projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Refactor tls_client_init interface
[exim.git] / src / src / tls-gnu.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2014 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Copyright (c) Phil Pennock 2012 */
9
10 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
11 one of the available supported implementations. This file is #included into
12 tls.c when USE_GNUTLS has been set.
13
14 The code herein is a revamp of GnuTLS integration using the current APIs; the
15 original tls-gnu.c was based on a patch which was contributed by Nikos
16 Mavroyanopoulos. The revamp is partially a rewrite, partially cut&paste as
17 appropriate.
18
19 APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20 which is not widely deployed by OS vendors. Will note issues below, which may
21 assist in updating the code in the future. Another sources of hints is
22 mod_gnutls for Apache (SNI callback registration and handling).
23
24 Keeping client and server variables more split than before and is currently
25 the norm, in anticipation of TLS in ACL callouts.
26
27 I wanted to switch to gnutls_certificate_set_verify_function() so that
28 certificate rejection could happen during handshake where it belongs, rather
29 than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30 (6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
31
32 (I wasn't looking for libraries quite that old, when updating to get rid of
33 compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34 require current GnuTLS, then we'll drop support for the ancient libraries).
35 */
36
37 #include <gnutls/gnutls.h>
38 /* needed for cert checks in verification and DN extraction: */
39 #include <gnutls/x509.h>
40 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41 #include <gnutls/crypto.h>
42 /* needed to disable PKCS11 autoload unless requested */
43 #if GNUTLS_VERSION_NUMBER >= 0x020c00
44 # include <gnutls/pkcs11.h>
45 #endif
46 #ifdef EXPERIMENTAL_OCSP
47 # include <gnutls/ocsp.h>
48 #endif
49
50 /* GnuTLS 2 vs 3
51
52 GnuTLS 3 only:
53 gnutls_global_set_audit_log_function()
54
55 Changes:
56 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
57 */
58
59 /* Local static variables for GnuTLS */
60
61 /* Values for verify_requirement */
62
63 enum peer_verify_requirement { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
64
65 /* This holds most state for server or client; with this, we can set up an
66 outbound TLS-enabled connection in an ACL callout, while not stomping all
67 over the TLS variables available for expansion.
68
69 Some of these correspond to variables in globals.c; those variables will
70 be set to point to content in one of these instances, as appropriate for
71 the stage of the process lifetime.
72
73 Not handled here: global tls_channelbinding_b64.
74 */
75
76 typedef struct exim_gnutls_state {
77 gnutls_session_t session;
78 gnutls_certificate_credentials_t x509_cred;
79 gnutls_priority_t priority_cache;
80 enum peer_verify_requirement verify_requirement;
81 int fd_in;
82 int fd_out;
83 BOOL peer_cert_verified;
84 BOOL trigger_sni_changes;
85 BOOL have_set_peerdn;
86 const struct host_item *host;
87 gnutls_x509_crt_t peercert;
88 uschar *peerdn;
89 uschar *ciphersuite;
90 uschar *received_sni;
91
92 const uschar *tls_certificate;
93 const uschar *tls_privatekey;
94 const uschar *tls_sni; /* client send only, not received */
95 const uschar *tls_verify_certificates;
96 const uschar *tls_crl;
97 const uschar *tls_require_ciphers;
98 uschar *exp_tls_certificate;
99 uschar *exp_tls_privatekey;
100 uschar *exp_tls_sni;
101 uschar *exp_tls_verify_certificates;
102 uschar *exp_tls_crl;
103 uschar *exp_tls_require_ciphers;
104
105 tls_support *tlsp; /* set in tls_init() */
106
107 uschar *xfer_buffer;
108 int xfer_buffer_lwm;
109 int xfer_buffer_hwm;
110 int xfer_eof;
111 int xfer_error;
112 } exim_gnutls_state_st;
113
114 static const exim_gnutls_state_st exim_gnutls_state_init = {
115 NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
116 NULL, NULL, NULL, NULL,
117 NULL, NULL, NULL, NULL, NULL, NULL,
118 NULL, NULL, NULL, NULL, NULL, NULL,
119 NULL,
120 NULL, 0, 0, 0, 0,
121 };
122
123 /* Not only do we have our own APIs which don't pass around state, assuming
124 it's held in globals, GnuTLS doesn't appear to let us register callback data
125 for callbacks, or as part of the session, so we have to keep a "this is the
126 context we're currently dealing with" pointer and rely upon being
127 single-threaded to keep from processing data on an inbound TLS connection while
128 talking to another TLS connection for an outbound check. This does mean that
129 there's no way for heart-beats to be responded to, for the duration of the
130 second connection. */
131
132 static exim_gnutls_state_st state_server, state_client;
133
134 /* dh_params are initialised once within the lifetime of a process using TLS;
135 if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
136 don't want to repeat this. */
137
138 static gnutls_dh_params_t dh_server_params = NULL;
139
140 /* No idea how this value was chosen; preserving it. Default is 3600. */
141
142 static const int ssl_session_timeout = 200;
143
144 static const char * const exim_default_gnutls_priority = "NORMAL";
145
146 /* Guard library core initialisation */
147
148 static BOOL exim_gnutls_base_init_done = FALSE;
149
150
151 /* ------------------------------------------------------------------------ */
152 /* macros */
153
154 #define MAX_HOST_LEN 255
155
156 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
157 the library logging; a value less than 0 disables the calls to set up logging
158 callbacks. */
159 #ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
160 #define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
161 #endif
162
163 #ifndef EXIM_CLIENT_DH_MIN_BITS
164 #define EXIM_CLIENT_DH_MIN_BITS 1024
165 #endif
166
167 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
168 can ask for a bit-strength. Without that, we stick to the constant we had
169 before, for now. */
170 #ifndef EXIM_SERVER_DH_BITS_PRE2_12
171 #define EXIM_SERVER_DH_BITS_PRE2_12 1024
172 #endif
173
174 #define exim_gnutls_err_check(Label) do { \
175 if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)
176
177 #define expand_check_tlsvar(Varname) expand_check(state->Varname, US #Varname, &state->exp_##Varname)
178
179 #if GNUTLS_VERSION_NUMBER >= 0x020c00
180 #define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
181 #define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
182 #define HAVE_GNUTLS_RND
183 /* The security fix we provide with the gnutls_allow_auto_pkcs11 option
184 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
185 * isn't available sometimes, so this needs to become a conditional
186 * compilation; the sanest way to deal with this being a problem on
187 * older OSes is to block it in the Local/Makefile with this compiler
188 * definition */
189 #ifndef AVOID_GNUTLS_PKCS11
190 #define HAVE_GNUTLS_PKCS11
191 #endif /* AVOID_GNUTLS_PKCS11 */
192 #endif
193
194
195
196
197 /* ------------------------------------------------------------------------ */
198 /* Callback declarations */
199
200 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
201 static void exim_gnutls_logger_cb(int level, const char *message);
202 #endif
203
204 static int exim_sni_handling_cb(gnutls_session_t session);
205
206
207
208
209 /* ------------------------------------------------------------------------ */
210 /* Static functions */
211
212 /*************************************************
213 * Handle TLS error *
214 *************************************************/
215
216 /* Called from lots of places when errors occur before actually starting to do
217 the TLS handshake, that is, while the session is still in clear. Always returns
218 DEFER for a server and FAIL for a client so that most calls can use "return
219 tls_error(...)" to do this processing and then give an appropriate return. A
220 single function is used for both server and client, because it is called from
221 some shared functions.
222
223 Argument:
224 prefix text to include in the logged error
225 msg additional error string (may be NULL)
226 usually obtained from gnutls_strerror()
227 host NULL if setting up a server;
228 the connected host if setting up a client
229
230 Returns: OK/DEFER/FAIL
231 */
232
233 static int
234 tls_error(const uschar *prefix, const char *msg, const host_item *host)
235 {
236 if (host)
237 {
238 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s)%s%s",
239 host->name, host->address, prefix, msg ? ": " : "", msg ? msg : "");
240 return FAIL;
241 }
242 else
243 {
244 uschar *conn_info = smtp_get_connection_info();
245 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
246 conn_info += 5;
247 log_write(0, LOG_MAIN, "TLS error on %s (%s)%s%s",
248 conn_info, prefix, msg ? ": " : "", msg ? msg : "");
249 return DEFER;
250 }
251 }
252
253
254
255
256 /*************************************************
257 * Deal with logging errors during I/O *
258 *************************************************/
259
260 /* We have to get the identity of the peer from saved data.
261
262 Argument:
263 state the current GnuTLS exim state container
264 rc the GnuTLS error code, or 0 if it's a local error
265 when text identifying read or write
266 text local error text when ec is 0
267
268 Returns: nothing
269 */
270
271 static void
272 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
273 {
274 const char *msg;
275
276 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
277 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
278 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
279 else
280 msg = gnutls_strerror(rc);
281
282 tls_error(when, msg, state->host);
283 }
284
285
286
287
288 /*************************************************
289 * Set various Exim expansion vars *
290 *************************************************/
291
292 #define exim_gnutls_cert_err(Label) do { \
293 if (rc != GNUTLS_E_SUCCESS) { \
294 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", (Label), gnutls_strerror(rc)); \
295 return rc; } } while (0)
296
297 static int
298 import_cert(const gnutls_datum * cert, gnutls_x509_crt_t * crtp)
299 {
300 int rc;
301
302 rc = gnutls_x509_crt_init(crtp);
303 exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
304
305 rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
306 exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
307
308 return rc;
309 }
310
311 #undef exim_gnutls_cert_err
312
313
314 /* We set various Exim global variables from the state, once a session has
315 been established. With TLS callouts, may need to change this to stack
316 variables, or just re-call it with the server state after client callout
317 has finished.
318
319 Make sure anything set here is unset in tls_getc().
320
321 Sets:
322 tls_active fd
323 tls_bits strength indicator
324 tls_certificate_verified bool indicator
325 tls_channelbinding_b64 for some SASL mechanisms
326 tls_cipher a string
327 tls_peercert pointer to library internal
328 tls_peerdn a string
329 tls_sni a (UTF-8) string
330 tls_ourcert pointer to library internal
331
332 Argument:
333 state the relevant exim_gnutls_state_st *
334 */
335
336 static void
337 extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
338 {
339 gnutls_cipher_algorithm_t cipher;
340 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
341 int old_pool;
342 int rc;
343 gnutls_datum_t channel;
344 #endif
345 tls_support * tlsp = state->tlsp;
346
347 tlsp->active = state->fd_out;
348
349 cipher = gnutls_cipher_get(state->session);
350 /* returns size in "bytes" */
351 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
352
353 tlsp->cipher = state->ciphersuite;
354
355 DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
356
357 tlsp->certificate_verified = state->peer_cert_verified;
358
359 /* note that tls_channelbinding_b64 is not saved to the spool file, since it's
360 only available for use for authenticators while this TLS session is running. */
361
362 tls_channelbinding_b64 = NULL;
363 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
364 channel.data = NULL;
365 channel.size = 0;
366 rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
367 if (rc) {
368 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
369 } else {
370 old_pool = store_pool;
371 store_pool = POOL_PERM;
372 tls_channelbinding_b64 = auth_b64encode(channel.data, (int)channel.size);
373 store_pool = old_pool;
374 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
375 }
376 #endif
377
378 /* peercert is set in peer_status() */
379 tlsp->peerdn = state->peerdn;
380 tlsp->sni = state->received_sni;
381
382 /* record our certificate */
383 {
384 const gnutls_datum * cert = gnutls_certificate_get_ours(state->session);
385 gnutls_x509_crt_t crt;
386
387 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
388 }
389 }
390
391
392
393
394 /*************************************************
395 * Setup up DH parameters *
396 *************************************************/
397
398 /* Generating the D-H parameters may take a long time. They only need to
399 be re-generated every so often, depending on security policy. What we do is to
400 keep these parameters in a file in the spool directory. If the file does not
401 exist, we generate them. This means that it is easy to cause a regeneration.
402
403 The new file is written as a temporary file and renamed, so that an incomplete
404 file is never present. If two processes both compute some new parameters, you
405 waste a bit of effort, but it doesn't seem worth messing around with locking to
406 prevent this.
407
408 Returns: OK/DEFER/FAIL
409 */
410
411 static int
412 init_server_dh(void)
413 {
414 int fd, rc;
415 unsigned int dh_bits;
416 gnutls_datum m;
417 uschar filename_buf[PATH_MAX];
418 uschar *filename = NULL;
419 size_t sz;
420 uschar *exp_tls_dhparam;
421 BOOL use_file_in_spool = FALSE;
422 BOOL use_fixed_file = FALSE;
423 host_item *host = NULL; /* dummy for macros */
424
425 DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
426
427 rc = gnutls_dh_params_init(&dh_server_params);
428 exim_gnutls_err_check(US"gnutls_dh_params_init");
429
430 m.data = NULL;
431 m.size = 0;
432
433 if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam))
434 return DEFER;
435
436 if (!exp_tls_dhparam)
437 {
438 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
439 m.data = US std_dh_prime_default();
440 m.size = Ustrlen(m.data);
441 }
442 else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
443 use_file_in_spool = TRUE;
444 else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
445 {
446 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
447 return OK;
448 }
449 else if (exp_tls_dhparam[0] != '/')
450 {
451 m.data = US std_dh_prime_named(exp_tls_dhparam);
452 if (m.data == NULL)
453 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL);
454 m.size = Ustrlen(m.data);
455 }
456 else
457 {
458 use_fixed_file = TRUE;
459 filename = exp_tls_dhparam;
460 }
461
462 if (m.data)
463 {
464 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
465 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
466 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
467 return OK;
468 }
469
470 #ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
471 /* If you change this constant, also change dh_param_fn_ext so that we can use a
472 different filename and ensure we have sufficient bits. */
473 dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
474 if (!dh_bits)
475 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL);
476 DEBUG(D_tls)
477 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
478 dh_bits);
479 #else
480 dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
481 DEBUG(D_tls)
482 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
483 dh_bits);
484 #endif
485
486 /* Some clients have hard-coded limits. */
487 if (dh_bits > tls_dh_max_bits)
488 {
489 DEBUG(D_tls)
490 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
491 tls_dh_max_bits);
492 dh_bits = tls_dh_max_bits;
493 }
494
495 if (use_file_in_spool)
496 {
497 if (!string_format(filename_buf, sizeof(filename_buf),
498 "%s/gnutls-params-%d", spool_directory, dh_bits))
499 return tls_error(US"overlong filename", NULL, NULL);
500 filename = filename_buf;
501 }
502
503 /* Open the cache file for reading and if successful, read it and set up the
504 parameters. */
505
506 fd = Uopen(filename, O_RDONLY, 0);
507 if (fd >= 0)
508 {
509 struct stat statbuf;
510 FILE *fp;
511 int saved_errno;
512
513 if (fstat(fd, &statbuf) < 0) /* EIO */
514 {
515 saved_errno = errno;
516 (void)close(fd);
517 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL);
518 }
519 if (!S_ISREG(statbuf.st_mode))
520 {
521 (void)close(fd);
522 return tls_error(US"TLS cache not a file", NULL, NULL);
523 }
524 fp = fdopen(fd, "rb");
525 if (!fp)
526 {
527 saved_errno = errno;
528 (void)close(fd);
529 return tls_error(US"fdopen(TLS cache stat fd) failed",
530 strerror(saved_errno), NULL);
531 }
532
533 m.size = statbuf.st_size;
534 m.data = malloc(m.size);
535 if (m.data == NULL)
536 {
537 fclose(fp);
538 return tls_error(US"malloc failed", strerror(errno), NULL);
539 }
540 sz = fread(m.data, m.size, 1, fp);
541 if (!sz)
542 {
543 saved_errno = errno;
544 fclose(fp);
545 free(m.data);
546 return tls_error(US"fread failed", strerror(saved_errno), NULL);
547 }
548 fclose(fp);
549
550 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
551 free(m.data);
552 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
553 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
554 }
555
556 /* If the file does not exist, fall through to compute new data and cache it.
557 If there was any other opening error, it is serious. */
558
559 else if (errno == ENOENT)
560 {
561 rc = -1;
562 DEBUG(D_tls)
563 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
564 }
565 else
566 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
567 NULL, NULL);
568
569 /* If ret < 0, either the cache file does not exist, or the data it contains
570 is not useful. One particular case of this is when upgrading from an older
571 release of Exim in which the data was stored in a different format. We don't
572 try to be clever and support both formats; we just regenerate new data in this
573 case. */
574
575 if (rc < 0)
576 {
577 uschar *temp_fn;
578 unsigned int dh_bits_gen = dh_bits;
579
580 if ((PATH_MAX - Ustrlen(filename)) < 10)
581 return tls_error(US"Filename too long to generate replacement",
582 CS filename, NULL);
583
584 temp_fn = string_copy(US "%s.XXXXXXX");
585 fd = mkstemp(CS temp_fn); /* modifies temp_fn */
586 if (fd < 0)
587 return tls_error(US"Unable to open temp file", strerror(errno), NULL);
588 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
589
590 /* GnuTLS overshoots!
591 * If we ask for 2236, we might get 2237 or more.
592 * But there's no way to ask GnuTLS how many bits there really are.
593 * We can ask how many bits were used in a TLS session, but that's it!
594 * The prime itself is hidden behind too much abstraction.
595 * So we ask for less, and proceed on a wing and a prayer.
596 * First attempt, subtracted 3 for 2233 and got 2240.
597 */
598 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
599 {
600 dh_bits_gen = dh_bits - 10;
601 DEBUG(D_tls)
602 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
603 dh_bits_gen);
604 }
605
606 DEBUG(D_tls)
607 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
608 dh_bits_gen);
609 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
610 exim_gnutls_err_check(US"gnutls_dh_params_generate2");
611
612 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
613 and I confirmed that a NULL call to get the size first is how the GnuTLS
614 sample apps handle this. */
615
616 sz = 0;
617 m.data = NULL;
618 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
619 m.data, &sz);
620 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
621 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3(NULL) sizing");
622 m.size = sz;
623 m.data = malloc(m.size);
624 if (m.data == NULL)
625 return tls_error(US"memory allocation failed", strerror(errno), NULL);
626 /* this will return a size 1 less than the allocation size above */
627 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
628 m.data, &sz);
629 if (rc != GNUTLS_E_SUCCESS)
630 {
631 free(m.data);
632 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3() real");
633 }
634 m.size = sz; /* shrink by 1, probably */
635
636 sz = write_to_fd_buf(fd, m.data, (size_t) m.size);
637 if (sz != m.size)
638 {
639 free(m.data);
640 return tls_error(US"TLS cache write D-H params failed",
641 strerror(errno), NULL);
642 }
643 free(m.data);
644 sz = write_to_fd_buf(fd, US"\n", 1);
645 if (sz != 1)
646 return tls_error(US"TLS cache write D-H params final newline failed",
647 strerror(errno), NULL);
648
649 rc = close(fd);
650 if (rc)
651 return tls_error(US"TLS cache write close() failed",
652 strerror(errno), NULL);
653
654 if (Urename(temp_fn, filename) < 0)
655 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
656 temp_fn, filename), strerror(errno), NULL);
657
658 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
659 }
660
661 DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
662 return OK;
663 }
664
665
666
667
668 /*************************************************
669 * Variables re-expanded post-SNI *
670 *************************************************/
671
672 /* Called from both server and client code, via tls_init(), and also from
673 the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
674
675 We can tell the two apart by state->received_sni being non-NULL in callback.
676
677 The callback should not call us unless state->trigger_sni_changes is true,
678 which we are responsible for setting on the first pass through.
679
680 Arguments:
681 state exim_gnutls_state_st *
682
683 Returns: OK/DEFER/FAIL
684 */
685
686 static int
687 tls_expand_session_files(exim_gnutls_state_st *state)
688 {
689 struct stat statbuf;
690 int rc;
691 const host_item *host = state->host; /* macro should be reconsidered? */
692 uschar *saved_tls_certificate = NULL;
693 uschar *saved_tls_privatekey = NULL;
694 uschar *saved_tls_verify_certificates = NULL;
695 uschar *saved_tls_crl = NULL;
696 int cert_count;
697
698 /* We check for tls_sni *before* expansion. */
699 if (!host) /* server */
700 {
701 if (!state->received_sni)
702 {
703 if (state->tls_certificate &&
704 (Ustrstr(state->tls_certificate, US"tls_sni") ||
705 Ustrstr(state->tls_certificate, US"tls_in_sni") ||
706 Ustrstr(state->tls_certificate, US"tls_out_sni")
707 ))
708 {
709 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
710 state->trigger_sni_changes = TRUE;
711 }
712 }
713 else
714 {
715 /* useful for debugging */
716 saved_tls_certificate = state->exp_tls_certificate;
717 saved_tls_privatekey = state->exp_tls_privatekey;
718 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
719 saved_tls_crl = state->exp_tls_crl;
720 }
721 }
722
723 rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
724 exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
725
726 /* remember: expand_check_tlsvar() is expand_check() but fiddling with
727 state members, assuming consistent naming; and expand_check() returns
728 false if expansion failed, unless expansion was forced to fail. */
729
730 /* check if we at least have a certificate, before doing expensive
731 D-H generation. */
732
733 if (!expand_check_tlsvar(tls_certificate))
734 return DEFER;
735
736 /* certificate is mandatory in server, optional in client */
737
738 if ((state->exp_tls_certificate == NULL) ||
739 (*state->exp_tls_certificate == '\0'))
740 {
741 if (!host)
742 return tls_error(US"no TLS server certificate is specified", NULL, NULL);
743 else
744 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
745 }
746
747 if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
748 return DEFER;
749
750 /* tls_privatekey is optional, defaulting to same file as certificate */
751
752 if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
753 {
754 state->tls_privatekey = state->tls_certificate;
755 state->exp_tls_privatekey = state->exp_tls_certificate;
756 }
757
758
759 if (state->exp_tls_certificate && *state->exp_tls_certificate)
760 {
761 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
762 state->exp_tls_certificate, state->exp_tls_privatekey);
763
764 if (state->received_sni)
765 {
766 if ((Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0) &&
767 (Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0))
768 {
769 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
770 }
771 else
772 {
773 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
774 }
775 }
776
777 rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
778 CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
779 GNUTLS_X509_FMT_PEM);
780 exim_gnutls_err_check(
781 string_sprintf("cert/key setup: cert=%s key=%s",
782 state->exp_tls_certificate, state->exp_tls_privatekey));
783 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
784 } /* tls_certificate */
785
786
787 /* Set the OCSP stapling server info */
788
789 #ifdef EXPERIMENTAL_OCSP
790 if ( !host /* server */
791 && tls_ocsp_file
792 )
793 {
794 uschar * expanded;
795 int rc;
796
797 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &expanded))
798 return DEFER;
799
800 /* Lazy way; would like callback to emit debug on actual response */
801
802 rc = gnutls_certificate_set_ocsp_status_request_file(state->x509_cred,
803 expanded, 0);
804 exim_gnutls_err_check(US"gnutls_certificate_set_ocsp_status_request_file");
805 DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", expanded);
806 }
807 #endif
808
809
810 /* Set the trusted CAs file if one is provided, and then add the CRL if one is
811 provided. Experiment shows that, if the certificate file is empty, an unhelpful
812 error message is provided. However, if we just refrain from setting anything up
813 in that case, certificate verification fails, which seems to be the correct
814 behaviour. */
815
816 if (state->tls_verify_certificates && *state->tls_verify_certificates)
817 {
818 if (!expand_check_tlsvar(tls_verify_certificates))
819 return DEFER;
820 if (state->tls_crl && *state->tls_crl)
821 if (!expand_check_tlsvar(tls_crl))
822 return DEFER;
823
824 if (!(state->exp_tls_verify_certificates &&
825 *state->exp_tls_verify_certificates))
826 {
827 DEBUG(D_tls)
828 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
829 /* With no tls_verify_certificates, we ignore tls_crl too */
830 return OK;
831 }
832 }
833 else
834 {
835 DEBUG(D_tls)
836 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
837 return OK;
838 }
839
840 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
841 {
842 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
843 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
844 strerror(errno));
845 return DEFER;
846 }
847
848 /* The test suite passes in /dev/null; we could check for that path explicitly,
849 but who knows if someone has some weird FIFO which always dumps some certs, or
850 other weirdness. The thing we really want to check is that it's not a
851 directory, since while OpenSSL supports that, GnuTLS does not.
852 So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
853 if (S_ISDIR(statbuf.st_mode))
854 {
855 DEBUG(D_tls)
856 debug_printf("verify certificates path is a dir: \"%s\"\n",
857 state->exp_tls_verify_certificates);
858 log_write(0, LOG_MAIN|LOG_PANIC,
859 "tls_verify_certificates \"%s\" is a directory",
860 state->exp_tls_verify_certificates);
861 return DEFER;
862 }
863
864 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
865 state->exp_tls_verify_certificates, statbuf.st_size);
866
867 if (statbuf.st_size == 0)
868 {
869 DEBUG(D_tls)
870 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
871 return OK;
872 }
873
874 cert_count = gnutls_certificate_set_x509_trust_file(state->x509_cred,
875 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
876 if (cert_count < 0)
877 {
878 rc = cert_count;
879 exim_gnutls_err_check(US"gnutls_certificate_set_x509_trust_file");
880 }
881 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
882
883 if (state->tls_crl && *state->tls_crl &&
884 state->exp_tls_crl && *state->exp_tls_crl)
885 {
886 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
887 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
888 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
889 if (cert_count < 0)
890 {
891 rc = cert_count;
892 exim_gnutls_err_check(US"gnutls_certificate_set_x509_crl_file");
893 }
894 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
895 }
896
897 return OK;
898 }
899
900
901
902
903 /*************************************************
904 * Set X.509 state variables *
905 *************************************************/
906
907 /* In GnuTLS, the registered cert/key are not replaced by a later
908 set of a cert/key, so for SNI support we need a whole new x509_cred
909 structure. Which means various other non-re-expanded pieces of state
910 need to be re-set in the new struct, so the setting logic is pulled
911 out to this.
912
913 Arguments:
914 state exim_gnutls_state_st *
915
916 Returns: OK/DEFER/FAIL
917 */
918
919 static int
920 tls_set_remaining_x509(exim_gnutls_state_st *state)
921 {
922 int rc;
923 const host_item *host = state->host; /* macro should be reconsidered? */
924
925 /* Create D-H parameters, or read them from the cache file. This function does
926 its own SMTP error messaging. This only happens for the server, TLS D-H ignores
927 client-side params. */
928
929 if (!state->host)
930 {
931 if (!dh_server_params)
932 {
933 rc = init_server_dh();
934 if (rc != OK) return rc;
935 }
936 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
937 }
938
939 /* Link the credentials to the session. */
940
941 rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
942 exim_gnutls_err_check(US"gnutls_credentials_set");
943
944 return OK;
945 }
946
947 /*************************************************
948 * Initialize for GnuTLS *
949 *************************************************/
950
951 /* Called from both server and client code. In the case of a server, errors
952 before actual TLS negotiation return DEFER.
953
954 Arguments:
955 host connected host, if client; NULL if server
956 certificate certificate file
957 privatekey private key file
958 sni TLS SNI to send, sometimes when client; else NULL
959 cas CA certs file
960 crl CRL file
961 require_ciphers tls_require_ciphers setting
962 caller_state returned state-info structure
963
964 Returns: OK/DEFER/FAIL
965 */
966
967 static int
968 tls_init(
969 const host_item *host,
970 const uschar *certificate,
971 const uschar *privatekey,
972 const uschar *sni,
973 const uschar *cas,
974 const uschar *crl,
975 const uschar *require_ciphers,
976 exim_gnutls_state_st **caller_state)
977 {
978 exim_gnutls_state_st *state;
979 int rc;
980 size_t sz;
981 const char *errpos;
982 uschar *p;
983 BOOL want_default_priorities;
984
985 if (!exim_gnutls_base_init_done)
986 {
987 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
988
989 #ifdef HAVE_GNUTLS_PKCS11
990 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
991 which loads modules from a config file, which sounds good and may be wanted
992 by some sysadmin, but also means in common configurations that GNOME keyring
993 environment variables are used and so breaks for users calling mailq.
994 To prevent this, we init PKCS11 first, which is the documented approach. */
995 if (!gnutls_allow_auto_pkcs11)
996 {
997 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
998 exim_gnutls_err_check(US"gnutls_pkcs11_init");
999 }
1000 #endif
1001
1002 rc = gnutls_global_init();
1003 exim_gnutls_err_check(US"gnutls_global_init");
1004
1005 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1006 DEBUG(D_tls)
1007 {
1008 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1009 /* arbitrarily chosen level; bump upto 9 for more */
1010 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
1011 }
1012 #endif
1013
1014 exim_gnutls_base_init_done = TRUE;
1015 }
1016
1017 if (host)
1018 {
1019 state = &state_client;
1020 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1021 state->tlsp = &tls_out;
1022 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1023 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1024 }
1025 else
1026 {
1027 state = &state_server;
1028 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1029 state->tlsp = &tls_in;
1030 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1031 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1032 }
1033 exim_gnutls_err_check(US"gnutls_init");
1034
1035 state->host = host;
1036
1037 state->tls_certificate = certificate;
1038 state->tls_privatekey = privatekey;
1039 state->tls_require_ciphers = require_ciphers;
1040 state->tls_sni = sni;
1041 state->tls_verify_certificates = cas;
1042 state->tls_crl = crl;
1043
1044 /* This handles the variables that might get re-expanded after TLS SNI;
1045 that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
1046
1047 DEBUG(D_tls)
1048 debug_printf("Expanding various TLS configuration options for session credentials.\n");
1049 rc = tls_expand_session_files(state);
1050 if (rc != OK) return rc;
1051
1052 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1053 requires a new structure afterwards. */
1054
1055 rc = tls_set_remaining_x509(state);
1056 if (rc != OK) return rc;
1057
1058 /* set SNI in client, only */
1059 if (host)
1060 {
1061 if (!expand_check(state->tlsp->sni, US"tls_out_sni", &state->exp_tls_sni))
1062 return DEFER;
1063 if (state->exp_tls_sni && *state->exp_tls_sni)
1064 {
1065 DEBUG(D_tls)
1066 debug_printf("Setting TLS client SNI to \"%s\"\n", state->exp_tls_sni);
1067 sz = Ustrlen(state->exp_tls_sni);
1068 rc = gnutls_server_name_set(state->session,
1069 GNUTLS_NAME_DNS, state->exp_tls_sni, sz);
1070 exim_gnutls_err_check(US"gnutls_server_name_set");
1071 }
1072 }
1073 else if (state->tls_sni)
1074 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1075 "have an SNI set for a client [%s]\n", state->tls_sni);
1076
1077 /* This is the priority string support,
1078 http://www.gnutls.org/manual/html_node/Priority-Strings.html
1079 and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1080 This was backwards incompatible, but means Exim no longer needs to track
1081 all algorithms and provide string forms for them. */
1082
1083 want_default_priorities = TRUE;
1084
1085 if (state->tls_require_ciphers && *state->tls_require_ciphers)
1086 {
1087 if (!expand_check_tlsvar(tls_require_ciphers))
1088 return DEFER;
1089 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
1090 {
1091 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1092 state->exp_tls_require_ciphers);
1093
1094 rc = gnutls_priority_init(&state->priority_cache,
1095 CS state->exp_tls_require_ciphers, &errpos);
1096 want_default_priorities = FALSE;
1097 p = state->exp_tls_require_ciphers;
1098 }
1099 }
1100 if (want_default_priorities)
1101 {
1102 DEBUG(D_tls)
1103 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1104 exim_default_gnutls_priority);
1105 rc = gnutls_priority_init(&state->priority_cache,
1106 exim_default_gnutls_priority, &errpos);
1107 p = US exim_default_gnutls_priority;
1108 }
1109
1110 exim_gnutls_err_check(string_sprintf(
1111 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1112 p, errpos - CS p, errpos));
1113
1114 rc = gnutls_priority_set(state->session, state->priority_cache);
1115 exim_gnutls_err_check(US"gnutls_priority_set");
1116
1117 gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1118
1119 /* Reduce security in favour of increased compatibility, if the admin
1120 decides to make that trade-off. */
1121 if (gnutls_compat_mode)
1122 {
1123 #if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1124 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1125 gnutls_session_enable_compatibility_mode(state->session);
1126 #else
1127 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1128 #endif
1129 }
1130
1131 *caller_state = state;
1132 return OK;
1133 }
1134
1135
1136
1137 /*************************************************
1138 * Extract peer information *
1139 *************************************************/
1140
1141 /* Called from both server and client code.
1142 Only this is allowed to set state->peerdn and state->have_set_peerdn
1143 and we use that to detect double-calls.
1144
1145 NOTE: the state blocks last while the TLS connection is up, which is fine
1146 for logging in the server side, but for the client side, we log after teardown
1147 in src/deliver.c. While the session is up, we can twist about states and
1148 repoint tls_* globals, but those variables used for logging or other variable
1149 expansion that happens _after_ delivery need to have a longer life-time.
1150
1151 So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1152 doing this more than once per generation of a state context. We set them in
1153 the state context, and repoint tls_* to them. After the state goes away, the
1154 tls_* copies of the pointers remain valid and client delivery logging is happy.
1155
1156 tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1157 don't apply.
1158
1159 Arguments:
1160 state exim_gnutls_state_st *
1161
1162 Returns: OK/DEFER/FAIL
1163 */
1164
1165 static int
1166 peer_status(exim_gnutls_state_st *state)
1167 {
1168 uschar cipherbuf[256];
1169 const gnutls_datum *cert_list;
1170 int old_pool, rc;
1171 unsigned int cert_list_size = 0;
1172 gnutls_protocol_t protocol;
1173 gnutls_cipher_algorithm_t cipher;
1174 gnutls_kx_algorithm_t kx;
1175 gnutls_mac_algorithm_t mac;
1176 gnutls_certificate_type_t ct;
1177 gnutls_x509_crt_t crt;
1178 uschar *p, *dn_buf;
1179 size_t sz;
1180
1181 if (state->have_set_peerdn)
1182 return OK;
1183 state->have_set_peerdn = TRUE;
1184
1185 state->peerdn = NULL;
1186
1187 /* tls_cipher */
1188 cipher = gnutls_cipher_get(state->session);
1189 protocol = gnutls_protocol_get_version(state->session);
1190 mac = gnutls_mac_get(state->session);
1191 kx = gnutls_kx_get(state->session);
1192
1193 string_format(cipherbuf, sizeof(cipherbuf),
1194 "%s:%s:%d",
1195 gnutls_protocol_get_name(protocol),
1196 gnutls_cipher_suite_get_name(kx, cipher, mac),
1197 (int) gnutls_cipher_get_key_size(cipher) * 8);
1198
1199 /* I don't see a way that spaces could occur, in the current GnuTLS
1200 code base, but it was a concern in the old code and perhaps older GnuTLS
1201 releases did return "TLS 1.0"; play it safe, just in case. */
1202 for (p = cipherbuf; *p != '\0'; ++p)
1203 if (isspace(*p))
1204 *p = '-';
1205 old_pool = store_pool;
1206 store_pool = POOL_PERM;
1207 state->ciphersuite = string_copy(cipherbuf);
1208 store_pool = old_pool;
1209 state->tlsp->cipher = state->ciphersuite;
1210
1211 /* tls_peerdn */
1212 cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
1213
1214 if (cert_list == NULL || cert_list_size == 0)
1215 {
1216 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1217 cert_list, cert_list_size);
1218 if (state->verify_requirement == VERIFY_REQUIRED)
1219 return tls_error(US"certificate verification failed",
1220 "no certificate received from peer", state->host);
1221 return OK;
1222 }
1223
1224 ct = gnutls_certificate_type_get(state->session);
1225 if (ct != GNUTLS_CRT_X509)
1226 {
1227 const char *ctn = gnutls_certificate_type_get_name(ct);
1228 DEBUG(D_tls)
1229 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
1230 if (state->verify_requirement == VERIFY_REQUIRED)
1231 return tls_error(US"certificate verification not possible, unhandled type",
1232 ctn, state->host);
1233 return OK;
1234 }
1235
1236 #define exim_gnutls_peer_err(Label) do { \
1237 if (rc != GNUTLS_E_SUCCESS) { \
1238 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", (Label), gnutls_strerror(rc)); \
1239 if (state->verify_requirement == VERIFY_REQUIRED) { return tls_error((Label), gnutls_strerror(rc), state->host); } \
1240 return OK; } } while (0)
1241
1242 rc = import_cert(&cert_list[0], &crt);
1243 exim_gnutls_peer_err(US"cert 0");
1244
1245 state->tlsp->peercert = state->peercert = crt;
1246
1247 sz = 0;
1248 rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1249 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
1250 {
1251 exim_gnutls_peer_err(US"getting size for cert DN failed");
1252 return FAIL; /* should not happen */
1253 }
1254 dn_buf = store_get_perm(sz);
1255 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1256 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
1257
1258 state->peerdn = dn_buf;
1259
1260 return OK;
1261 #undef exim_gnutls_peer_err
1262 }
1263
1264
1265
1266
1267 /*************************************************
1268 * Verify peer certificate *
1269 *************************************************/
1270
1271 /* Called from both server and client code.
1272 *Should* be using a callback registered with
1273 gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1274 the peer information, but that's too new for some OSes.
1275
1276 Arguments:
1277 state exim_gnutls_state_st *
1278 error where to put an error message
1279
1280 Returns:
1281 FALSE if the session should be rejected
1282 TRUE if the cert is okay or we just don't care
1283 */
1284
1285 static BOOL
1286 verify_certificate(exim_gnutls_state_st *state, const char **error)
1287 {
1288 int rc;
1289 unsigned int verify;
1290
1291 *error = NULL;
1292
1293 if ((rc = peer_status(state)) != OK)
1294 {
1295 verify = GNUTLS_CERT_INVALID;
1296 *error = "certificate not supplied";
1297 }
1298 else
1299 rc = gnutls_certificate_verify_peers2(state->session, &verify);
1300
1301 /* Handle the result of verification. INVALID seems to be set as well
1302 as REVOKED, but leave the test for both. */
1303
1304 if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
1305 {
1306 state->peer_cert_verified = FALSE;
1307 if (!*error)
1308 *error = verify & GNUTLS_CERT_REVOKED
1309 ? "certificate revoked" : "certificate invalid";
1310
1311 DEBUG(D_tls)
1312 debug_printf("TLS certificate verification failed (%s): peerdn=%s\n",
1313 *error, state->peerdn ? state->peerdn : US"<unset>");
1314
1315 if (state->verify_requirement == VERIFY_REQUIRED)
1316 {
1317 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1318 return FALSE;
1319 }
1320 DEBUG(D_tls)
1321 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
1322 }
1323 else
1324 {
1325 state->peer_cert_verified = TRUE;
1326 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=%s\n",
1327 state->peerdn ? state->peerdn : US"<unset>");
1328 }
1329
1330 state->tlsp->peerdn = state->peerdn;
1331
1332 return TRUE;
1333 }
1334
1335
1336
1337
1338 /* ------------------------------------------------------------------------ */
1339 /* Callbacks */
1340
1341 /* Logging function which can be registered with
1342 * gnutls_global_set_log_function()
1343 * gnutls_global_set_log_level() 0..9
1344 */
1345 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1346 static void
1347 exim_gnutls_logger_cb(int level, const char *message)
1348 {
1349 size_t len = strlen(message);
1350 if (len < 1)
1351 {
1352 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1353 return;
1354 }
1355 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1356 message[len-1] == '\n' ? "" : "\n");
1357 }
1358 #endif
1359
1360
1361 /* Called after client hello, should handle SNI work.
1362 This will always set tls_sni (state->received_sni) if available,
1363 and may trigger presenting different certificates,
1364 if state->trigger_sni_changes is TRUE.
1365
1366 Should be registered with
1367 gnutls_handshake_set_post_client_hello_function()
1368
1369 "This callback must return 0 on success or a gnutls error code to terminate the
1370 handshake.".
1371
1372 For inability to get SNI information, we return 0.
1373 We only return non-zero if re-setup failed.
1374 Only used for server-side TLS.
1375 */
1376
1377 static int
1378 exim_sni_handling_cb(gnutls_session_t session)
1379 {
1380 char sni_name[MAX_HOST_LEN];
1381 size_t data_len = MAX_HOST_LEN;
1382 exim_gnutls_state_st *state = &state_server;
1383 unsigned int sni_type;
1384 int rc, old_pool;
1385
1386 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
1387 if (rc != GNUTLS_E_SUCCESS)
1388 {
1389 DEBUG(D_tls) {
1390 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1391 debug_printf("TLS: no SNI presented in handshake.\n");
1392 else
1393 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1394 gnutls_strerror(rc), rc);
1395 };
1396 return 0;
1397 }
1398
1399 if (sni_type != GNUTLS_NAME_DNS)
1400 {
1401 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1402 return 0;
1403 }
1404
1405 /* We now have a UTF-8 string in sni_name */
1406 old_pool = store_pool;
1407 store_pool = POOL_PERM;
1408 state->received_sni = string_copyn(US sni_name, data_len);
1409 store_pool = old_pool;
1410
1411 /* We set this one now so that variable expansions below will work */
1412 state->tlsp->sni = state->received_sni;
1413
1414 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1415 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1416
1417 if (!state->trigger_sni_changes)
1418 return 0;
1419
1420 rc = tls_expand_session_files(state);
1421 if (rc != OK)
1422 {
1423 /* If the setup of certs/etc failed before handshake, TLS would not have
1424 been offered. The best we can do now is abort. */
1425 return GNUTLS_E_APPLICATION_ERROR_MIN;
1426 }
1427
1428 rc = tls_set_remaining_x509(state);
1429 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1430
1431 return 0;
1432 }
1433
1434
1435
1436
1437 /* ------------------------------------------------------------------------ */
1438 /* Exported functions */
1439
1440
1441
1442
1443 /*************************************************
1444 * Start a TLS session in a server *
1445 *************************************************/
1446
1447 /* This is called when Exim is running as a server, after having received
1448 the STARTTLS command. It must respond to that command, and then negotiate
1449 a TLS session.
1450
1451 Arguments:
1452 require_ciphers list of allowed ciphers or NULL
1453
1454 Returns: OK on success
1455 DEFER for errors before the start of the negotiation
1456 FAIL for errors during the negotation; the server can't
1457 continue running.
1458 */
1459
1460 int
1461 tls_server_start(const uschar *require_ciphers)
1462 {
1463 int rc;
1464 const char *error;
1465 exim_gnutls_state_st *state = NULL;
1466
1467 /* Check for previous activation */
1468 if (tls_in.active >= 0)
1469 {
1470 tls_error(US"STARTTLS received after TLS started", "", NULL);
1471 smtp_printf("554 Already in TLS\r\n");
1472 return FAIL;
1473 }
1474
1475 /* Initialize the library. If it fails, it will already have logged the error
1476 and sent an SMTP response. */
1477
1478 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
1479
1480 rc = tls_init(NULL, tls_certificate, tls_privatekey,
1481 NULL, tls_verify_certificates, tls_crl,
1482 require_ciphers, &state);
1483 if (rc != OK) return rc;
1484
1485 /* If this is a host for which certificate verification is mandatory or
1486 optional, set up appropriately. */
1487
1488 if (verify_check_host(&tls_verify_hosts) == OK)
1489 {
1490 DEBUG(D_tls) debug_printf("TLS: a client certificate will be required.\n");
1491 state->verify_requirement = VERIFY_REQUIRED;
1492 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1493 }
1494 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1495 {
1496 DEBUG(D_tls) debug_printf("TLS: a client certificate will be requested but not required.\n");
1497 state->verify_requirement = VERIFY_OPTIONAL;
1498 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1499 }
1500 else
1501 {
1502 DEBUG(D_tls) debug_printf("TLS: a client certificate will not be requested.\n");
1503 state->verify_requirement = VERIFY_NONE;
1504 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1505 }
1506
1507 /* Register SNI handling; always, even if not in tls_certificate, so that the
1508 expansion variable $tls_sni is always available. */
1509
1510 gnutls_handshake_set_post_client_hello_function(state->session,
1511 exim_sni_handling_cb);
1512
1513 /* Set context and tell client to go ahead, except in the case of TLS startup
1514 on connection, where outputting anything now upsets the clients and tends to
1515 make them disconnect. We need to have an explicit fflush() here, to force out
1516 the response. Other smtp_printf() calls do not need it, because in non-TLS
1517 mode, the fflush() happens when smtp_getc() is called. */
1518
1519 if (!state->tlsp->on_connect)
1520 {
1521 smtp_printf("220 TLS go ahead\r\n");
1522 fflush(smtp_out);
1523 }
1524
1525 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1526 that the GnuTLS library doesn't. */
1527
1528 gnutls_transport_set_ptr2(state->session,
1529 (gnutls_transport_ptr)fileno(smtp_in),
1530 (gnutls_transport_ptr)fileno(smtp_out));
1531 state->fd_in = fileno(smtp_in);
1532 state->fd_out = fileno(smtp_out);
1533
1534 sigalrm_seen = FALSE;
1535 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1536 do
1537 {
1538 rc = gnutls_handshake(state->session);
1539 } while ((rc == GNUTLS_E_AGAIN) ||
1540 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1541 alarm(0);
1542
1543 if (rc != GNUTLS_E_SUCCESS)
1544 {
1545 tls_error(US"gnutls_handshake",
1546 sigalrm_seen ? "timed out" : gnutls_strerror(rc), NULL);
1547 /* It seems that, except in the case of a timeout, we have to close the
1548 connection right here; otherwise if the other end is running OpenSSL it hangs
1549 until the server times out. */
1550
1551 if (!sigalrm_seen)
1552 {
1553 (void)fclose(smtp_out);
1554 (void)fclose(smtp_in);
1555 }
1556
1557 return FAIL;
1558 }
1559
1560 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1561
1562 /* Verify after the fact */
1563
1564 if ( state->verify_requirement != VERIFY_NONE
1565 && !verify_certificate(state, &error))
1566 {
1567 if (state->verify_requirement != VERIFY_OPTIONAL)
1568 {
1569 tls_error(US"certificate verification failed", error, NULL);
1570 return FAIL;
1571 }
1572 DEBUG(D_tls)
1573 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
1574 error);
1575 }
1576
1577 /* Figure out peer DN, and if authenticated, etc. */
1578
1579 rc = peer_status(state);
1580 if (rc != OK) return rc;
1581
1582 /* Sets various Exim expansion variables; always safe within server */
1583
1584 extract_exim_vars_from_tls_state(state);
1585
1586 /* TLS has been set up. Adjust the input functions to read via TLS,
1587 and initialize appropriately. */
1588
1589 state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1590
1591 receive_getc = tls_getc;
1592 receive_ungetc = tls_ungetc;
1593 receive_feof = tls_feof;
1594 receive_ferror = tls_ferror;
1595 receive_smtp_buffered = tls_smtp_buffered;
1596
1597 return OK;
1598 }
1599
1600
1601
1602
1603 /*************************************************
1604 * Start a TLS session in a client *
1605 *************************************************/
1606
1607 /* Called from the smtp transport after STARTTLS has been accepted.
1608
1609 Arguments:
1610 fd the fd of the connection
1611 host connected host (for messages)
1612 addr the first address (not used)
1613 ob smtp transport options
1614
1615 Returns: OK/DEFER/FAIL (because using common functions),
1616 but for a client, DEFER and FAIL have the same meaning
1617 */
1618
1619 int
1620 tls_client_start(int fd, host_item *host,
1621 address_item *addr ARG_UNUSED,
1622 void *v_ob)
1623 {
1624 smtp_transport_options_block *ob = v_ob;
1625 int rc;
1626 const char *error;
1627 exim_gnutls_state_st *state = NULL;
1628 #ifdef EXPERIMENTAL_OCSP
1629 BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
1630 NULL, host->name, host->address, NULL) == OK;
1631 #endif
1632
1633 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
1634
1635 if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
1636 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
1637 ob->tls_require_ciphers, &state)) != OK)
1638 return rc;
1639
1640 {
1641 int dh_min_bits = ob->tls_dh_min_bits;
1642 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
1643 {
1644 DEBUG(D_tls)
1645 debug_printf("WARNING: tls_dh_min_bits far too low,"
1646 " clamping %d up to %d\n",
1647 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
1648 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
1649 }
1650
1651 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
1652 " acceptable bits to %d\n",
1653 dh_min_bits);
1654 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
1655 }
1656
1657 /* Stick to the old behaviour for compatibility if tls_verify_certificates is
1658 set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
1659 the specified host patterns if one of them is defined */
1660
1661 if (( state->exp_tls_verify_certificates
1662 && !ob->tls_verify_hosts
1663 && !ob->tls_try_verify_hosts
1664 )
1665 ||
1666 verify_check_host(&ob->tls_verify_hosts) == OK
1667 )
1668 {
1669 DEBUG(D_tls) debug_printf("TLS: server certificate verification required.\n");
1670 state->verify_requirement = VERIFY_REQUIRED;
1671 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1672 }
1673 else if (verify_check_host(&ob->tls_try_verify_hosts) == OK)
1674 {
1675 DEBUG(D_tls) debug_printf("TLS: server certificate verification optional.\n");
1676 state->verify_requirement = VERIFY_OPTIONAL;
1677 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1678 }
1679 else
1680 {
1681 DEBUG(D_tls) debug_printf("TLS: server certificate verification not required.\n");
1682 state->verify_requirement = VERIFY_NONE;
1683 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1684 }
1685
1686 #ifdef EXPERIMENTAL_OCSP /* since GnuTLS 3.1.3 */
1687 if (require_ocsp)
1688 {
1689 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
1690 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
1691 NULL, 0, NULL)) != OK)
1692 return tls_error(US"cert-status-req",
1693 gnutls_strerror(rc), state->host);
1694 }
1695 #endif
1696
1697 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)fd);
1698 state->fd_in = fd;
1699 state->fd_out = fd;
1700
1701 DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
1702 /* There doesn't seem to be a built-in timeout on connection. */
1703
1704 sigalrm_seen = FALSE;
1705 alarm(ob->command_timeout);
1706 do
1707 {
1708 rc = gnutls_handshake(state->session);
1709 } while ((rc == GNUTLS_E_AGAIN) ||
1710 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1711 alarm(0);
1712
1713 if (rc != GNUTLS_E_SUCCESS)
1714 return tls_error(US"gnutls_handshake",
1715 sigalrm_seen ? "timed out" : gnutls_strerror(rc), state->host);
1716
1717 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1718
1719 /* Verify late */
1720
1721 if (state->verify_requirement != VERIFY_NONE &&
1722 !verify_certificate(state, &error))
1723 return tls_error(US"certificate verification failed", error, state->host);
1724
1725 #ifdef EXPERIMENTAL_OCSP
1726 if (require_ocsp)
1727 {
1728 DEBUG(D_tls)
1729 {
1730 gnutls_datum_t stapling;
1731 gnutls_ocsp_resp_t resp;
1732 gnutls_datum_t printed;
1733 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
1734 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
1735 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
1736 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
1737 )
1738 {
1739 debug_printf("%.4096s", printed.data);
1740 gnutls_free(printed.data);
1741 }
1742 else
1743 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host);
1744 }
1745
1746 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
1747 return tls_error(US"certificate status check failed", NULL, state->host);
1748 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
1749 }
1750 #endif
1751
1752 /* Figure out peer DN, and if authenticated, etc. */
1753
1754 if ((rc = peer_status(state)) != OK)
1755 return rc;
1756
1757 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
1758
1759 extract_exim_vars_from_tls_state(state);
1760
1761 return OK;
1762 }
1763
1764
1765
1766
1767 /*************************************************
1768 * Close down a TLS session *
1769 *************************************************/
1770
1771 /* This is also called from within a delivery subprocess forked from the
1772 daemon, to shut down the TLS library, without actually doing a shutdown (which
1773 would tamper with the TLS session in the parent process).
1774
1775 Arguments: TRUE if gnutls_bye is to be called
1776 Returns: nothing
1777 */
1778
1779 void
1780 tls_close(BOOL is_server, BOOL shutdown)
1781 {
1782 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
1783
1784 if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
1785
1786 if (shutdown)
1787 {
1788 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
1789 gnutls_bye(state->session, GNUTLS_SHUT_WR);
1790 }
1791
1792 gnutls_deinit(state->session);
1793
1794 state->tlsp->active = -1;
1795 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1796
1797 if ((state_server.session == NULL) && (state_client.session == NULL))
1798 {
1799 gnutls_global_deinit();
1800 exim_gnutls_base_init_done = FALSE;
1801 }
1802
1803 }
1804
1805
1806
1807
1808 /*************************************************
1809 * TLS version of getc *
1810 *************************************************/
1811
1812 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
1813 it refills the buffer via the GnuTLS reading function.
1814 Only used by the server-side TLS.
1815
1816 This feeds DKIM and should be used for all message-body reads.
1817
1818 Arguments: none
1819 Returns: the next character or EOF
1820 */
1821
1822 int
1823 tls_getc(void)
1824 {
1825 exim_gnutls_state_st *state = &state_server;
1826 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
1827 {
1828 ssize_t inbytes;
1829
1830 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
1831 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
1832
1833 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1834 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
1835 ssl_xfer_buffer_size);
1836 alarm(0);
1837
1838 /* A zero-byte return appears to mean that the TLS session has been
1839 closed down, not that the socket itself has been closed down. Revert to
1840 non-TLS handling. */
1841
1842 if (inbytes == 0)
1843 {
1844 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
1845
1846 receive_getc = smtp_getc;
1847 receive_ungetc = smtp_ungetc;
1848 receive_feof = smtp_feof;
1849 receive_ferror = smtp_ferror;
1850 receive_smtp_buffered = smtp_buffered;
1851
1852 gnutls_deinit(state->session);
1853 state->session = NULL;
1854 state->tlsp->active = -1;
1855 state->tlsp->bits = 0;
1856 state->tlsp->certificate_verified = FALSE;
1857 tls_channelbinding_b64 = NULL;
1858 state->tlsp->cipher = NULL;
1859 state->tlsp->peercert = NULL;
1860 state->tlsp->peerdn = NULL;
1861
1862 return smtp_getc();
1863 }
1864
1865 /* Handle genuine errors */
1866
1867 else if (inbytes < 0)
1868 {
1869 record_io_error(state, (int) inbytes, US"recv", NULL);
1870 state->xfer_error = 1;
1871 return EOF;
1872 }
1873 #ifndef DISABLE_DKIM
1874 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
1875 #endif
1876 state->xfer_buffer_hwm = (int) inbytes;
1877 state->xfer_buffer_lwm = 0;
1878 }
1879
1880 /* Something in the buffer; return next uschar */
1881
1882 return state->xfer_buffer[state->xfer_buffer_lwm++];
1883 }
1884
1885
1886
1887
1888 /*************************************************
1889 * Read bytes from TLS channel *
1890 *************************************************/
1891
1892 /* This does not feed DKIM, so if the caller uses this for reading message body,
1893 then the caller must feed DKIM.
1894
1895 Arguments:
1896 buff buffer of data
1897 len size of buffer
1898
1899 Returns: the number of bytes read
1900 -1 after a failed read
1901 */
1902
1903 int
1904 tls_read(BOOL is_server, uschar *buff, size_t len)
1905 {
1906 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
1907 ssize_t inbytes;
1908
1909 if (len > INT_MAX)
1910 len = INT_MAX;
1911
1912 if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
1913 DEBUG(D_tls)
1914 debug_printf("*** PROBABLY A BUG *** " \
1915 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
1916 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
1917
1918 DEBUG(D_tls)
1919 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
1920 state->session, buff, len);
1921
1922 inbytes = gnutls_record_recv(state->session, buff, len);
1923 if (inbytes > 0) return inbytes;
1924 if (inbytes == 0)
1925 {
1926 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
1927 }
1928 else record_io_error(state, (int)inbytes, US"recv", NULL);
1929
1930 return -1;
1931 }
1932
1933
1934
1935
1936 /*************************************************
1937 * Write bytes down TLS channel *
1938 *************************************************/
1939
1940 /*
1941 Arguments:
1942 is_server channel specifier
1943 buff buffer of data
1944 len number of bytes
1945
1946 Returns: the number of bytes after a successful write,
1947 -1 after a failed write
1948 */
1949
1950 int
1951 tls_write(BOOL is_server, const uschar *buff, size_t len)
1952 {
1953 ssize_t outbytes;
1954 size_t left = len;
1955 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
1956
1957 DEBUG(D_tls) debug_printf("tls_do_write(%p, " SIZE_T_FMT ")\n", buff, left);
1958 while (left > 0)
1959 {
1960 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
1961 buff, left);
1962 outbytes = gnutls_record_send(state->session, buff, left);
1963
1964 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
1965 if (outbytes < 0)
1966 {
1967 record_io_error(state, outbytes, US"send", NULL);
1968 return -1;
1969 }
1970 if (outbytes == 0)
1971 {
1972 record_io_error(state, 0, US"send", US"TLS channel closed on write");
1973 return -1;
1974 }
1975
1976 left -= outbytes;
1977 buff += outbytes;
1978 }
1979
1980 if (len > INT_MAX)
1981 {
1982 DEBUG(D_tls)
1983 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
1984 len);
1985 len = INT_MAX;
1986 }
1987
1988 return (int) len;
1989 }
1990
1991
1992
1993
1994 /*************************************************
1995 * Random number generation *
1996 *************************************************/
1997
1998 /* Pseudo-random number generation. The result is not expected to be
1999 cryptographically strong but not so weak that someone will shoot themselves
2000 in the foot using it as a nonce in input in some email header scheme or
2001 whatever weirdness they'll twist this into. The result should handle fork()
2002 and avoid repeating sequences. OpenSSL handles that for us.
2003
2004 Arguments:
2005 max range maximum
2006 Returns a random number in range [0, max-1]
2007 */
2008
2009 #ifdef HAVE_GNUTLS_RND
2010 int
2011 vaguely_random_number(int max)
2012 {
2013 unsigned int r;
2014 int i, needed_len;
2015 uschar *p;
2016 uschar smallbuf[sizeof(r)];
2017
2018 if (max <= 1)
2019 return 0;
2020
2021 needed_len = sizeof(r);
2022 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
2023 * asked for a number less than 10. */
2024 for (r = max, i = 0; r; ++i)
2025 r >>= 1;
2026 i = (i + 7) / 8;
2027 if (i < needed_len)
2028 needed_len = i;
2029
2030 i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2031 if (i < 0)
2032 {
2033 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2034 return vaguely_random_number_fallback(max);
2035 }
2036 r = 0;
2037 for (p = smallbuf; needed_len; --needed_len, ++p)
2038 {
2039 r *= 256;
2040 r += *p;
2041 }
2042
2043 /* We don't particularly care about weighted results; if someone wants
2044 * smooth distribution and cares enough then they should submit a patch then. */
2045 return r % max;
2046 }
2047 #else /* HAVE_GNUTLS_RND */
2048 int
2049 vaguely_random_number(int max)
2050 {
2051 return vaguely_random_number_fallback(max);
2052 }
2053 #endif /* HAVE_GNUTLS_RND */
2054
2055
2056
2057
2058 /*************************************************
2059 * Let tls_require_ciphers be checked at startup *
2060 *************************************************/
2061
2062 /* The tls_require_ciphers option, if set, must be something which the
2063 library can parse.
2064
2065 Returns: NULL on success, or error message
2066 */
2067
2068 uschar *
2069 tls_validate_require_cipher(void)
2070 {
2071 int rc;
2072 uschar *expciphers = NULL;
2073 gnutls_priority_t priority_cache;
2074 const char *errpos;
2075
2076 #define validate_check_rc(Label) do { \
2077 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2078 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2079 #define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2080
2081 if (exim_gnutls_base_init_done)
2082 log_write(0, LOG_MAIN|LOG_PANIC,
2083 "already initialised GnuTLS, Exim developer bug");
2084
2085 #ifdef HAVE_GNUTLS_PKCS11
2086 if (!gnutls_allow_auto_pkcs11)
2087 {
2088 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2089 validate_check_rc(US"gnutls_pkcs11_init");
2090 }
2091 #endif
2092 rc = gnutls_global_init();
2093 validate_check_rc(US"gnutls_global_init()");
2094 exim_gnutls_base_init_done = TRUE;
2095
2096 if (!(tls_require_ciphers && *tls_require_ciphers))
2097 return_deinit(NULL);
2098
2099 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2100 return_deinit(US"failed to expand tls_require_ciphers");
2101
2102 if (!(expciphers && *expciphers))
2103 return_deinit(NULL);
2104
2105 DEBUG(D_tls)
2106 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2107
2108 rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2109 validate_check_rc(string_sprintf(
2110 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2111 expciphers, errpos - CS expciphers, errpos));
2112
2113 #undef return_deinit
2114 #undef validate_check_rc
2115 gnutls_global_deinit();
2116
2117 return NULL;
2118 }
2119
2120
2121
2122
2123 /*************************************************
2124 * Report the library versions. *
2125 *************************************************/
2126
2127 /* See a description in tls-openssl.c for an explanation of why this exists.
2128
2129 Arguments: a FILE* to print the results to
2130 Returns: nothing
2131 */
2132
2133 void
2134 tls_version_report(FILE *f)
2135 {
2136 fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2137 " Runtime: %s\n",
2138 LIBGNUTLS_VERSION,
2139 gnutls_check_version(NULL));
2140 }
2141
2142 /* vi: aw ai sw=2
2143 */
2144 /* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.