fiddle(void)
946 {
947 extern char ** environ;
948 if (environ) for (uschar ** p = USS environ; *p; p++)
949 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
950 {
951 DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
952 exim_testharness_disable_ocsp_validity_check = TRUE;
953 }
954 }
955
956 /*************************************************
957 * Variables re-expanded post-SNI *
958 *************************************************/
959
960 /* Called from both server and client code, via tls_init(), and also from
961 the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
962
963 We can tell the two apart by state->received_sni being non-NULL in callback.
964
965 The callback should not call us unless state->trigger_sni_changes is true,
966 which we are responsible for setting on the first pass through.
967
968 Arguments:
969 state exim_gnutls_state_st *
970 errstr error string pointer
971
972 Returns: OK/DEFER/FAIL
973 */
974
975 static int
976 tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
977 {
978 struct stat statbuf;
979 int rc;
980 const host_item *host = state->host; /* macro should be reconsidered? */
981 uschar *saved_tls_certificate = NULL;
982 uschar *saved_tls_privatekey = NULL;
983 uschar *saved_tls_verify_certificates = NULL;
984 uschar *saved_tls_crl = NULL;
985 int cert_count;
986
987 /* We check for tls_sni *before* expansion. */
988 if (!host) /* server */
989 if (!state->received_sni)
990 {
991 if ( state->tls_certificate
992 && ( Ustrstr(state->tls_certificate, US"tls_sni")
993 || Ustrstr(state->tls_certificate, US"tls_in_sni")
994 || Ustrstr(state->tls_certificate, US"tls_out_sni")
995 ) )
996 {
997 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
998 state->trigger_sni_changes = TRUE;
999 }
1000 }
1001 else
1002 {
1003 /* useful for debugging */
1004 saved_tls_certificate = state->exp_tls_certificate;
1005 saved_tls_privatekey = state->exp_tls_privatekey;
1006 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
1007 saved_tls_crl = state->exp_tls_crl;
1008 }
1009
1010 if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
1011 return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
1012 rc, host, errstr);
1013
1014 #ifdef SUPPORT_SRV_OCSP_STACK
1015 gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
1016 #endif
1017
1018 /* remember: expand_check_tlsvar() is expand_check() but fiddling with
1019 state members, assuming consistent naming; and expand_check() returns
1020 false if expansion failed, unless expansion was forced to fail. */
1021
1022 /* check if we at least have a certificate, before doing expensive
1023 D-H generation. */
1024
1025 if (!expand_check_tlsvar(tls_certificate, errstr))
1026 return DEFER;
1027
1028 /* certificate is mandatory in server, optional in client */
1029
1030 if ( !state->exp_tls_certificate
1031 || !*state->exp_tls_certificate
1032 )
1033 if (!host)
1034 return tls_install_selfsign(state, errstr);
1035 else
1036 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
1037
1038 if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
1039 return DEFER;
1040
1041 /* tls_privatekey is optional, defaulting to same file as certificate */
1042
1043 if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
1044 {
1045 state->tls_privatekey = state->tls_certificate;
1046 state->exp_tls_privatekey = state->exp_tls_certificate;
1047 }
1048
1049
1050 if (state->exp_tls_certificate && *state->exp_tls_certificate)
1051 {
1052 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
1053 state->exp_tls_certificate, state->exp_tls_privatekey);
1054
1055 if (state->received_sni)
1056 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
1057 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
1058 )
1059 {
1060 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
1061 }
1062 else
1063 {
1064 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
1065 }
1066
1067 if (!host) /* server */
1068 {
1069 const uschar * clist = state->exp_tls_certificate;
1070 const uschar * klist = state->exp_tls_privatekey;
1071 const uschar * olist;
1072 int csep = 0, ksep = 0, osep = 0, cnt = 0;
1073 uschar * cfile, * kfile, * ofile;
1074
1075 #ifndef DISABLE_OCSP
1076 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
1077 return DEFER;
1078 olist = ofile;
1079 #endif
1080
1081 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
1082
1083 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
1084 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
1085 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
1086 return rc;
1087 else
1088 {
1089 int gnutls_cert_index = -rc;
1090 DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n", gnutls_cert_index, cfile);
1091
1092 /* Set the OCSP stapling server info */
1093
1094 #ifndef DISABLE_OCSP
1095 if (tls_ocsp_file)
1096 {
1097 if (gnutls_buggy_ocsp)
1098 {
1099 DEBUG(D_tls)
1100 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1101 }
1102 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1103 {
1104 DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile);
1105
1106 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1107 if (f.running_in_test_harness) tls_server_testharness_ocsp_fiddle();
1108
1109 if (!exim_testharness_disable_ocsp_validity_check)
1110 {
1111 if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
1112 state->x509_cred, CCS ofile, gnutls_cert_index,
1113 GNUTLS_X509_FMT_DER)) < 0)
1114 return tls_error_gnu(
1115 US"gnutls_certificate_set_ocsp_status_request_file2",
1116 rc, host, errstr);
1117
1118 /* Arrange callbacks for OCSP request observability */
1119
1120 gnutls_handshake_set_hook_function(state->session,
1121 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1122 }
1123 else
1124 # elif defined(SUPPORT_SRV_OCSP_STACK)
1125 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1126 state->x509_cred, gnutls_cert_index,
1127 server_ocsp_stapling_cb, ofile)))
1128 return tls_error_gnu(
1129 US"gnutls_certificate_set_ocsp_status_request_function2",
1130 rc, host, errstr);
1131 else
1132 # endif
1133 {
1134 if (cnt++ > 0)
1135 {
1136 DEBUG(D_tls)
1137 debug_printf("oops; multiple OCSP files not supported\n");
1138 break;
1139 }
1140 gnutls_certificate_set_ocsp_status_request_function(
1141 state->x509_cred, server_ocsp_stapling_cb, ofile);
1142 }
1143 }
1144 else
1145 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
1146 }
1147 #endif /* DISABLE_OCSP */
1148 }
1149 }
1150 else /* client */
1151 {
1152 if (0 < (rc = tls_add_certfile(state, host,
1153 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1154 return rc;
1155 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1156 }
1157
1158 } /* tls_certificate */
1159
1160
1161 /* Set the trusted CAs file if one is provided, and then add the CRL if one is
1162 provided. Experiment shows that, if the certificate file is empty, an unhelpful
1163 error message is provided. However, if we just refrain from setting anything up
1164 in that case, certificate verification fails, which seems to be the correct
1165 behaviour. */
1166
1167 if (state->tls_verify_certificates && *state->tls_verify_certificates)
1168 {
1169 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
1170 return DEFER;
1171 #ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1172 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1173 state->exp_tls_verify_certificates = NULL;
1174 #endif
1175 if (state->tls_crl && *state->tls_crl)
1176 if (!expand_check_tlsvar(tls_crl, errstr))
1177 return DEFER;
1178
1179 if (!(state->exp_tls_verify_certificates &&
1180 *state->exp_tls_verify_certificates))
1181 {
1182 DEBUG(D_tls)
1183 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1184 /* With no tls_verify_certificates, we ignore tls_crl too */
1185 return OK;
1186 }
1187 }
1188 else
1189 {
1190 DEBUG(D_tls)
1191 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1192 return OK;
1193 }
1194
1195 #ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1196 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1197 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1198 else
1199 #endif
1200 {
1201 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1202 {
1203 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
1204 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1205 strerror(errno));
1206 return DEFER;
1207 }
1208
1209 #ifndef SUPPORT_CA_DIR
1210 /* The test suite passes in /dev/null; we could check for that path explicitly,
1211 but who knows if someone has some weird FIFO which always dumps some certs, or
1212 other weirdness. The thing we really want to check is that it's not a
1213 directory, since while OpenSSL supports that, GnuTLS does not.
1214 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
1215 if (S_ISDIR(statbuf.st_mode))
1216 {
1217 DEBUG(D_tls)
1218 debug_printf("verify certificates path is a dir: \"%s\"\n",
1219 state->exp_tls_verify_certificates);
1220 log_write(0, LOG_MAIN|LOG_PANIC,
1221 "tls_verify_certificates \"%s\" is a directory",
1222 state->exp_tls_verify_certificates);
1223 return DEFER;
1224 }
1225 #endif
1226
1227 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1228 state->exp_tls_verify_certificates, statbuf.st_size);
1229
1230 if (statbuf.st_size == 0)
1231 {
1232 DEBUG(D_tls)
1233 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1234 return OK;
1235 }
1236
1237 cert_count =
1238
1239 #ifdef SUPPORT_CA_DIR
1240 (statbuf.st_mode & S_IFMT) == S_IFDIR
1241 ?
1242 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1243 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1244 :
1245 #endif
1246 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1247 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
1248
1249 #ifdef SUPPORT_CA_DIR
1250 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1251 when using the directory-of-certs config model. */
1252
1253 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1254 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1255 #endif
1256 }
1257
1258 if (cert_count < 0)
1259 return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
1260 DEBUG(D_tls)
1261 debug_printf("Added %d certificate authorities.\n", cert_count);
1262
1263 if (state->tls_crl && *state->tls_crl &&
1264 state->exp_tls_crl && *state->exp_tls_crl)
1265 {
1266 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
1267 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1268 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
1269 return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
1270 cert_count, host, errstr);
1271
1272 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1273 }
1274
1275 return OK;
1276 }
1277
1278
1279
1280
1281 /*************************************************
1282 * Set X.509 state variables *
1283 *************************************************/
1284
1285 /* In GnuTLS, the registered cert/key are not replaced by a later
1286 set of a cert/key, so for SNI support we need a whole new x509_cred
1287 structure. Which means various other non-re-expanded pieces of state
1288 need to be re-set in the new struct, so the setting logic is pulled
1289 out to this.
1290
1291 Arguments:
1292 state exim_gnutls_state_st *
1293 errstr error string pointer
1294
1295 Returns: OK/DEFER/FAIL
1296 */
1297
1298 static int
1299 tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1300 {
1301 int rc;
1302 const host_item *host = state->host; /* macro should be reconsidered? */
1303
1304 /* Create D-H parameters, or read them from the cache file. This function does
1305 its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1306 client-side params. */
1307
1308 if (!state->host)
1309 {
1310 if (!dh_server_params)
1311 if ((rc = init_server_dh(errstr)) != OK) return rc;
1312 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1313 }
1314
1315 /* Link the credentials to the session. */
1316
1317 if ((rc = gnutls_credentials_set(state->session,
1318 GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
1319 return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
1320
1321 return OK;
1322 }
1323
1324 /*************************************************
1325 * Initialize for GnuTLS *
1326 *************************************************/
1327
1328
1329 #ifndef DISABLE_OCSP
1330
1331 static BOOL
1332 tls_is_buggy_ocsp(void)
1333 {
1334 const uschar * s;
1335 uschar maj, mid, mic;
1336
1337 s = CUS gnutls_check_version(NULL);
1338 maj = atoi(CCS s);
1339 if (maj == 3)
1340 {
1341 while (*s && *s != '.') s++;
1342 mid = atoi(CCS ++s);
1343 if (mid <= 2)
1344 return TRUE;
1345 else if (mid >= 5)
1346 return FALSE;
1347 else
1348 {
1349 while (*s && *s != '.') s++;
1350 mic = atoi(CCS ++s);
1351 return mic <= (mid == 3 ? 16 : 3);
1352 }
1353 }
1354 return FALSE;
1355 }
1356
1357 #endif
1358
1359
1360 /* Called from both server and client code. In the case of a server, errors
1361 before actual TLS negotiation return DEFER.
1362
1363 Arguments:
1364 host connected host, if client; NULL if server
1365 certificate certificate file
1366 privatekey private key file
1367 sni TLS SNI to send, sometimes when client; else NULL
1368 cas CA certs file
1369 crl CRL file
1370 require_ciphers tls_require_ciphers setting
1371 caller_state returned state-info structure
1372 errstr error string pointer
1373
1374 Returns: OK/DEFER/FAIL
1375 */
1376
1377 static int
1378 tls_init(
1379 const host_item *host,
1380 const uschar *certificate,
1381 const uschar *privatekey,
1382 const uschar *sni,
1383 const uschar *cas,
1384 const uschar *crl,
1385 const uschar *require_ciphers,
1386 exim_gnutls_state_st **caller_state,
1387 tls_support * tlsp,
1388 uschar ** errstr)
1389 {
1390 exim_gnutls_state_st * state;
1391 int rc;
1392 size_t sz;
1393 const char * errpos;
1394 const uschar * p;
1395
1396 if (!exim_gnutls_base_init_done)
1397 {
1398 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1399
1400 #ifdef HAVE_GNUTLS_PKCS11
1401 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1402 which loads modules from a config file, which sounds good and may be wanted
1403 by some sysadmin, but also means in common configurations that GNOME keyring
1404 environment variables are used and so breaks for users calling mailq.
1405 To prevent this, we init PKCS11 first, which is the documented approach. */
1406 if (!gnutls_allow_auto_pkcs11)
1407 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
1408 return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
1409 #endif
1410
1411 if ((rc = gnutls_global_init()))
1412 return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
1413
1414 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1415 DEBUG(D_tls)
1416 {
1417 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1418 /* arbitrarily chosen level; bump up to 9 for more */
1419 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
1420 }
1421 #endif
1422
1423 #ifndef DISABLE_OCSP
1424 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
1425 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
1426 #endif
1427
1428 exim_gnutls_base_init_done = TRUE;
1429 }
1430
1431 if (host)
1432 {
1433 /* For client-side sessions we allocate a context. This lets us run
1434 several in parallel. */
1435 int old_pool = store_pool;
1436 store_pool = POOL_PERM;
1437 state = store_get(sizeof(exim_gnutls_state_st), FALSE);
1438 store_pool = old_pool;
1439
1440 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1441 state->tlsp = tlsp;
1442 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1443 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1444 }
1445 else
1446 {
1447 state = &state_server;
1448 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1449 state->tlsp = tlsp;
1450 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1451 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1452 }
1453 if (rc)
1454 return tls_error_gnu(US"gnutls_init", rc, host, errstr);
1455
1456 state->host = host;
1457
1458 state->tls_certificate = certificate;
1459 state->tls_privatekey = privatekey;
1460 state->tls_require_ciphers = require_ciphers;
1461 state->tls_sni = sni;
1462 state->tls_verify_certificates = cas;
1463 state->tls_crl = crl;
1464
1465 /* This handles the variables that might get re-expanded after TLS SNI;
1466 that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
1467
1468 DEBUG(D_tls)
1469 debug_printf("Expanding various TLS configuration options for session credentials.\n");
1470 if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
1471
1472 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1473 requires a new structure afterwards. */
1474
1475 if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
1476
1477 /* set SNI in client, only */
1478 if (host)
1479 {
1480 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
1481 return DEFER;
1482 if (state->tlsp->sni && *state->tlsp->sni)
1483 {
1484 DEBUG(D_tls)
1485 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1486 sz = Ustrlen(state->tlsp->sni);
1487 if ((rc = gnutls_server_name_set(state->session,
1488 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
1489 return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
1490 }
1491 }
1492 else if (state->tls_sni)
1493 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1494 "have an SNI set for a server [%s]\n", state->tls_sni);
1495
1496 /* This is the priority string support,
1497 http://www.gnutls.org/manual/html_node/Priority-Strings.html
1498 and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1499 This was backwards incompatible, but means Exim no longer needs to track
1500 all algorithms and provide string forms for them. */
1501
1502 p = NULL;
1503 if (state->tls_require_ciphers && *state->tls_require_ciphers)
1504 {
1505 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
1506 return DEFER;
1507 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
1508 {
1509 p = state->exp_tls_require_ciphers;
1510 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
1511 }
1512 }
1513 if (!p)
1514 {
1515 p = exim_default_gnutls_priority;
1516 DEBUG(D_tls)
1517 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
1518 }
1519
1520 if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
1521 return tls_error_gnu(string_sprintf(
1522 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1523 p, errpos - CS p, errpos),
1524 rc, host, errstr);
1525
1526 if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
1527 return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
1528
1529 /* This also sets the server ticket expiration time to the same, and
1530 the STEK rotation time to 3x. */
1531
1532 gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1533
1534 /* Reduce security in favour of increased compatibility, if the admin
1535 decides to make that trade-off. */
1536 if (gnutls_compat_mode)
1537 {
1538 #if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1539 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1540 gnutls_session_enable_compatibility_mode(state->session);
1541 #else
1542 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1543 #endif
1544 }
1545
1546 *caller_state = state;
1547 return OK;
1548 }
1549
1550
1551
1552 /*************************************************
1553 * Extract peer information *
1554 *************************************************/
1555
1556 static const uschar *
1557 cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
1558 gnutls_mac_algorithm_t mac)
1559 {
1560 uschar cs_id[2];
1561 gnutls_kx_algorithm_t kx_i;
1562 gnutls_cipher_algorithm_t cipher_i;
1563 gnutls_mac_algorithm_t mac_i;
1564
1565 for (size_t i = 0;
1566 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
1567 i++)
1568 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
1569 return cipher_stdname(cs_id[0], cs_id[1]);
1570 return NULL;
1571 }
1572
1573
1574
1575 /* Called from both server and client code.
1576 Only this is allowed to set state->peerdn and state->have_set_peerdn
1577 and we use that to detect double-calls.
1578
1579 NOTE: the state blocks last while the TLS connection is up, which is fine
1580 for logging in the server side, but for the client side, we log after teardown
1581 in src/deliver.c. While the session is up, we can twist about states and
1582 repoint tls_* globals, but those variables used for logging or other variable
1583 expansion that happens _after_ delivery need to have a longer life-time.
1584
1585 So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1586 doing this more than once per generation of a state context. We set them in
1587 the state context, and repoint tls_* to them. After the state goes away, the
1588 tls_* copies of the pointers remain valid and client delivery logging is happy.
1589
1590 tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1591 don't apply.
1592
1593 Arguments:
1594 state exim_gnutls_state_st *
1595 errstr pointer to error string
1596
1597 Returns: OK/DEFER/FAIL
1598 */
1599
1600 static int
1601 peer_status(exim_gnutls_state_st * state, uschar ** errstr)
1602 {
1603 gnutls_session_t session = state->session;
1604 const gnutls_datum_t * cert_list;
1605 int old_pool, rc;
1606 unsigned int cert_list_size = 0;
1607 gnutls_protocol_t protocol;
1608 gnutls_cipher_algorithm_t cipher;
1609 gnutls_kx_algorithm_t kx;
1610 gnutls_mac_algorithm_t mac;
1611 gnutls_certificate_type_t ct;
1612 gnutls_x509_crt_t crt;
1613 uschar * dn_buf;
1614 size_t sz;
1615
1616 if (state->have_set_peerdn)
1617 return OK;
1618 state->have_set_peerdn = TRUE;
1619
1620 state->peerdn = NULL;
1621
1622 /* tls_cipher */
1623 cipher = gnutls_cipher_get(session);
1624 protocol = gnutls_protocol_get_version(session);
1625 mac = gnutls_mac_get(session);
1626 kx =
1627 #ifdef GNUTLS_TLS1_3
1628 protocol >= GNUTLS_TLS1_3 ? 0 :
1629 #endif
1630 gnutls_kx_get(session);
1631
1632 old_pool = store_pool;
1633 {
1634 tls_support * tlsp = state->tlsp;
1635 store_pool = POOL_PERM;
1636
1637 #ifdef SUPPORT_GNUTLS_SESS_DESC
1638 {
1639 gstring * g = NULL;
1640 uschar * s = US gnutls_session_get_desc(session), c;
1641
1642 /* Nikos M suggests we use this by preference. It returns like:
1643 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
1644
1645 For partial back-compat, put a colon after the TLS version, replace the
1646 )-( grouping with __, replace in-group - with _ and append the :keysize. */
1647
1648 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
1649
1650 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
1651 g = string_catn(g, US":", 1);
1652 if (*s) s++; /* now on _ between groups */
1653 while ((c = *s))
1654 {
1655 for (*++s && ++s; (c = *s) && c != ')'; s++) g = string_catn(g, c == '-' ? US"_" : s, 1);
1656 /* now on ) closing group */
1657 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
1658 /* now on _ between groups */
1659 }
1660 g = string_catn(g, US":", 1);
1661 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
1662 state->ciphersuite = string_from_gstring(g);
1663 }
1664 #else
1665 state->ciphersuite = string_sprintf("%s:%s:%d",
1666 gnutls_protocol_get_name(protocol),
1667 gnutls_cipher_suite_get_name(kx, cipher, mac),
1668 (int) gnutls_cipher_get_key_size(cipher) * 8);
1669
1670 /* I don't see a way that spaces could occur, in the current GnuTLS
1671 code base, but it was a concern in the old code and perhaps older GnuTLS
1672 releases did return "TLS 1.0"; play it safe, just in case. */
1673
1674 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
1675 #endif
1676
1677 /* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
1678
1679 tlsp->cipher = state->ciphersuite;
1680 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
1681
1682 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
1683 }
1684 store_pool = old_pool;
1685
1686 /* tls_peerdn */
1687 cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1688
1689 if (!cert_list || cert_list_size == 0)
1690 {
1691 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1692 cert_list, cert_list_size);
1693 if (state->verify_requirement >= VERIFY_REQUIRED)
1694 return tls_error(US"certificate verification failed",
1695 US"no certificate received from peer", state->host, errstr);
1696 return OK;
1697 }
1698
1699 if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
1700 {
1701 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
1702 DEBUG(D_tls)
1703 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
1704 if (state->verify_requirement >= VERIFY_REQUIRED)
1705 return tls_error(US"certificate verification not possible, unhandled type",
1706 ctn, state->host, errstr);
1707 return OK;
1708 }
1709
1710 #define exim_gnutls_peer_err(Label) \
1711 do { \
1712 if (rc != GNUTLS_E_SUCCESS) \
1713 { \
1714 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1715 (Label), gnutls_strerror(rc)); \
1716 if (state->verify_requirement >= VERIFY_REQUIRED) \
1717 return tls_error_gnu((Label), rc, state->host, errstr); \
1718 return OK; \
1719 } \
1720 } while (0)
1721
1722 rc = import_cert(&cert_list[0], &crt);
1723 exim_gnutls_peer_err(US"cert 0");
1724
1725 state->tlsp->peercert = state->peercert = crt;
1726
1727 sz = 0;
1728 rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1729 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
1730 {
1731 exim_gnutls_peer_err(US"getting size for cert DN failed");
1732 return FAIL; /* should not happen */
1733 }
1734 dn_buf = store_get_perm(sz, TRUE); /* tainted */
1735 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1736 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
1737
1738 state->peerdn = dn_buf;
1739
1740 return OK;
1741 #undef exim_gnutls_peer_err
1742 }
1743
1744
1745
1746
1747 /*************************************************
1748 * Verify peer certificate *
1749 *************************************************/
1750
1751 /* Called from both server and client code.
1752 *Should* be using a callback registered with
1753 gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1754 the peer information, but that's too new for some OSes.
1755
1756 Arguments:
1757 state exim_gnutls_state_st *
1758 errstr where to put an error message
1759
1760 Returns:
1761 FALSE if the session should be rejected
1762 TRUE if the cert is okay or we just don't care
1763 */
1764
1765 static BOOL
1766 verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
1767 {
1768 int rc;
1769 uint verify;
1770
1771 DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
1772 *errstr = NULL;
1773 rc = peer_status(state, errstr);
1774
1775 if (state->verify_requirement == VERIFY_NONE)
1776 return TRUE;
1777
1778 if (rc != OK || !state->peerdn)
1779 {
1780 verify = GNUTLS_CERT_INVALID;
1781 *errstr = US"certificate not supplied";
1782 }
1783 else
1784
1785 {
1786 #ifdef SUPPORT_DANE
1787 if (state->verify_requirement == VERIFY_DANE && state->host)
1788 {
1789 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1790 including talking to a DNS resolver. But we want to do that bit ourselves
1791 as the testsuite intercepts and fakes its own DNS environment. */
1792
1793 dane_state_t s;
1794 dane_query_t r;
1795 uint lsize;
1796 const gnutls_datum_t * certlist =
1797 gnutls_certificate_get_peers(state->session, &lsize);
1798 int usage = tls_out.tlsa_usage;
1799
1800 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
1801 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1802 dane-verification separately so that we know which selector verified;
1803 then we know whether to do name-verification (needed for TA but not EE). */
1804
1805 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
1806 { /* a mixed-usage bundle */
1807 int i, j, nrec;
1808 const char ** dd;
1809 int * ddl;
1810
1811 for(nrec = 0; state->dane_data_len[nrec]; ) nrec++;
1812 nrec++;
1813
1814 dd = store_get(nrec * sizeof(uschar *), FALSE);
1815 ddl = store_get(nrec * sizeof(int), FALSE);
1816 nrec--;
1817
1818 if ((rc = dane_state_init(&s, 0)))
1819 goto tlsa_prob;
1820
1821 for (usage = DANESSL_USAGE_DANE_EE;
1822 usage >= DANESSL_USAGE_DANE_TA; usage--)
1823 { /* take records with this usage */
1824 for (j = i = 0; i < nrec; i++)
1825 if (state->dane_data[i][0] == usage)
1826 {
1827 dd[j] = state->dane_data[i];
1828 ddl[j++] = state->dane_data_len[i];
1829 }
1830 if (j)
1831 {
1832 dd[j] = NULL;
1833 ddl[j] = 0;
1834
1835 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1836 goto tlsa_prob;
1837
1838 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1839 gnutls_certificate_type_get(state->session),
1840 r, 0,
1841 usage == DANESSL_USAGE_DANE_EE
1842 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1843 &verify)))
1844 {
1845 DEBUG(D_tls)
1846 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1847 }
1848 else if (verify == 0) /* verification passed */
1849 {
1850 usage = 1 << usage;
1851 break;
1852 }
1853 }
1854 }
1855
1856 if (rc) goto tlsa_prob;
1857 }
1858 else
1859 # endif
1860 {
1861 if ( (rc = dane_state_init(&s, 0))
1862 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
1863 1, 0))
1864 || (rc = dane_verify_crt_raw(s, certlist, lsize,
1865 gnutls_certificate_type_get(state->session),
1866 r, 0,
1867 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
1868 usage == (1 << DANESSL_USAGE_DANE_EE)
1869 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1870 # else
1871 0,
1872 # endif
1873 &verify))
1874 )
1875 goto tlsa_prob;
1876 }
1877
1878 if (verify != 0) /* verification failed */
1879 {
1880 gnutls_datum_t str;
1881 (void) dane_verification_status_print(verify, &str, 0);
1882 *errstr = US str.data; /* don't bother to free */
1883 goto badcert;
1884 }
1885
1886 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
1887 /* If a TA-mode TLSA record was used for verification we must additionally
1888 verify the cert name (but not the CA chain). For EE-mode, skip it. */
1889
1890 if (usage & (1 << DANESSL_USAGE_DANE_EE))
1891 # endif
1892 {
1893 state->peer_dane_verified = state->peer_cert_verified = TRUE;
1894 goto goodcert;
1895 }
1896 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
1897 /* Assume that the name on the A-record is the one that should be matching
1898 the cert. An alternate view is that the domain part of the email address
1899 is also permissible. */
1900
1901 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
1902 CS state->host->name))
1903 {
1904 state->peer_dane_verified = state->peer_cert_verified = TRUE;
1905 goto goodcert;
1906 }
1907 # endif
1908 }
1909 #endif /*SUPPORT_DANE*/
1910
1911 rc = gnutls_certificate_verify_peers2(state->session, &verify);
1912 }
1913
1914 /* Handle the result of verification. INVALID is set if any others are. */
1915
1916 if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
1917 {
1918 state->peer_cert_verified = FALSE;
1919 if (!*errstr)
1920 {
1921 #ifdef GNUTLS_CERT_VFY_STATUS_PRINT
1922 DEBUG(D_tls)
1923 {
1924 gnutls_datum_t txt;
1925
1926 if (gnutls_certificate_verification_status_print(verify,
1927 gnutls_certificate_type_get(state->session), &txt, 0)
1928 == GNUTLS_E_SUCCESS)
1929 {
1930 debug_printf("%s\n", txt.data);
1931 gnutls_free(txt.data);
1932 }
1933 }
1934 #endif
1935 *errstr = verify & GNUTLS_CERT_REVOKED
1936 ? US"certificate revoked" : US"certificate invalid";
1937 }
1938
1939 DEBUG(D_tls)
1940 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
1941 *errstr, state->peerdn ? state->peerdn : US"<unset>");
1942
1943 if (state->verify_requirement >= VERIFY_REQUIRED)
1944 goto badcert;
1945 DEBUG(D_tls)
1946 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
1947 }
1948
1949 else
1950 {
1951 /* Client side, check the server's certificate name versus the name on the
1952 A-record for the connection we made. What to do for server side - what name
1953 to use for client? We document that there is no such checking for server
1954 side. */
1955
1956 if ( state->exp_tls_verify_cert_hostnames
1957 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
1958 CS state->exp_tls_verify_cert_hostnames)
1959 )
1960 {
1961 DEBUG(D_tls)
1962 debug_printf("TLS certificate verification failed: cert name mismatch\n");
1963 if (state->verify_requirement >= VERIFY_REQUIRED)
1964 goto badcert;
1965 return TRUE;
1966 }
1967
1968 state->peer_cert_verified = TRUE;
1969 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
1970 state->peerdn ? state->peerdn : US"<unset>");
1971 }
1972
1973 goodcert:
1974 state->tlsp->peerdn = state->peerdn;
1975 return TRUE;
1976
1977 #ifdef SUPPORT_DANE
1978 tlsa_prob:
1979 *errstr = string_sprintf("TLSA record problem: %s",
1980 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
1981 #endif
1982
1983 badcert:
1984 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1985 return FALSE;
1986 }
1987
1988
1989
1990
1991 /* ------------------------------------------------------------------------ */
1992 /* Callbacks */
1993
1994 /* Logging function which can be registered with
1995 * gnutls_global_set_log_function()
1996 * gnutls_global_set_log_level() 0..9
1997 */
1998 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1999 static void
2000 exim_gnutls_logger_cb(int level, const char *message)
2001 {
2002 size_t len = strlen(message);
2003 if (len < 1)
2004 {
2005 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
2006 return;
2007 }
2008 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
2009 message[len-1] == '\n' ? "" : "\n");
2010 }
2011 #endif
2012
2013
2014 /* Called after client hello, should handle SNI work.
2015 This will always set tls_sni (state->received_sni) if available,
2016 and may trigger presenting different certificates,
2017 if state->trigger_sni_changes is TRUE.
2018
2019 Should be registered with
2020 gnutls_handshake_set_post_client_hello_function()
2021
2022 "This callback must return 0 on success or a gnutls error code to terminate the
2023 handshake.".
2024
2025 For inability to get SNI information, we return 0.
2026 We only return non-zero if re-setup failed.
2027 Only used for server-side TLS.
2028 */
2029
2030 static int
2031 exim_sni_handling_cb(gnutls_session_t session)
2032 {
2033 char sni_name[MAX_HOST_LEN];
2034 size_t data_len = MAX_HOST_LEN;
2035 exim_gnutls_state_st *state = &state_server;
2036 unsigned int sni_type;
2037 int rc, old_pool;
2038 uschar * dummy_errstr;
2039
2040 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
2041 if (rc != GNUTLS_E_SUCCESS)
2042 {
2043 DEBUG(D_tls)
2044 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
2045 debug_printf("TLS: no SNI presented in handshake.\n");
2046 else
2047 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
2048 gnutls_strerror(rc), rc);
2049 return 0;
2050 }
2051
2052 if (sni_type != GNUTLS_NAME_DNS)
2053 {
2054 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
2055 return 0;
2056 }
2057
2058 /* We now have a UTF-8 string in sni_name */
2059 old_pool = store_pool;
2060 store_pool = POOL_PERM;
2061 state->received_sni = string_copy_taint(US sni_name, TRUE);
2062 store_pool = old_pool;
2063
2064 /* We set this one now so that variable expansions below will work */
2065 state->tlsp->sni = state->received_sni;
2066
2067 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
2068 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
2069
2070 if (!state->trigger_sni_changes)
2071 return 0;
2072
2073 if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
2074 {
2075 /* If the setup of certs/etc failed before handshake, TLS would not have
2076 been offered. The best we can do now is abort. */
2077 return GNUTLS_E_APPLICATION_ERROR_MIN;
2078 }
2079
2080 rc = tls_set_remaining_x509(state, &dummy_errstr);
2081 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
2082
2083 return 0;
2084 }
2085
2086
2087
2088 #if !defined(DISABLE_OCSP)
2089
2090 static int
2091 server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
2092 gnutls_datum_t * ocsp_response)
2093 {
2094 int ret;
2095 DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
2096
2097 if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
2098 {
2099 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
2100 CS ptr);
2101 tls_in.ocsp = OCSP_NOT_RESP;
2102 return GNUTLS_E_NO_CERTIFICATE_STATUS;
2103 }
2104
2105 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
2106 return 0;
2107 }
2108
2109 #endif
2110
2111
2112 #ifndef DISABLE_EVENT
2113 /*
2114 We use this callback to get observability and detail-level control
2115 for an exim TLS connection (either direction), raising a tls:cert event
2116 for each cert in the chain presented by the peer. Any event
2117 can deny verification.
2118
2119 Return 0 for the handshake to continue or non-zero to terminate.
2120 */
2121
2122 static int
2123 verify_cb(gnutls_session_t session)
2124 {
2125 const gnutls_datum_t * cert_list;
2126 unsigned int cert_list_size = 0;
2127 gnutls_x509_crt_t crt;
2128 int rc;
2129 uschar * yield;
2130 exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2131
2132 if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
2133 while (cert_list_size--)
2134 {
2135 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
2136 {
2137 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2138 cert_list_size, gnutls_strerror(rc));
2139 break;
2140 }
2141
2142 state->tlsp->peercert = crt;
2143 if ((yield = event_raise(state->event_action,
2144 US"tls:cert", string_sprintf("%d", cert_list_size))))
2145 {
2146 log_write(0, LOG_MAIN,
2147 "SSL verify denied by event-action: depth=%d: %s",
2148 cert_list_size, yield);
2149 return 1; /* reject */
2150 }
2151 state->tlsp->peercert = NULL;
2152 }
2153
2154 return 0;
2155 }
2156
2157 #endif
2158
2159
2160 static gstring *
2161 ddump(gnutls_datum_t * d)
2162 {
2163 gstring * g = string_get((d->size+1) * 2);
2164 uschar * s = d->data;
2165 for (unsigned i = d->size; i > 0; i--, s++)
2166 {
2167 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2168 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2169 }
2170 return g;
2171 }
2172
2173 static void
2174 post_handshake_debug(exim_gnutls_state_st * state)
2175 {
2176 #ifdef SUPPORT_GNUTLS_SESS_DESC
2177 debug_printf("%s\n", gnutls_session_get_desc(state->session));
2178 #endif
2179 #ifdef SUPPORT_GNUTLS_KEYLOG
2180 # ifdef GNUTLS_TLS1_3
2181 if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
2182 #else
2183 if (TRUE)
2184 #endif
2185 {
2186 gnutls_datum_t c, s;
2187 gstring * gc, * gs;
2188 /* we only want the client random and the master secret */
2189 gnutls_session_get_random(state->session, &c, &s);
2190 gnutls_session_get_master_secret(state->session, &s);
2191 gc = ddump(&c);
2192 gs = ddump(&s);
2193 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2194 }
2195 else
2196 debug_printf("To get keying info for TLS1.3 is hard:\n"
2197 " set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n"
2198 " add SSLKEYLOGFILE to keep_environment in the exim config\n"
2199 " run exim as root\n"
2200 " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n");
2201 #endif
2202 }
2203
2204
2205 #ifdef EXPERIMENTAL_TLS_RESUME
2206 static int
2207 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2208 unsigned incoming, const gnutls_datum_t * msg)
2209 {
2210 DEBUG(D_tls) debug_printf("newticket cb\n");
2211 tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2212 return 0;
2213 }
2214
2215 static void
2216 tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2217 {
2218 /* Should the server offer session resumption? */
2219 tls_in.resumption = RESUME_SUPPORTED;
2220 if (verify_check_host(&tls_resumption_hosts) == OK)
2221 {
2222 int rc;
2223 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2224 an offered resumption is unacceptable. We lose one resumption per ticket
2225 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2226 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2227 least they go out in a single packet. */
2228
2229 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2230 &server_sessticket_key)))
2231 tls_in.resumption |= RESUME_SERVER_TICKET;
2232 else
2233 DEBUG(D_tls)
2234 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2235
2236 /* Try to tell if we see a ticket request */
2237 gnutls_handshake_set_hook_function(state->session,
2238 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
2239 }
2240 }
2241
2242 static void
2243 tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2244 {
2245 if (gnutls_session_resumption_requested(state->session))
2246 {
2247 /* This tells us the client sent a full ticket. We use a
2248 callback on session-ticket request, elsewhere, to tell
2249 if a client asked for a ticket. */
2250
2251 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2252 DEBUG(D_tls) debug_printf("client requested resumption\n");
2253 }
2254 if (gnutls_session_is_resumed(state->session))
2255 {
2256 tls_in.resumption |= RESUME_USED;
2257 DEBUG(D_tls) debug_printf("Session resumed\n");
2258 }
2259 }
2260 #endif
2261 /* ------------------------------------------------------------------------ */
2262 /* Exported functions */
2263
2264
2265
2266
2267 /*************************************************
2268 * Start a TLS session in a server *
2269 *************************************************/
2270
2271 /* This is called when Exim is running as a server, after having received
2272 the STARTTLS command. It must respond to that command, and then negotiate
2273 a TLS session.
2274
2275 Arguments:
2276 require_ciphers list of allowed ciphers or NULL
2277 errstr pointer to error string
2278
2279 Returns: OK on success
2280 DEFER for errors before the start of the negotiation
2281 FAIL for errors during the negotiation; the server can't
2282 continue running.
2283 */
2284
2285 int
2286 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2287 {
2288 int rc;
2289 exim_gnutls_state_st * state = NULL;
2290
2291 /* Check for previous activation */
2292 if (tls_in.active.sock >= 0)
2293 {
2294 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
2295 smtp_printf("554 Already in TLS\r\n", FALSE);
2296 return FAIL;
2297 }
2298
2299 /* Initialize the library. If it fails, it will already have logged the error
2300 and sent an SMTP response. */
2301
2302 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
2303
2304 if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
2305 NULL, tls_verify_certificates, tls_crl,
2306 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
2307
2308 #ifdef EXPERIMENTAL_TLS_RESUME
2309 tls_server_resume_prehandshake(state);
2310 #endif
2311
2312 /* If this is a host for which certificate verification is mandatory or
2313 optional, set up appropriately. */
2314
2315 if (verify_check_host(&tls_verify_hosts) == OK)
2316 {
2317 DEBUG(D_tls)
2318 debug_printf("TLS: a client certificate will be required.\n");
2319 state->verify_requirement = VERIFY_REQUIRED;
2320 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2321 }
2322 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2323 {
2324 DEBUG(D_tls)
2325 debug_printf("TLS: a client certificate will be requested but not required.\n");
2326 state->verify_requirement = VERIFY_OPTIONAL;
2327 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2328 }
2329 else
2330 {
2331 DEBUG(D_tls)
2332 debug_printf("TLS: a client certificate will not be requested.\n");
2333 state->verify_requirement = VERIFY_NONE;
2334 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2335 }
2336
2337 #ifndef DISABLE_EVENT
2338 if (event_action)
2339 {
2340 state->event_action = event_action;
2341 gnutls_session_set_ptr(state->session, state);
2342 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2343 }
2344 #endif
2345
2346 /* Register SNI handling; always, even if not in tls_certificate, so that the
2347 expansion variable $tls_sni is always available. */
2348
2349 gnutls_handshake_set_post_client_hello_function(state->session,
2350 exim_sni_handling_cb);
2351
2352 /* Set context and tell client to go ahead, except in the case of TLS startup
2353 on connection, where outputting anything now upsets the clients and tends to
2354 make them disconnect. We need to have an explicit fflush() here, to force out
2355 the response. Other smtp_printf() calls do not need it, because in non-TLS
2356 mode, the fflush() happens when smtp_getc() is called. */
2357
2358 if (!state->tlsp->on_connect)
2359 {
2360 smtp_printf("220 TLS go ahead\r\n", FALSE);
2361 fflush(smtp_out);
2362 }
2363
2364 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2365 that the GnuTLS library doesn't.
2366 From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2367 to set (and clear down afterwards) up a pull-timeout callback function that does
2368 a select, so we're no better off unless avoiding signals becomes an issue. */
2369
2370 gnutls_transport_set_ptr2(state->session,
2371 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2372 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
2373 state->fd_in = fileno(smtp_in);
2374 state->fd_out = fileno(smtp_out);
2375
2376 sigalrm_seen = FALSE;
2377 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2378 do
2379 rc = gnutls_handshake(state->session);
2380 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
2381 ALARM_CLR(0);
2382
2383 if (rc != GNUTLS_E_SUCCESS)
2384 {
2385 /* It seems that, except in the case of a timeout, we have to close the
2386 connection right here; otherwise if the other end is running OpenSSL it hangs
2387 until the server times out. */
2388
2389 if (sigalrm_seen)
2390 {
2391 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
2392 gnutls_db_remove_session(state->session);
2393 }
2394 else
2395 {
2396 tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
2397 (void) gnutls_alert_send_appropriate(state->session, rc);
2398 gnutls_deinit(state->session);
2399 gnutls_certificate_free_credentials(state->x509_cred);
2400 millisleep(500);
2401 shutdown(state->fd_out, SHUT_WR);
2402 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
2403 (void)fclose(smtp_out);
2404 (void)fclose(smtp_in);
2405 smtp_out = smtp_in = NULL;
2406 }
2407
2408 return FAIL;
2409 }
2410
2411 #ifdef EXPERIMENTAL_TLS_RESUME
2412 tls_server_resume_posthandshake(state);
2413 #endif
2414
2415 DEBUG(D_tls) post_handshake_debug(state);
2416
2417 /* Verify after the fact */
2418
2419 if (!verify_certificate(state, errstr))
2420 {
2421 if (state->verify_requirement != VERIFY_OPTIONAL)
2422 {
2423 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
2424 return FAIL;
2425 }
2426 DEBUG(D_tls)
2427 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
2428 *errstr);
2429 }
2430
2431 /* Sets various Exim expansion variables; always safe within server */
2432
2433 extract_exim_vars_from_tls_state(state);
2434
2435 /* TLS has been set up. Adjust the input functions to read via TLS,
2436 and initialize appropriately. */
2437
2438 state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2439
2440 receive_getc = tls_getc;
2441 receive_getbuf = tls_getbuf;
2442 receive_get_cache = tls_get_cache;
2443 receive_ungetc = tls_ungetc;
2444 receive_feof = tls_feof;
2445 receive_ferror = tls_ferror;
2446 receive_smtp_buffered = tls_smtp_buffered;
2447
2448 return OK;
2449 }
2450
2451
2452
2453
2454 static void
2455 tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2456 smtp_transport_options_block * ob)
2457 {
2458 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2459 {
2460 state->exp_tls_verify_cert_hostnames =
2461 #ifdef SUPPORT_I18N
2462 string_domain_utf8_to_alabel(host->name, NULL);
2463 #else
2464 host->name;
2465 #endif
2466 DEBUG(D_tls)
2467 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2468 state->exp_tls_verify_cert_hostnames);
2469 }
2470 }
2471
2472
2473
2474
2475 #ifdef SUPPORT_DANE
2476 /* Given our list of RRs from the TLSA lookup, build a lookup block in
2477 GnuTLS-DANE's preferred format. Hang it on the state str for later
2478 use in DANE verification.
2479
2480 We point at the dnsa data not copy it, so it must remain valid until
2481 after verification is done.*/
2482
2483 static BOOL
2484 dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2485 {
2486 dns_scan dnss;
2487 int i;
2488 const char ** dane_data;
2489 int * dane_data_len;
2490
2491 i = 1;
2492 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2493 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2494 ) if (rr->type == T_TLSA) i++;
2495
2496 dane_data = store_get(i * sizeof(uschar *), FALSE);
2497 dane_data_len = store_get(i * sizeof(int), FALSE);
2498
2499 i = 0;
2500 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2501 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2502 ) if (rr->type == T_TLSA && rr->size > 3)
2503 {
2504 const uschar * p = rr->data;
2505 /*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
2506 uint8_t usage = p[0], sel = p[1], type = p[2];
2507
2508 DEBUG(D_tls)
2509 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2510
2511 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2512 || (sel != 0 && sel != 1)
2513 )
2514 continue;
2515 switch(type)
2516 {
2517 case 0: /* Full: cannot check at present */
2518 break;
2519 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2520 break;
2521 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2522 break;
2523 default: continue;
2524 }
2525
2526 tls_out.tlsa_usage |= 1<<usage;
2527 dane_data[i] = CS p;
2528 dane_data_len[i++] = rr->size;
2529 }
2530
2531 if (!i) return FALSE;
2532
2533 dane_data[i] = NULL;
2534 dane_data_len[i] = 0;
2535
2536 state->dane_data = (char * const *)dane_data;
2537 state->dane_data_len = dane_data_len;
2538 return TRUE;
2539 }
2540 #endif
2541
2542
2543
2544 #ifdef EXPERIMENTAL_TLS_RESUME
2545 /* On the client, get any stashed session for the given IP from hints db
2546 and apply it to the ssl-connection for attempted resumption. Although
2547 there is a gnutls_session_ticket_enable_client() interface it is
2548 documented as unnecessary (as of 3.6.7) as "session tickets are emabled
2549 by deafult". There seems to be no way to disable them, so even hosts not
2550 enabled by the transport option will be sent a ticket request. We will
2551 however avoid storing and retrieving session information. */
2552
2553 static void
2554 tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
2555 host_item * host, smtp_transport_options_block * ob)
2556 {
2557 tlsp->resumption = RESUME_SUPPORTED;
2558 if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2559 {
2560 dbdata_tls_session * dt;
2561 int len, rc;
2562 open_db dbblock, * dbm_file;
2563
2564 DEBUG(D_tls)
2565 debug_printf("check for resumable session for %s\n", host->address);
2566 tlsp->host_resumable = TRUE;
2567 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2568 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2569 {
2570 /* Key for the db is the IP. We'd like to filter the retrieved session
2571 for ticket advisory expiry, but 3.6.1 seems to give no access to that */
2572
2573 if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
2574 if (!(rc = gnutls_session_set_data(session,
2575 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
2576 {
2577 DEBUG(D_tls) debug_printf("good session\n");
2578 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2579 }
2580 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
2581 US gnutls_strerror(rc));
2582 dbfn_close(dbm_file);
2583 }
2584 }
2585 }
2586
2587
2588 static void
2589 tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
2590 {
2591 /* TLS 1.2 - we get both the callback and the direct posthandshake call,
2592 but this flag is not set until the second. TLS 1.3 it's the other way about.
2593 Keep both calls as the session data cannot be extracted before handshake
2594 completes. */
2595
2596 if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
2597 {
2598 gnutls_datum_t tkt;
2599 int rc;
2600
2601 DEBUG(D_tls) debug_printf("server offered session ticket\n");
2602 tlsp->ticket_received = TRUE;
2603 tlsp->resumption |= RESUME_SERVER_TICKET;
2604
2605 if (tlsp->host_resumable)
2606 if (!(rc = gnutls_session_get_data2(session, &tkt)))
2607 {
2608 open_db dbblock, * dbm_file;
2609 int dlen = sizeof(dbdata_tls_session) + tkt.size;
2610 dbdata_tls_session * dt = store_get(dlen, TRUE);
2611
2612 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
2613 memcpy(dt->session, tkt.data, tkt.size);
2614 gnutls_free(tkt.data);
2615
2616 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2617 {
2618 /* key for the db is the IP */
2619 dbfn_delete(dbm_file, host->address);
2620 dbfn_write(dbm_file, host->address, dt, dlen);
2621 dbfn_close(dbm_file);
2622
2623 DEBUG(D_tls)
2624 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
2625 }
2626 }
2627 else DEBUG(D_tls)
2628 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
2629 }
2630 }
2631
2632
2633 /* With a TLS1.3 session, the ticket(s) are not seen until
2634 the first data read is attempted. And there's often two of them.
2635 Pick them up with this callback. We are also called for 1.2
2636 but we do nothing.
2637 */
2638 static int
2639 tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2640 unsigned incoming, const gnutls_datum_t * msg)
2641 {
2642 exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
2643 tls_support * tlsp = state->tlsp;
2644
2645 DEBUG(D_tls) debug_printf("newticket cb\n");
2646
2647 if (!tlsp->ticket_received)
2648 tls_save_session(tlsp, sess, state->host);
2649 return 0;
2650 }
2651
2652
2653 static void
2654 tls_client_resume_prehandshake(exim_gnutls_state_st * state,
2655 tls_support * tlsp, host_item * host,
2656 smtp_transport_options_block * ob)
2657 {
2658 gnutls_session_set_ptr(state->session, state);
2659 gnutls_handshake_set_hook_function(state->session,
2660 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
2661
2662 tls_retrieve_session(tlsp, state->session, host, ob);
2663 }
2664
2665 static void
2666 tls_client_resume_posthandshake(exim_gnutls_state_st * state,
2667 tls_support * tlsp, host_item * host)
2668 {
2669 if (gnutls_session_is_resumed(state->session))
2670 {
2671 DEBUG(D_tls) debug_printf("Session resumed\n");
2672 tlsp->resumption |= RESUME_USED;
2673 }
2674
2675 tls_save_session(tlsp, state->session, host);
2676 }
2677 #endif /* EXPERIMENTAL_TLS_RESUME */
2678
2679
2680 /*************************************************
2681 * Start a TLS session in a client *
2682 *************************************************/
2683
2684 /* Called from the smtp transport after STARTTLS has been accepted.
2685
2686 Arguments:
2687 cctx connection context
2688 conn_args connection details
2689 cookie datum for randomness (not used)
2690 tlsp record details of channel configuration here; must be non-NULL
2691 errstr error string pointer
2692
2693 Returns: TRUE for success with TLS session context set in smtp context,
2694 FALSE on error
2695 */
2696
2697 BOOL
2698 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2699 void * cookie ARG_UNUSED,
2700 tls_support * tlsp, uschar ** errstr)
2701 {
2702 host_item * host = conn_args->host; /* for msgs and option-tests */
2703 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2704 smtp_transport_options_block * ob = tb
2705 ? (smtp_transport_options_block *)tb->options_block
2706 : &smtp_transport_option_defaults;
2707 int rc;
2708 exim_gnutls_state_st * state = NULL;
2709 uschar * cipher_list = NULL;
2710
2711 #ifndef DISABLE_OCSP
2712 BOOL require_ocsp =
2713 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
2714 BOOL request_ocsp = require_ocsp ? TRUE
2715 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2716 #endif
2717
2718 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
2719
2720 #ifdef SUPPORT_DANE
2721 /* If dane is flagged, have either request or require dane for this host, and
2722 a TLSA record found. Therefore, dane verify required. Which implies cert must
2723 be requested and supplied, dane verify must pass, and cert verify irrelevant
2724 (incl. hostnames), and (caller handled) require_tls */
2725
2726 if (conn_args->dane && ob->dane_require_tls_ciphers)
2727 {
2728 /* not using expand_check_tlsvar because not yet in state */
2729 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2730 &cipher_list, errstr))
2731 return FALSE;
2732 cipher_list = cipher_list && *cipher_list
2733 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
2734 }
2735 #endif
2736
2737 if (!cipher_list)
2738 cipher_list = ob->tls_require_ciphers;
2739
2740 if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
2741 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
2742 cipher_list, &state, tlsp, errstr) != OK)
2743 return FALSE;
2744
2745 {
2746 int dh_min_bits = ob->tls_dh_min_bits;
2747 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2748 {
2749 DEBUG(D_tls)
2750 debug_printf("WARNING: tls_dh_min_bits far too low,"
2751 " clamping %d up to %d\n",
2752 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2753 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2754 }
2755
2756 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2757 " acceptable bits to %d\n",
2758 dh_min_bits);
2759 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2760 }
2761
2762 /* Stick to the old behaviour for compatibility if tls_verify_certificates is
2763 set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2764 the specified host patterns if one of them is defined */
2765
2766 #ifdef SUPPORT_DANE
2767 if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
2768 {
2769 DEBUG(D_tls)
2770 debug_printf("TLS: server certificate DANE required.\n");
2771 state->verify_requirement = VERIFY_DANE;
2772 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2773 }
2774 else
2775 #endif
2776 if ( ( state->exp_tls_verify_certificates
2777 && !ob->tls_verify_hosts
2778 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2779 )
2780 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2781 )
2782 {
2783 tls_client_setup_hostname_checks(host, state, ob);
2784 DEBUG(D_tls)
2785 debug_printf("TLS: server certificate verification required.\n");
2786 state->verify_requirement = VERIFY_REQUIRED;
2787 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2788 }
2789 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2790 {
2791 tls_client_setup_hostname_checks(host, state, ob);
2792 DEBUG(D_tls)
2793 debug_printf("TLS: server certificate verification optional.\n");
2794 state->verify_requirement = VERIFY_OPTIONAL;
2795 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2796 }
2797 else
2798 {
2799 DEBUG(D_tls)
2800 debug_printf("TLS: server certificate verification not required.\n");
2801 state->verify_requirement = VERIFY_NONE;
2802 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2803 }
2804
2805 #ifndef DISABLE_OCSP
2806 /* supported since GnuTLS 3.1.3 */
2807 if (request_ocsp)
2808 {
2809 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
2810 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2811 NULL, 0, NULL)) != OK)
2812 {
2813 tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
2814 return FALSE;
2815 }
2816 tlsp->ocsp = OCSP_NOT_RESP;
2817 }
2818 #endif
2819
2820 #ifdef EXPERIMENTAL_TLS_RESUME
2821 tls_client_resume_prehandshake(state, tlsp, host, ob);
2822 #endif
2823
2824 #ifndef DISABLE_EVENT
2825 if (tb && tb->event_action)
2826 {
2827 state->event_action = tb->event_action;
2828 gnutls_session_set_ptr(state->session, state);
2829 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2830 }
2831 #endif
2832
2833 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
2834 state->fd_in = cctx->sock;
2835 state->fd_out = cctx->sock;
2836
2837 DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
2838 /* There doesn't seem to be a built-in timeout on connection. */
2839
2840 sigalrm_seen = FALSE;
2841 ALARM(ob->command_timeout);
2842 do
2843 rc = gnutls_handshake(state->session);
2844 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
2845 ALARM_CLR(0);
2846
2847 if (rc != GNUTLS_E_SUCCESS)
2848 {
2849 if (sigalrm_seen)
2850 {
2851 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
2852 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
2853 }
2854 else
2855 tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
2856 return FALSE;
2857 }
2858
2859 DEBUG(D_tls) post_handshake_debug(state);
2860
2861 /* Verify late */
2862
2863 if (!verify_certificate(state, errstr))
2864 {
2865 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
2866 return FALSE;
2867 }
2868
2869 #ifndef DISABLE_OCSP
2870 if (request_ocsp)
2871 {
2872 DEBUG(D_tls)
2873 {
2874 gnutls_datum_t stapling;
2875 gnutls_ocsp_resp_t resp;
2876 gnutls_datum_t printed;
2877 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
2878 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
2879 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2880 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
2881 )
2882 {
2883 debug_printf("%.4096s", printed.data);
2884 gnutls_free(printed.data);
2885 }
2886 else
2887 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2888 }
2889
2890 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
2891 {
2892 tlsp->ocsp = OCSP_FAILED;
2893 tls_error(US"certificate status check failed", NULL, state->host, errstr);
2894 if (require_ocsp)
2895 return FALSE;
2896 }
2897 else
2898 {
2899 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
2900 tlsp->ocsp = OCSP_VFIED;
2901 }
2902 }
2903 #endif
2904
2905 #ifdef EXPERIMENTAL_TLS_RESUME
2906 tls_client_resume_posthandshake(state, tlsp, host);
2907 #endif
2908
2909 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
2910
2911 extract_exim_vars_from_tls_state(state);
2912
2913 cctx->tls_ctx = state;
2914 return TRUE;
2915 }
2916
2917
2918
2919
2920 /*************************************************
2921 * Close down a TLS session *
2922 *************************************************/
2923
2924 /* This is also called from within a delivery subprocess forked from the
2925 daemon, to shut down the TLS library, without actually doing a shutdown (which
2926 would tamper with the TLS session in the parent process).
2927
2928 Arguments:
2929 ct_ctx client context pointer, or NULL for the one global server context
2930 shutdown 1 if TLS close-alert is to be sent,
2931 2 if also response to be waited for
2932
2933 Returns: nothing
2934 */
2935
2936 void
2937 tls_close(void * ct_ctx, int shutdown)
2938 {
2939 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
2940 tls_support * tlsp = state->tlsp;
2941
2942 if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
2943
2944 if (shutdown)
2945 {
2946 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
2947 shutdown > 1 ? " (with response-wait)" : "");
2948
2949 ALARM(2);
2950 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
2951 ALARM_CLR(0);
2952 }
2953
2954 if (!ct_ctx) /* server */
2955 {
2956 receive_getc = smtp_getc;
2957 receive_getbuf = smtp_getbuf;
2958 receive_get_cache = smtp_get_cache;
2959 receive_ungetc = smtp_ungetc;
2960 receive_feof = smtp_feof;
2961 receive_ferror = smtp_ferror;
2962 receive_smtp_buffered = smtp_buffered;
2963 }
2964
2965 gnutls_deinit(state->session);
2966 gnutls_certificate_free_credentials(state->x509_cred);
2967
2968 tlsp->active.sock = -1;
2969 tlsp->active.tls_ctx = NULL;
2970 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
2971 tls_channelbinding_b64 = NULL;
2972
2973
2974 if (state->xfer_buffer) store_free(state->xfer_buffer);
2975 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
2976 }
2977
2978
2979
2980
2981 static BOOL
2982 tls_refill(unsigned lim)
2983 {
2984 exim_gnutls_state_st * state = &state_server;
2985 ssize_t inbytes;
2986
2987 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2988 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
2989
2990 sigalrm_seen = FALSE;
2991 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2992
2993 do
2994 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
2995 MIN(ssl_xfer_buffer_size, lim));
2996 while (inbytes == GNUTLS_E_AGAIN);
2997
2998 if (smtp_receive_timeout > 0) ALARM_CLR(0);
2999
3000 if (had_command_timeout) /* set by signal handler */
3001 smtp_command_timeout_exit(); /* does not return */
3002 if (had_command_sigterm)
3003 smtp_command_sigterm_exit();
3004 if (had_data_timeout)
3005 smtp_data_timeout_exit();
3006 if (had_data_sigint)
3007 smtp_data_sigint_exit();
3008
3009 /* Timeouts do not get this far. A zero-byte return appears to mean that the
3010 TLS session has been closed down, not that the socket itself has been closed
3011 down. Revert to non-TLS handling. */
3012
3013 if (sigalrm_seen)
3014 {
3015 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
3016 state->xfer_error = TRUE;
3017 return FALSE;
3018 }
3019
3020 else if (inbytes == 0)
3021 {
3022 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3023 tls_close(NULL, TLS_NO_SHUTDOWN);
3024 return FALSE;
3025 }
3026
3027 /* Handle genuine errors */
3028
3029 else if (inbytes < 0)
3030 {
3031 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
3032 record_io_error(state, (int) inbytes, US"recv", NULL);
3033 state->xfer_error = TRUE;
3034 return FALSE;
3035 }
3036 #ifndef DISABLE_DKIM
3037 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
3038 #endif
3039 state->xfer_buffer_hwm = (int) inbytes;
3040 state->xfer_buffer_lwm = 0;
3041 return TRUE;
3042 }
3043
3044 /*************************************************
3045 * TLS version of getc *
3046 *************************************************/
3047
3048 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
3049 it refills the buffer via the GnuTLS reading function.
3050 Only used by the server-side TLS.
3051
3052 This feeds DKIM and should be used for all message-body reads.
3053
3054 Arguments: lim Maximum amount to read/buffer
3055 Returns: the next character or EOF
3056 */
3057
3058 int
3059 tls_getc(unsigned lim)
3060 {
3061 exim_gnutls_state_st * state = &state_server;
3062
3063 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3064 if (!tls_refill(lim))
3065 return state->xfer_error ? EOF : smtp_getc(lim);
3066
3067 /* Something in the buffer; return next uschar */
3068
3069 return state->xfer_buffer[state->xfer_buffer_lwm++];
3070 }
3071
3072 uschar *
3073 tls_getbuf(unsigned * len)
3074 {
3075 exim_gnutls_state_st * state = &state_server;
3076 unsigned size;
3077 uschar * buf;
3078
3079 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3080 if (!tls_refill(*len))
3081 {
3082 if (!state->xfer_error) return smtp_getbuf(len);
3083 *len = 0;
3084 return NULL;
3085 }
3086
3087 if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
3088 size = *len;
3089 buf = &state->xfer_buffer[state->xfer_buffer_lwm];
3090 state->xfer_buffer_lwm += size;
3091 *len = size;
3092 return buf;
3093 }
3094
3095
3096 void
3097 tls_get_cache()
3098 {
3099 #ifndef DISABLE_DKIM
3100 exim_gnutls_state_st * state = &state_server;
3101 int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3102 if (n > 0)
3103 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
3104 #endif
3105 }
3106
3107
3108 BOOL
3109 tls_could_read(void)
3110 {
3111 return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3112 || gnutls_record_check_pending(state_server.session) > 0;
3113 }
3114
3115
3116
3117
3118 /*************************************************
3119 * Read bytes from TLS channel *
3120 *************************************************/
3121
3122 /* This does not feed DKIM, so if the caller uses this for reading message body,
3123 then the caller must feed DKIM.
3124
3125 Arguments:
3126 ct_ctx client context pointer, or NULL for the one global server context
3127 buff buffer of data
3128 len size of buffer
3129
3130 Returns: the number of bytes read
3131 -1 after a failed read, including EOF
3132 */
3133
3134 int
3135 tls_read(void * ct_ctx, uschar *buff, size_t len)
3136 {
3137 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3138 ssize_t inbytes;
3139
3140 if (len > INT_MAX)
3141 len = INT_MAX;
3142
3143 if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3144 DEBUG(D_tls)
3145 debug_printf("*** PROBABLY A BUG *** " \
3146 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3147 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3148
3149 DEBUG(D_tls)
3150 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
3151 state->session, buff, len);
3152
3153 do
3154 inbytes = gnutls_record_recv(state->session, buff, len);
3155 while (inbytes == GNUTLS_E_AGAIN);
3156
3157 if (inbytes > 0) return inbytes;
3158 if (inbytes == 0)
3159 {
3160 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3161 }
3162 else
3163 {
3164 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
3165 record_io_error(state, (int)inbytes, US"recv", NULL);
3166 }
3167
3168 return -1;
3169 }
3170
3171
3172
3173
3174 /*************************************************
3175 * Write bytes down TLS channel *
3176 *************************************************/
3177
3178 /*
3179 Arguments:
3180 ct_ctx client context pointer, or NULL for the one global server context
3181 buff buffer of data
3182 len number of bytes
3183 more more data expected soon
3184
3185 Returns: the number of bytes after a successful write,
3186 -1 after a failed write
3187 */
3188
3189 int
3190 tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
3191 {
3192 ssize_t outbytes;
3193 size_t left = len;
3194 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3195 #ifdef SUPPORT_CORK
3196 static BOOL corked = FALSE;
3197
3198 if (more && !corked) gnutls_record_cork(state->session);
3199 #endif
3200
3201 DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
3202 buff, left, more ? ", more" : "");
3203
3204 while (left > 0)
3205 {
3206 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
3207 buff, left);
3208
3209 do
3210 outbytes = gnutls_record_send(state->session, buff, left);
3211 while (outbytes == GNUTLS_E_AGAIN);
3212
3213 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
3214 if (outbytes < 0)
3215 {
3216 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
3217 record_io_error(state, outbytes, US"send", NULL);
3218 return -1;
3219 }
3220 if (outbytes == 0)
3221 {
3222 record_io_error(state, 0, US"send", US"TLS channel closed on write");
3223 return -1;
3224 }
3225
3226 left -= outbytes;
3227 buff += outbytes;
3228 }
3229
3230 if (len > INT_MAX)
3231 {
3232 DEBUG(D_tls)
3233 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
3234 len);
3235 len = INT_MAX;
3236 }
3237
3238 #ifdef SUPPORT_CORK
3239 if (more != corked)
3240 {
3241 if (!more) (void) gnutls_record_uncork(state->session, 0);
3242 corked = more;
3243 }
3244 #endif
3245
3246 return (int) len;
3247 }
3248
3249
3250
3251
3252 /*************************************************
3253 * Random number generation *
3254 *************************************************/
3255
3256 /* Pseudo-random number generation. The result is not expected to be
3257 cryptographically strong but not so weak that someone will shoot themselves
3258 in the foot using it as a nonce in input in some email header scheme or
3259 whatever weirdness they'll twist this into. The result should handle fork()
3260 and avoid repeating sequences. OpenSSL handles that for us.
3261
3262 Arguments:
3263 max range maximum
3264 Returns a random number in range [0, max-1]
3265 */
3266
3267 #ifdef HAVE_GNUTLS_RND
3268 int
3269 vaguely_random_number(int max)
3270 {
3271 unsigned int r;
3272 int i, needed_len;
3273 uschar smallbuf[sizeof(r)];
3274
3275 if (max <= 1)
3276 return 0;
3277
3278 needed_len = sizeof(r);
3279 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3280 asked for a number less than 10. */
3281
3282 for (r = max, i = 0; r; ++i)
3283 r >>= 1;
3284 i = (i + 7) / 8;
3285 if (i < needed_len)
3286 needed_len = i;
3287
3288 i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
3289 if (i < 0)
3290 {
3291 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
3292 return vaguely_random_number_fallback(max);
3293 }
3294 r = 0;
3295 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3296 r = r * 256 + *p;
3297
3298 /* We don't particularly care about weighted results; if someone wants
3299 * smooth distribution and cares enough then they should submit a patch then. */
3300 return r % max;
3301 }
3302 #else /* HAVE_GNUTLS_RND */
3303 int
3304 vaguely_random_number(int max)
3305 {
3306 return vaguely_random_number_fallback(max);
3307 }
3308 #endif /* HAVE_GNUTLS_RND */
3309
3310
3311
3312
3313 /*************************************************
3314 * Let tls_require_ciphers be checked at startup *
3315 *************************************************/
3316
3317 /* The tls_require_ciphers option, if set, must be something which the
3318 library can parse.
3319
3320 Returns: NULL on success, or error message
3321 */
3322
3323 uschar *
3324 tls_validate_require_cipher(void)
3325 {
3326 int rc;
3327 uschar *expciphers = NULL;
3328 gnutls_priority_t priority_cache;
3329 const char *errpos;
3330 uschar * dummy_errstr;
3331
3332 #define validate_check_rc(Label) do { \
3333 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
3334 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3335 #define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
3336
3337 if (exim_gnutls_base_init_done)
3338 log_write(0, LOG_MAIN|LOG_PANIC,
3339 "already initialised GnuTLS, Exim developer bug");
3340
3341 #ifdef HAVE_GNUTLS_PKCS11
3342 if (!gnutls_allow_auto_pkcs11)
3343 {
3344 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
3345 validate_check_rc(US"gnutls_pkcs11_init");
3346 }
3347 #endif
3348 rc = gnutls_global_init();
3349 validate_check_rc(US"gnutls_global_init()");
3350 exim_gnutls_base_init_done = TRUE;
3351
3352 if (!(tls_require_ciphers && *tls_require_ciphers))
3353 return_deinit(NULL);
3354
3355 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3356 &dummy_errstr))
3357 return_deinit(US"failed to expand tls_require_ciphers");
3358
3359 if (!(expciphers && *expciphers))
3360 return_deinit(NULL);
3361
3362 DEBUG(D_tls)
3363 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3364
3365 rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
3366 validate_check_rc(string_sprintf(
3367 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
3368 expciphers, errpos - CS expciphers, errpos));
3369
3370 #undef return_deinit
3371 #undef validate_check_rc
3372 gnutls_global_deinit();
3373
3374 return NULL;
3375 }
3376
3377
3378
3379
3380 /*************************************************
3381 * Report the library versions. *
3382 *************************************************/
3383
3384 /* See a description in tls-openssl.c for an explanation of why this exists.
3385
3386 Arguments: a FILE* to print the results to
3387 Returns: nothing
3388 */
3389
3390 void
3391 tls_version_report(FILE *f)
3392 {
3393 fprintf(f, "Library version: GnuTLS: Compile: %s\n"
3394 " Runtime: %s\n",
3395 LIBGNUTLS_VERSION,
3396 gnutls_check_version(NULL));
3397 }
3398
3399 #endif /*!MACRO_PREDEF*/
3400 /* vi: aw ai sw=2
3401 */
3402 /* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.