projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add GnuTLS version check
[exim.git] / src / src / tls-gnu.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2014 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Copyright (c) Phil Pennock 2012 */
9
10 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
11 one of the available supported implementations. This file is #included into
12 tls.c when USE_GNUTLS has been set.
13
14 The code herein is a revamp of GnuTLS integration using the current APIs; the
15 original tls-gnu.c was based on a patch which was contributed by Nikos
16 Mavroyanopoulos. The revamp is partially a rewrite, partially cut&paste as
17 appropriate.
18
19 APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20 which is not widely deployed by OS vendors. Will note issues below, which may
21 assist in updating the code in the future. Another sources of hints is
22 mod_gnutls for Apache (SNI callback registration and handling).
23
24 Keeping client and server variables more split than before and is currently
25 the norm, in anticipation of TLS in ACL callouts.
26
27 I wanted to switch to gnutls_certificate_set_verify_function() so that
28 certificate rejection could happen during handshake where it belongs, rather
29 than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30 (6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
31
32 (I wasn't looking for libraries quite that old, when updating to get rid of
33 compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34 require current GnuTLS, then we'll drop support for the ancient libraries).
35 */
36
37 #include <gnutls/gnutls.h>
38 /* needed for cert checks in verification and DN extraction: */
39 #include <gnutls/x509.h>
40 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41 #include <gnutls/crypto.h>
42 /* needed to disable PKCS11 autoload unless requested */
43 #if GNUTLS_VERSION_NUMBER >= 0x020c00
44 # include <gnutls/pkcs11.h>
45 #endif
46 #if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
47 # warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
48 # define DISABLE_OCSP
49 #endif
50
51 #ifndef DISABLE_OCSP
52 # include <gnutls/ocsp.h>
53 #endif
54
55 /* GnuTLS 2 vs 3
56
57 GnuTLS 3 only:
58 gnutls_global_set_audit_log_function()
59
60 Changes:
61 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
62 */
63
64 /* Local static variables for GnuTLS */
65
66 /* Values for verify_requirement */
67
68 enum peer_verify_requirement
69 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED
70 #ifdef EXPERIMENTAL_CERTNAMES
71 ,VERIFY_WITHHOST
72 #endif
73 };
74
75 /* This holds most state for server or client; with this, we can set up an
76 outbound TLS-enabled connection in an ACL callout, while not stomping all
77 over the TLS variables available for expansion.
78
79 Some of these correspond to variables in globals.c; those variables will
80 be set to point to content in one of these instances, as appropriate for
81 the stage of the process lifetime.
82
83 Not handled here: global tls_channelbinding_b64.
84 */
85
86 typedef struct exim_gnutls_state {
87 gnutls_session_t session;
88 gnutls_certificate_credentials_t x509_cred;
89 gnutls_priority_t priority_cache;
90 enum peer_verify_requirement verify_requirement;
91 int fd_in;
92 int fd_out;
93 BOOL peer_cert_verified;
94 BOOL trigger_sni_changes;
95 BOOL have_set_peerdn;
96 const struct host_item *host;
97 gnutls_x509_crt_t peercert;
98 uschar *peerdn;
99 uschar *ciphersuite;
100 uschar *received_sni;
101
102 const uschar *tls_certificate;
103 const uschar *tls_privatekey;
104 const uschar *tls_sni; /* client send only, not received */
105 const uschar *tls_verify_certificates;
106 const uschar *tls_crl;
107 const uschar *tls_require_ciphers;
108
109 uschar *exp_tls_certificate;
110 uschar *exp_tls_privatekey;
111 uschar *exp_tls_sni;
112 uschar *exp_tls_verify_certificates;
113 uschar *exp_tls_crl;
114 uschar *exp_tls_require_ciphers;
115 uschar *exp_tls_ocsp_file;
116 #ifdef EXPERIMENTAL_CERTNAMES
117 uschar *exp_tls_verify_cert_hostnames;
118 #endif
119
120 tls_support *tlsp; /* set in tls_init() */
121
122 uschar *xfer_buffer;
123 int xfer_buffer_lwm;
124 int xfer_buffer_hwm;
125 int xfer_eof;
126 int xfer_error;
127 } exim_gnutls_state_st;
128
129 static const exim_gnutls_state_st exim_gnutls_state_init = {
130 NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
131 NULL, NULL, NULL, NULL,
132 NULL, NULL, NULL, NULL, NULL, NULL,
133 NULL, NULL, NULL, NULL, NULL, NULL, NULL,
134 #ifdef EXPERIMENTAL_CERTNAMES
135 NULL,
136 #endif
137 NULL,
138 NULL, 0, 0, 0, 0,
139 };
140
141 /* Not only do we have our own APIs which don't pass around state, assuming
142 it's held in globals, GnuTLS doesn't appear to let us register callback data
143 for callbacks, or as part of the session, so we have to keep a "this is the
144 context we're currently dealing with" pointer and rely upon being
145 single-threaded to keep from processing data on an inbound TLS connection while
146 talking to another TLS connection for an outbound check. This does mean that
147 there's no way for heart-beats to be responded to, for the duration of the
148 second connection. */
149
150 static exim_gnutls_state_st state_server, state_client;
151
152 /* dh_params are initialised once within the lifetime of a process using TLS;
153 if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
154 don't want to repeat this. */
155
156 static gnutls_dh_params_t dh_server_params = NULL;
157
158 /* No idea how this value was chosen; preserving it. Default is 3600. */
159
160 static const int ssl_session_timeout = 200;
161
162 static const char * const exim_default_gnutls_priority = "NORMAL";
163
164 /* Guard library core initialisation */
165
166 static BOOL exim_gnutls_base_init_done = FALSE;
167
168
169 /* ------------------------------------------------------------------------ */
170 /* macros */
171
172 #define MAX_HOST_LEN 255
173
174 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
175 the library logging; a value less than 0 disables the calls to set up logging
176 callbacks. */
177 #ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
178 #define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
179 #endif
180
181 #ifndef EXIM_CLIENT_DH_MIN_BITS
182 #define EXIM_CLIENT_DH_MIN_BITS 1024
183 #endif
184
185 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
186 can ask for a bit-strength. Without that, we stick to the constant we had
187 before, for now. */
188 #ifndef EXIM_SERVER_DH_BITS_PRE2_12
189 #define EXIM_SERVER_DH_BITS_PRE2_12 1024
190 #endif
191
192 #define exim_gnutls_err_check(Label) do { \
193 if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)
194
195 #define expand_check_tlsvar(Varname) expand_check(state->Varname, US #Varname, &state->exp_##Varname)
196
197 #if GNUTLS_VERSION_NUMBER >= 0x020c00
198 # define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
199 # define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
200 # define HAVE_GNUTLS_RND
201 /* The security fix we provide with the gnutls_allow_auto_pkcs11 option
202 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
203 * isn't available sometimes, so this needs to become a conditional
204 * compilation; the sanest way to deal with this being a problem on
205 * older OSes is to block it in the Local/Makefile with this compiler
206 * definition */
207 # ifndef AVOID_GNUTLS_PKCS11
208 # define HAVE_GNUTLS_PKCS11
209 # endif /* AVOID_GNUTLS_PKCS11 */
210 #endif
211
212
213
214
215 /* ------------------------------------------------------------------------ */
216 /* Callback declarations */
217
218 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
219 static void exim_gnutls_logger_cb(int level, const char *message);
220 #endif
221
222 static int exim_sni_handling_cb(gnutls_session_t session);
223
224 #ifndef DISABLE_OCSP
225 static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
226 gnutls_datum_t * ocsp_response);
227 #endif
228
229
230
231 /* ------------------------------------------------------------------------ */
232 /* Static functions */
233
234 /*************************************************
235 * Handle TLS error *
236 *************************************************/
237
238 /* Called from lots of places when errors occur before actually starting to do
239 the TLS handshake, that is, while the session is still in clear. Always returns
240 DEFER for a server and FAIL for a client so that most calls can use "return
241 tls_error(...)" to do this processing and then give an appropriate return. A
242 single function is used for both server and client, because it is called from
243 some shared functions.
244
245 Argument:
246 prefix text to include in the logged error
247 msg additional error string (may be NULL)
248 usually obtained from gnutls_strerror()
249 host NULL if setting up a server;
250 the connected host if setting up a client
251
252 Returns: OK/DEFER/FAIL
253 */
254
255 static int
256 tls_error(const uschar *prefix, const char *msg, const host_item *host)
257 {
258 if (host)
259 {
260 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s)%s%s",
261 host->name, host->address, prefix, msg ? ": " : "", msg ? msg : "");
262 return FAIL;
263 }
264 else
265 {
266 uschar *conn_info = smtp_get_connection_info();
267 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
268 conn_info += 5;
269 log_write(0, LOG_MAIN, "TLS error on %s (%s)%s%s",
270 conn_info, prefix, msg ? ": " : "", msg ? msg : "");
271 return DEFER;
272 }
273 }
274
275
276
277
278 /*************************************************
279 * Deal with logging errors during I/O *
280 *************************************************/
281
282 /* We have to get the identity of the peer from saved data.
283
284 Argument:
285 state the current GnuTLS exim state container
286 rc the GnuTLS error code, or 0 if it's a local error
287 when text identifying read or write
288 text local error text when ec is 0
289
290 Returns: nothing
291 */
292
293 static void
294 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
295 {
296 const char *msg;
297
298 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
299 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
300 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
301 else
302 msg = gnutls_strerror(rc);
303
304 tls_error(when, msg, state->host);
305 }
306
307
308
309
310 /*************************************************
311 * Set various Exim expansion vars *
312 *************************************************/
313
314 #define exim_gnutls_cert_err(Label) \
315 do \
316 { \
317 if (rc != GNUTLS_E_SUCCESS) \
318 { \
319 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
320 (Label), gnutls_strerror(rc)); \
321 return rc; \
322 } \
323 } while (0)
324
325 static int
326 import_cert(const gnutls_datum * cert, gnutls_x509_crt_t * crtp)
327 {
328 int rc;
329
330 rc = gnutls_x509_crt_init(crtp);
331 exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
332
333 rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
334 exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
335
336 return rc;
337 }
338
339 #undef exim_gnutls_cert_err
340
341
342 /* We set various Exim global variables from the state, once a session has
343 been established. With TLS callouts, may need to change this to stack
344 variables, or just re-call it with the server state after client callout
345 has finished.
346
347 Make sure anything set here is unset in tls_getc().
348
349 Sets:
350 tls_active fd
351 tls_bits strength indicator
352 tls_certificate_verified bool indicator
353 tls_channelbinding_b64 for some SASL mechanisms
354 tls_cipher a string
355 tls_peercert pointer to library internal
356 tls_peerdn a string
357 tls_sni a (UTF-8) string
358 tls_ourcert pointer to library internal
359
360 Argument:
361 state the relevant exim_gnutls_state_st *
362 */
363
364 static void
365 extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
366 {
367 gnutls_cipher_algorithm_t cipher;
368 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
369 int old_pool;
370 int rc;
371 gnutls_datum_t channel;
372 #endif
373 tls_support * tlsp = state->tlsp;
374
375 tlsp->active = state->fd_out;
376
377 cipher = gnutls_cipher_get(state->session);
378 /* returns size in "bytes" */
379 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
380
381 tlsp->cipher = state->ciphersuite;
382
383 DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
384
385 tlsp->certificate_verified = state->peer_cert_verified;
386
387 /* note that tls_channelbinding_b64 is not saved to the spool file, since it's
388 only available for use for authenticators while this TLS session is running. */
389
390 tls_channelbinding_b64 = NULL;
391 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
392 channel.data = NULL;
393 channel.size = 0;
394 rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
395 if (rc) {
396 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
397 } else {
398 old_pool = store_pool;
399 store_pool = POOL_PERM;
400 tls_channelbinding_b64 = auth_b64encode(channel.data, (int)channel.size);
401 store_pool = old_pool;
402 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
403 }
404 #endif
405
406 /* peercert is set in peer_status() */
407 tlsp->peerdn = state->peerdn;
408 tlsp->sni = state->received_sni;
409
410 /* record our certificate */
411 {
412 const gnutls_datum * cert = gnutls_certificate_get_ours(state->session);
413 gnutls_x509_crt_t crt;
414
415 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
416 }
417 }
418
419
420
421
422 /*************************************************
423 * Setup up DH parameters *
424 *************************************************/
425
426 /* Generating the D-H parameters may take a long time. They only need to
427 be re-generated every so often, depending on security policy. What we do is to
428 keep these parameters in a file in the spool directory. If the file does not
429 exist, we generate them. This means that it is easy to cause a regeneration.
430
431 The new file is written as a temporary file and renamed, so that an incomplete
432 file is never present. If two processes both compute some new parameters, you
433 waste a bit of effort, but it doesn't seem worth messing around with locking to
434 prevent this.
435
436 Returns: OK/DEFER/FAIL
437 */
438
439 static int
440 init_server_dh(void)
441 {
442 int fd, rc;
443 unsigned int dh_bits;
444 gnutls_datum m;
445 uschar filename_buf[PATH_MAX];
446 uschar *filename = NULL;
447 size_t sz;
448 uschar *exp_tls_dhparam;
449 BOOL use_file_in_spool = FALSE;
450 BOOL use_fixed_file = FALSE;
451 host_item *host = NULL; /* dummy for macros */
452
453 DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
454
455 rc = gnutls_dh_params_init(&dh_server_params);
456 exim_gnutls_err_check(US"gnutls_dh_params_init");
457
458 m.data = NULL;
459 m.size = 0;
460
461 if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam))
462 return DEFER;
463
464 if (!exp_tls_dhparam)
465 {
466 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
467 m.data = US std_dh_prime_default();
468 m.size = Ustrlen(m.data);
469 }
470 else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
471 use_file_in_spool = TRUE;
472 else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
473 {
474 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
475 return OK;
476 }
477 else if (exp_tls_dhparam[0] != '/')
478 {
479 m.data = US std_dh_prime_named(exp_tls_dhparam);
480 if (m.data == NULL)
481 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL);
482 m.size = Ustrlen(m.data);
483 }
484 else
485 {
486 use_fixed_file = TRUE;
487 filename = exp_tls_dhparam;
488 }
489
490 if (m.data)
491 {
492 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
493 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
494 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
495 return OK;
496 }
497
498 #ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
499 /* If you change this constant, also change dh_param_fn_ext so that we can use a
500 different filename and ensure we have sufficient bits. */
501 dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
502 if (!dh_bits)
503 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL);
504 DEBUG(D_tls)
505 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
506 dh_bits);
507 #else
508 dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
509 DEBUG(D_tls)
510 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
511 dh_bits);
512 #endif
513
514 /* Some clients have hard-coded limits. */
515 if (dh_bits > tls_dh_max_bits)
516 {
517 DEBUG(D_tls)
518 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
519 tls_dh_max_bits);
520 dh_bits = tls_dh_max_bits;
521 }
522
523 if (use_file_in_spool)
524 {
525 if (!string_format(filename_buf, sizeof(filename_buf),
526 "%s/gnutls-params-%d", spool_directory, dh_bits))
527 return tls_error(US"overlong filename", NULL, NULL);
528 filename = filename_buf;
529 }
530
531 /* Open the cache file for reading and if successful, read it and set up the
532 parameters. */
533
534 fd = Uopen(filename, O_RDONLY, 0);
535 if (fd >= 0)
536 {
537 struct stat statbuf;
538 FILE *fp;
539 int saved_errno;
540
541 if (fstat(fd, &statbuf) < 0) /* EIO */
542 {
543 saved_errno = errno;
544 (void)close(fd);
545 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL);
546 }
547 if (!S_ISREG(statbuf.st_mode))
548 {
549 (void)close(fd);
550 return tls_error(US"TLS cache not a file", NULL, NULL);
551 }
552 fp = fdopen(fd, "rb");
553 if (!fp)
554 {
555 saved_errno = errno;
556 (void)close(fd);
557 return tls_error(US"fdopen(TLS cache stat fd) failed",
558 strerror(saved_errno), NULL);
559 }
560
561 m.size = statbuf.st_size;
562 m.data = malloc(m.size);
563 if (m.data == NULL)
564 {
565 fclose(fp);
566 return tls_error(US"malloc failed", strerror(errno), NULL);
567 }
568 sz = fread(m.data, m.size, 1, fp);
569 if (!sz)
570 {
571 saved_errno = errno;
572 fclose(fp);
573 free(m.data);
574 return tls_error(US"fread failed", strerror(saved_errno), NULL);
575 }
576 fclose(fp);
577
578 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
579 free(m.data);
580 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
581 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
582 }
583
584 /* If the file does not exist, fall through to compute new data and cache it.
585 If there was any other opening error, it is serious. */
586
587 else if (errno == ENOENT)
588 {
589 rc = -1;
590 DEBUG(D_tls)
591 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
592 }
593 else
594 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
595 NULL, NULL);
596
597 /* If ret < 0, either the cache file does not exist, or the data it contains
598 is not useful. One particular case of this is when upgrading from an older
599 release of Exim in which the data was stored in a different format. We don't
600 try to be clever and support both formats; we just regenerate new data in this
601 case. */
602
603 if (rc < 0)
604 {
605 uschar *temp_fn;
606 unsigned int dh_bits_gen = dh_bits;
607
608 if ((PATH_MAX - Ustrlen(filename)) < 10)
609 return tls_error(US"Filename too long to generate replacement",
610 CS filename, NULL);
611
612 temp_fn = string_copy(US "%s.XXXXXXX");
613 fd = mkstemp(CS temp_fn); /* modifies temp_fn */
614 if (fd < 0)
615 return tls_error(US"Unable to open temp file", strerror(errno), NULL);
616 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
617
618 /* GnuTLS overshoots!
619 * If we ask for 2236, we might get 2237 or more.
620 * But there's no way to ask GnuTLS how many bits there really are.
621 * We can ask how many bits were used in a TLS session, but that's it!
622 * The prime itself is hidden behind too much abstraction.
623 * So we ask for less, and proceed on a wing and a prayer.
624 * First attempt, subtracted 3 for 2233 and got 2240.
625 */
626 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
627 {
628 dh_bits_gen = dh_bits - 10;
629 DEBUG(D_tls)
630 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
631 dh_bits_gen);
632 }
633
634 DEBUG(D_tls)
635 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
636 dh_bits_gen);
637 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
638 exim_gnutls_err_check(US"gnutls_dh_params_generate2");
639
640 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
641 and I confirmed that a NULL call to get the size first is how the GnuTLS
642 sample apps handle this. */
643
644 sz = 0;
645 m.data = NULL;
646 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
647 m.data, &sz);
648 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
649 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3(NULL) sizing");
650 m.size = sz;
651 m.data = malloc(m.size);
652 if (m.data == NULL)
653 return tls_error(US"memory allocation failed", strerror(errno), NULL);
654 /* this will return a size 1 less than the allocation size above */
655 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
656 m.data, &sz);
657 if (rc != GNUTLS_E_SUCCESS)
658 {
659 free(m.data);
660 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3() real");
661 }
662 m.size = sz; /* shrink by 1, probably */
663
664 sz = write_to_fd_buf(fd, m.data, (size_t) m.size);
665 if (sz != m.size)
666 {
667 free(m.data);
668 return tls_error(US"TLS cache write D-H params failed",
669 strerror(errno), NULL);
670 }
671 free(m.data);
672 sz = write_to_fd_buf(fd, US"\n", 1);
673 if (sz != 1)
674 return tls_error(US"TLS cache write D-H params final newline failed",
675 strerror(errno), NULL);
676
677 rc = close(fd);
678 if (rc)
679 return tls_error(US"TLS cache write close() failed",
680 strerror(errno), NULL);
681
682 if (Urename(temp_fn, filename) < 0)
683 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
684 temp_fn, filename), strerror(errno), NULL);
685
686 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
687 }
688
689 DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
690 return OK;
691 }
692
693
694
695
696 /*************************************************
697 * Variables re-expanded post-SNI *
698 *************************************************/
699
700 /* Called from both server and client code, via tls_init(), and also from
701 the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
702
703 We can tell the two apart by state->received_sni being non-NULL in callback.
704
705 The callback should not call us unless state->trigger_sni_changes is true,
706 which we are responsible for setting on the first pass through.
707
708 Arguments:
709 state exim_gnutls_state_st *
710
711 Returns: OK/DEFER/FAIL
712 */
713
714 static int
715 tls_expand_session_files(exim_gnutls_state_st *state)
716 {
717 struct stat statbuf;
718 int rc;
719 const host_item *host = state->host; /* macro should be reconsidered? */
720 uschar *saved_tls_certificate = NULL;
721 uschar *saved_tls_privatekey = NULL;
722 uschar *saved_tls_verify_certificates = NULL;
723 uschar *saved_tls_crl = NULL;
724 int cert_count;
725
726 /* We check for tls_sni *before* expansion. */
727 if (!host) /* server */
728 {
729 if (!state->received_sni)
730 {
731 if (state->tls_certificate &&
732 (Ustrstr(state->tls_certificate, US"tls_sni") ||
733 Ustrstr(state->tls_certificate, US"tls_in_sni") ||
734 Ustrstr(state->tls_certificate, US"tls_out_sni")
735 ))
736 {
737 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
738 state->trigger_sni_changes = TRUE;
739 }
740 }
741 else
742 {
743 /* useful for debugging */
744 saved_tls_certificate = state->exp_tls_certificate;
745 saved_tls_privatekey = state->exp_tls_privatekey;
746 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
747 saved_tls_crl = state->exp_tls_crl;
748 }
749 }
750
751 rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
752 exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
753
754 /* remember: expand_check_tlsvar() is expand_check() but fiddling with
755 state members, assuming consistent naming; and expand_check() returns
756 false if expansion failed, unless expansion was forced to fail. */
757
758 /* check if we at least have a certificate, before doing expensive
759 D-H generation. */
760
761 if (!expand_check_tlsvar(tls_certificate))
762 return DEFER;
763
764 /* certificate is mandatory in server, optional in client */
765
766 if ((state->exp_tls_certificate == NULL) ||
767 (*state->exp_tls_certificate == '\0'))
768 {
769 if (!host)
770 return tls_error(US"no TLS server certificate is specified", NULL, NULL);
771 else
772 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
773 }
774
775 if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
776 return DEFER;
777
778 /* tls_privatekey is optional, defaulting to same file as certificate */
779
780 if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
781 {
782 state->tls_privatekey = state->tls_certificate;
783 state->exp_tls_privatekey = state->exp_tls_certificate;
784 }
785
786
787 if (state->exp_tls_certificate && *state->exp_tls_certificate)
788 {
789 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
790 state->exp_tls_certificate, state->exp_tls_privatekey);
791
792 if (state->received_sni)
793 {
794 if ((Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0) &&
795 (Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0))
796 {
797 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
798 }
799 else
800 {
801 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
802 }
803 }
804
805 rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
806 CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
807 GNUTLS_X509_FMT_PEM);
808 exim_gnutls_err_check(
809 string_sprintf("cert/key setup: cert=%s key=%s",
810 state->exp_tls_certificate, state->exp_tls_privatekey));
811 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
812 } /* tls_certificate */
813
814
815 /* Set the OCSP stapling server info */
816
817 #ifndef DISABLE_OCSP
818 if ( !host /* server */
819 && tls_ocsp_file
820 )
821 {
822 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
823 &state->exp_tls_ocsp_file))
824 return DEFER;
825
826 /* Use the full callback method for stapling just to get observability.
827 More efficient would be to read the file once only, if it never changed
828 (due to SNI). Would need restart on file update, or watch datestamp. */
829
830 gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
831 server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
832
833 DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", &state->exp_tls_ocsp_file);
834 }
835 #endif
836
837
838 /* Set the trusted CAs file if one is provided, and then add the CRL if one is
839 provided. Experiment shows that, if the certificate file is empty, an unhelpful
840 error message is provided. However, if we just refrain from setting anything up
841 in that case, certificate verification fails, which seems to be the correct
842 behaviour. */
843
844 if (state->tls_verify_certificates && *state->tls_verify_certificates)
845 {
846 if (!expand_check_tlsvar(tls_verify_certificates))
847 return DEFER;
848 if (state->tls_crl && *state->tls_crl)
849 if (!expand_check_tlsvar(tls_crl))
850 return DEFER;
851
852 if (!(state->exp_tls_verify_certificates &&
853 *state->exp_tls_verify_certificates))
854 {
855 DEBUG(D_tls)
856 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
857 /* With no tls_verify_certificates, we ignore tls_crl too */
858 return OK;
859 }
860 }
861 else
862 {
863 DEBUG(D_tls)
864 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
865 return OK;
866 }
867
868 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
869 {
870 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
871 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
872 strerror(errno));
873 return DEFER;
874 }
875
876 /* The test suite passes in /dev/null; we could check for that path explicitly,
877 but who knows if someone has some weird FIFO which always dumps some certs, or
878 other weirdness. The thing we really want to check is that it's not a
879 directory, since while OpenSSL supports that, GnuTLS does not.
880 So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
881 if (S_ISDIR(statbuf.st_mode))
882 {
883 DEBUG(D_tls)
884 debug_printf("verify certificates path is a dir: \"%s\"\n",
885 state->exp_tls_verify_certificates);
886 log_write(0, LOG_MAIN|LOG_PANIC,
887 "tls_verify_certificates \"%s\" is a directory",
888 state->exp_tls_verify_certificates);
889 return DEFER;
890 }
891
892 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
893 state->exp_tls_verify_certificates, statbuf.st_size);
894
895 if (statbuf.st_size == 0)
896 {
897 DEBUG(D_tls)
898 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
899 return OK;
900 }
901
902 cert_count = gnutls_certificate_set_x509_trust_file(state->x509_cred,
903 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
904 if (cert_count < 0)
905 {
906 rc = cert_count;
907 exim_gnutls_err_check(US"gnutls_certificate_set_x509_trust_file");
908 }
909 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
910
911 if (state->tls_crl && *state->tls_crl &&
912 state->exp_tls_crl && *state->exp_tls_crl)
913 {
914 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
915 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
916 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
917 if (cert_count < 0)
918 {
919 rc = cert_count;
920 exim_gnutls_err_check(US"gnutls_certificate_set_x509_crl_file");
921 }
922 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
923 }
924
925 return OK;
926 }
927
928
929
930
931 /*************************************************
932 * Set X.509 state variables *
933 *************************************************/
934
935 /* In GnuTLS, the registered cert/key are not replaced by a later
936 set of a cert/key, so for SNI support we need a whole new x509_cred
937 structure. Which means various other non-re-expanded pieces of state
938 need to be re-set in the new struct, so the setting logic is pulled
939 out to this.
940
941 Arguments:
942 state exim_gnutls_state_st *
943
944 Returns: OK/DEFER/FAIL
945 */
946
947 static int
948 tls_set_remaining_x509(exim_gnutls_state_st *state)
949 {
950 int rc;
951 const host_item *host = state->host; /* macro should be reconsidered? */
952
953 /* Create D-H parameters, or read them from the cache file. This function does
954 its own SMTP error messaging. This only happens for the server, TLS D-H ignores
955 client-side params. */
956
957 if (!state->host)
958 {
959 if (!dh_server_params)
960 {
961 rc = init_server_dh();
962 if (rc != OK) return rc;
963 }
964 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
965 }
966
967 /* Link the credentials to the session. */
968
969 rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
970 exim_gnutls_err_check(US"gnutls_credentials_set");
971
972 return OK;
973 }
974
975 /*************************************************
976 * Initialize for GnuTLS *
977 *************************************************/
978
979 /* Called from both server and client code. In the case of a server, errors
980 before actual TLS negotiation return DEFER.
981
982 Arguments:
983 host connected host, if client; NULL if server
984 certificate certificate file
985 privatekey private key file
986 sni TLS SNI to send, sometimes when client; else NULL
987 cas CA certs file
988 crl CRL file
989 require_ciphers tls_require_ciphers setting
990 caller_state returned state-info structure
991
992 Returns: OK/DEFER/FAIL
993 */
994
995 static int
996 tls_init(
997 const host_item *host,
998 const uschar *certificate,
999 const uschar *privatekey,
1000 const uschar *sni,
1001 const uschar *cas,
1002 const uschar *crl,
1003 const uschar *require_ciphers,
1004 exim_gnutls_state_st **caller_state)
1005 {
1006 exim_gnutls_state_st *state;
1007 int rc;
1008 size_t sz;
1009 const char *errpos;
1010 uschar *p;
1011 BOOL want_default_priorities;
1012
1013 if (!exim_gnutls_base_init_done)
1014 {
1015 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1016
1017 #ifdef HAVE_GNUTLS_PKCS11
1018 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1019 which loads modules from a config file, which sounds good and may be wanted
1020 by some sysadmin, but also means in common configurations that GNOME keyring
1021 environment variables are used and so breaks for users calling mailq.
1022 To prevent this, we init PKCS11 first, which is the documented approach. */
1023 if (!gnutls_allow_auto_pkcs11)
1024 {
1025 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
1026 exim_gnutls_err_check(US"gnutls_pkcs11_init");
1027 }
1028 #endif
1029
1030 rc = gnutls_global_init();
1031 exim_gnutls_err_check(US"gnutls_global_init");
1032
1033 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1034 DEBUG(D_tls)
1035 {
1036 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1037 /* arbitrarily chosen level; bump upto 9 for more */
1038 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
1039 }
1040 #endif
1041
1042 exim_gnutls_base_init_done = TRUE;
1043 }
1044
1045 if (host)
1046 {
1047 state = &state_client;
1048 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1049 state->tlsp = &tls_out;
1050 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1051 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1052 }
1053 else
1054 {
1055 state = &state_server;
1056 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1057 state->tlsp = &tls_in;
1058 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1059 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1060 }
1061 exim_gnutls_err_check(US"gnutls_init");
1062
1063 state->host = host;
1064
1065 state->tls_certificate = certificate;
1066 state->tls_privatekey = privatekey;
1067 state->tls_require_ciphers = require_ciphers;
1068 state->tls_sni = sni;
1069 state->tls_verify_certificates = cas;
1070 state->tls_crl = crl;
1071
1072 /* This handles the variables that might get re-expanded after TLS SNI;
1073 that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
1074
1075 DEBUG(D_tls)
1076 debug_printf("Expanding various TLS configuration options for session credentials.\n");
1077 rc = tls_expand_session_files(state);
1078 if (rc != OK) return rc;
1079
1080 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1081 requires a new structure afterwards. */
1082
1083 rc = tls_set_remaining_x509(state);
1084 if (rc != OK) return rc;
1085
1086 /* set SNI in client, only */
1087 if (host)
1088 {
1089 if (!expand_check(state->tlsp->sni, US"tls_out_sni", &state->exp_tls_sni))
1090 return DEFER;
1091 if (state->exp_tls_sni && *state->exp_tls_sni)
1092 {
1093 DEBUG(D_tls)
1094 debug_printf("Setting TLS client SNI to \"%s\"\n", state->exp_tls_sni);
1095 sz = Ustrlen(state->exp_tls_sni);
1096 rc = gnutls_server_name_set(state->session,
1097 GNUTLS_NAME_DNS, state->exp_tls_sni, sz);
1098 exim_gnutls_err_check(US"gnutls_server_name_set");
1099 }
1100 }
1101 else if (state->tls_sni)
1102 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1103 "have an SNI set for a client [%s]\n", state->tls_sni);
1104
1105 /* This is the priority string support,
1106 http://www.gnutls.org/manual/html_node/Priority-Strings.html
1107 and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1108 This was backwards incompatible, but means Exim no longer needs to track
1109 all algorithms and provide string forms for them. */
1110
1111 want_default_priorities = TRUE;
1112
1113 if (state->tls_require_ciphers && *state->tls_require_ciphers)
1114 {
1115 if (!expand_check_tlsvar(tls_require_ciphers))
1116 return DEFER;
1117 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
1118 {
1119 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1120 state->exp_tls_require_ciphers);
1121
1122 rc = gnutls_priority_init(&state->priority_cache,
1123 CS state->exp_tls_require_ciphers, &errpos);
1124 want_default_priorities = FALSE;
1125 p = state->exp_tls_require_ciphers;
1126 }
1127 }
1128 if (want_default_priorities)
1129 {
1130 DEBUG(D_tls)
1131 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1132 exim_default_gnutls_priority);
1133 rc = gnutls_priority_init(&state->priority_cache,
1134 exim_default_gnutls_priority, &errpos);
1135 p = US exim_default_gnutls_priority;
1136 }
1137
1138 exim_gnutls_err_check(string_sprintf(
1139 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1140 p, errpos - CS p, errpos));
1141
1142 rc = gnutls_priority_set(state->session, state->priority_cache);
1143 exim_gnutls_err_check(US"gnutls_priority_set");
1144
1145 gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1146
1147 /* Reduce security in favour of increased compatibility, if the admin
1148 decides to make that trade-off. */
1149 if (gnutls_compat_mode)
1150 {
1151 #if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1152 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1153 gnutls_session_enable_compatibility_mode(state->session);
1154 #else
1155 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1156 #endif
1157 }
1158
1159 *caller_state = state;
1160 return OK;
1161 }
1162
1163
1164
1165 /*************************************************
1166 * Extract peer information *
1167 *************************************************/
1168
1169 /* Called from both server and client code.
1170 Only this is allowed to set state->peerdn and state->have_set_peerdn
1171 and we use that to detect double-calls.
1172
1173 NOTE: the state blocks last while the TLS connection is up, which is fine
1174 for logging in the server side, but for the client side, we log after teardown
1175 in src/deliver.c. While the session is up, we can twist about states and
1176 repoint tls_* globals, but those variables used for logging or other variable
1177 expansion that happens _after_ delivery need to have a longer life-time.
1178
1179 So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1180 doing this more than once per generation of a state context. We set them in
1181 the state context, and repoint tls_* to them. After the state goes away, the
1182 tls_* copies of the pointers remain valid and client delivery logging is happy.
1183
1184 tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1185 don't apply.
1186
1187 Arguments:
1188 state exim_gnutls_state_st *
1189
1190 Returns: OK/DEFER/FAIL
1191 */
1192
1193 static int
1194 peer_status(exim_gnutls_state_st *state)
1195 {
1196 uschar cipherbuf[256];
1197 const gnutls_datum *cert_list;
1198 int old_pool, rc;
1199 unsigned int cert_list_size = 0;
1200 gnutls_protocol_t protocol;
1201 gnutls_cipher_algorithm_t cipher;
1202 gnutls_kx_algorithm_t kx;
1203 gnutls_mac_algorithm_t mac;
1204 gnutls_certificate_type_t ct;
1205 gnutls_x509_crt_t crt;
1206 uschar *p, *dn_buf;
1207 size_t sz;
1208
1209 if (state->have_set_peerdn)
1210 return OK;
1211 state->have_set_peerdn = TRUE;
1212
1213 state->peerdn = NULL;
1214
1215 /* tls_cipher */
1216 cipher = gnutls_cipher_get(state->session);
1217 protocol = gnutls_protocol_get_version(state->session);
1218 mac = gnutls_mac_get(state->session);
1219 kx = gnutls_kx_get(state->session);
1220
1221 string_format(cipherbuf, sizeof(cipherbuf),
1222 "%s:%s:%d",
1223 gnutls_protocol_get_name(protocol),
1224 gnutls_cipher_suite_get_name(kx, cipher, mac),
1225 (int) gnutls_cipher_get_key_size(cipher) * 8);
1226
1227 /* I don't see a way that spaces could occur, in the current GnuTLS
1228 code base, but it was a concern in the old code and perhaps older GnuTLS
1229 releases did return "TLS 1.0"; play it safe, just in case. */
1230 for (p = cipherbuf; *p != '\0'; ++p)
1231 if (isspace(*p))
1232 *p = '-';
1233 old_pool = store_pool;
1234 store_pool = POOL_PERM;
1235 state->ciphersuite = string_copy(cipherbuf);
1236 store_pool = old_pool;
1237 state->tlsp->cipher = state->ciphersuite;
1238
1239 /* tls_peerdn */
1240 cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
1241
1242 if (cert_list == NULL || cert_list_size == 0)
1243 {
1244 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1245 cert_list, cert_list_size);
1246 if (state->verify_requirement >= VERIFY_REQUIRED)
1247 return tls_error(US"certificate verification failed",
1248 "no certificate received from peer", state->host);
1249 return OK;
1250 }
1251
1252 ct = gnutls_certificate_type_get(state->session);
1253 if (ct != GNUTLS_CRT_X509)
1254 {
1255 const char *ctn = gnutls_certificate_type_get_name(ct);
1256 DEBUG(D_tls)
1257 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
1258 if (state->verify_requirement >= VERIFY_REQUIRED)
1259 return tls_error(US"certificate verification not possible, unhandled type",
1260 ctn, state->host);
1261 return OK;
1262 }
1263
1264 #define exim_gnutls_peer_err(Label) \
1265 do { \
1266 if (rc != GNUTLS_E_SUCCESS) \
1267 { \
1268 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1269 (Label), gnutls_strerror(rc)); \
1270 if (state->verify_requirement >= VERIFY_REQUIRED) \
1271 return tls_error((Label), gnutls_strerror(rc), state->host); \
1272 return OK; \
1273 } \
1274 } while (0)
1275
1276 rc = import_cert(&cert_list[0], &crt);
1277 exim_gnutls_peer_err(US"cert 0");
1278
1279 state->tlsp->peercert = state->peercert = crt;
1280
1281 sz = 0;
1282 rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1283 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
1284 {
1285 exim_gnutls_peer_err(US"getting size for cert DN failed");
1286 return FAIL; /* should not happen */
1287 }
1288 dn_buf = store_get_perm(sz);
1289 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1290 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
1291
1292 state->peerdn = dn_buf;
1293
1294 return OK;
1295 #undef exim_gnutls_peer_err
1296 }
1297
1298
1299
1300
1301 /*************************************************
1302 * Verify peer certificate *
1303 *************************************************/
1304
1305 /* Called from both server and client code.
1306 *Should* be using a callback registered with
1307 gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1308 the peer information, but that's too new for some OSes.
1309
1310 Arguments:
1311 state exim_gnutls_state_st *
1312 error where to put an error message
1313
1314 Returns:
1315 FALSE if the session should be rejected
1316 TRUE if the cert is okay or we just don't care
1317 */
1318
1319 static BOOL
1320 verify_certificate(exim_gnutls_state_st *state, const char **error)
1321 {
1322 int rc;
1323 unsigned int verify;
1324
1325 *error = NULL;
1326
1327 if ((rc = peer_status(state)) != OK)
1328 {
1329 verify = GNUTLS_CERT_INVALID;
1330 *error = "certificate not supplied";
1331 }
1332 else
1333 rc = gnutls_certificate_verify_peers2(state->session, &verify);
1334
1335 /* Handle the result of verification. INVALID seems to be set as well
1336 as REVOKED, but leave the test for both. */
1337
1338 if (rc < 0 ||
1339 verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
1340 )
1341 {
1342 state->peer_cert_verified = FALSE;
1343 if (!*error)
1344 *error = verify & GNUTLS_CERT_REVOKED
1345 ? "certificate revoked" : "certificate invalid";
1346
1347 DEBUG(D_tls)
1348 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
1349 *error, state->peerdn ? state->peerdn : US"<unset>");
1350
1351 if (state->verify_requirement >= VERIFY_REQUIRED)
1352 {
1353 gnutls_alert_send(state->session,
1354 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1355 return FALSE;
1356 }
1357 DEBUG(D_tls)
1358 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
1359 }
1360
1361 else
1362 {
1363 #ifdef EXPERIMENTAL_CERTNAMES
1364 if (state->verify_requirement == VERIFY_WITHHOST)
1365 {
1366 int sep = 0;
1367 uschar * list = state->exp_tls_verify_cert_hostnames;
1368 uschar * name;
1369 while (name = string_nextinlist(&list, &sep, NULL, 0))
1370 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
1371 break;
1372 if (!name)
1373 {
1374 DEBUG(D_tls)
1375 debug_printf("TLS certificate verification failed: cert name mismatch\n");
1376 gnutls_alert_send(state->session,
1377 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1378 return FALSE;
1379 }
1380 }
1381 #endif
1382 state->peer_cert_verified = TRUE;
1383 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
1384 state->peerdn ? state->peerdn : US"<unset>");
1385 }
1386
1387 state->tlsp->peerdn = state->peerdn;
1388
1389 return TRUE;
1390 }
1391
1392
1393
1394
1395 /* ------------------------------------------------------------------------ */
1396 /* Callbacks */
1397
1398 /* Logging function which can be registered with
1399 * gnutls_global_set_log_function()
1400 * gnutls_global_set_log_level() 0..9
1401 */
1402 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1403 static void
1404 exim_gnutls_logger_cb(int level, const char *message)
1405 {
1406 size_t len = strlen(message);
1407 if (len < 1)
1408 {
1409 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1410 return;
1411 }
1412 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1413 message[len-1] == '\n' ? "" : "\n");
1414 }
1415 #endif
1416
1417
1418 /* Called after client hello, should handle SNI work.
1419 This will always set tls_sni (state->received_sni) if available,
1420 and may trigger presenting different certificates,
1421 if state->trigger_sni_changes is TRUE.
1422
1423 Should be registered with
1424 gnutls_handshake_set_post_client_hello_function()
1425
1426 "This callback must return 0 on success or a gnutls error code to terminate the
1427 handshake.".
1428
1429 For inability to get SNI information, we return 0.
1430 We only return non-zero if re-setup failed.
1431 Only used for server-side TLS.
1432 */
1433
1434 static int
1435 exim_sni_handling_cb(gnutls_session_t session)
1436 {
1437 char sni_name[MAX_HOST_LEN];
1438 size_t data_len = MAX_HOST_LEN;
1439 exim_gnutls_state_st *state = &state_server;
1440 unsigned int sni_type;
1441 int rc, old_pool;
1442
1443 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
1444 if (rc != GNUTLS_E_SUCCESS)
1445 {
1446 DEBUG(D_tls) {
1447 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1448 debug_printf("TLS: no SNI presented in handshake.\n");
1449 else
1450 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1451 gnutls_strerror(rc), rc);
1452 };
1453 return 0;
1454 }
1455
1456 if (sni_type != GNUTLS_NAME_DNS)
1457 {
1458 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1459 return 0;
1460 }
1461
1462 /* We now have a UTF-8 string in sni_name */
1463 old_pool = store_pool;
1464 store_pool = POOL_PERM;
1465 state->received_sni = string_copyn(US sni_name, data_len);
1466 store_pool = old_pool;
1467
1468 /* We set this one now so that variable expansions below will work */
1469 state->tlsp->sni = state->received_sni;
1470
1471 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1472 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1473
1474 if (!state->trigger_sni_changes)
1475 return 0;
1476
1477 rc = tls_expand_session_files(state);
1478 if (rc != OK)
1479 {
1480 /* If the setup of certs/etc failed before handshake, TLS would not have
1481 been offered. The best we can do now is abort. */
1482 return GNUTLS_E_APPLICATION_ERROR_MIN;
1483 }
1484
1485 rc = tls_set_remaining_x509(state);
1486 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1487
1488 return 0;
1489 }
1490
1491
1492
1493 #ifndef DISABLE_OCSP
1494
1495 static int
1496 server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1497 gnutls_datum_t * ocsp_response)
1498 {
1499 int ret;
1500
1501 if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1502 {
1503 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
1504 (char *)ptr);
1505 tls_in.ocsp = OCSP_NOT_RESP;
1506 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1507 }
1508
1509 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1510 return 0;
1511 }
1512
1513 #endif
1514
1515
1516
1517
1518
1519 /* ------------------------------------------------------------------------ */
1520 /* Exported functions */
1521
1522
1523
1524
1525 /*************************************************
1526 * Start a TLS session in a server *
1527 *************************************************/
1528
1529 /* This is called when Exim is running as a server, after having received
1530 the STARTTLS command. It must respond to that command, and then negotiate
1531 a TLS session.
1532
1533 Arguments:
1534 require_ciphers list of allowed ciphers or NULL
1535
1536 Returns: OK on success
1537 DEFER for errors before the start of the negotiation
1538 FAIL for errors during the negotation; the server can't
1539 continue running.
1540 */
1541
1542 int
1543 tls_server_start(const uschar *require_ciphers)
1544 {
1545 int rc;
1546 const char *error;
1547 exim_gnutls_state_st *state = NULL;
1548
1549 /* Check for previous activation */
1550 if (tls_in.active >= 0)
1551 {
1552 tls_error(US"STARTTLS received after TLS started", "", NULL);
1553 smtp_printf("554 Already in TLS\r\n");
1554 return FAIL;
1555 }
1556
1557 /* Initialize the library. If it fails, it will already have logged the error
1558 and sent an SMTP response. */
1559
1560 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
1561
1562 rc = tls_init(NULL, tls_certificate, tls_privatekey,
1563 NULL, tls_verify_certificates, tls_crl,
1564 require_ciphers, &state);
1565 if (rc != OK) return rc;
1566
1567 /* If this is a host for which certificate verification is mandatory or
1568 optional, set up appropriately. */
1569
1570 if (verify_check_host(&tls_verify_hosts) == OK)
1571 {
1572 DEBUG(D_tls)
1573 debug_printf("TLS: a client certificate will be required.\n");
1574 state->verify_requirement = VERIFY_REQUIRED;
1575 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1576 }
1577 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1578 {
1579 DEBUG(D_tls)
1580 debug_printf("TLS: a client certificate will be requested but not required.\n");
1581 state->verify_requirement = VERIFY_OPTIONAL;
1582 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1583 }
1584 else
1585 {
1586 DEBUG(D_tls)
1587 debug_printf("TLS: a client certificate will not be requested.\n");
1588 state->verify_requirement = VERIFY_NONE;
1589 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1590 }
1591
1592 /* Register SNI handling; always, even if not in tls_certificate, so that the
1593 expansion variable $tls_sni is always available. */
1594
1595 gnutls_handshake_set_post_client_hello_function(state->session,
1596 exim_sni_handling_cb);
1597
1598 /* Set context and tell client to go ahead, except in the case of TLS startup
1599 on connection, where outputting anything now upsets the clients and tends to
1600 make them disconnect. We need to have an explicit fflush() here, to force out
1601 the response. Other smtp_printf() calls do not need it, because in non-TLS
1602 mode, the fflush() happens when smtp_getc() is called. */
1603
1604 if (!state->tlsp->on_connect)
1605 {
1606 smtp_printf("220 TLS go ahead\r\n");
1607 fflush(smtp_out);
1608 }
1609
1610 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1611 that the GnuTLS library doesn't. */
1612
1613 gnutls_transport_set_ptr2(state->session,
1614 (gnutls_transport_ptr)(long) fileno(smtp_in),
1615 (gnutls_transport_ptr)(long) fileno(smtp_out));
1616 state->fd_in = fileno(smtp_in);
1617 state->fd_out = fileno(smtp_out);
1618
1619 sigalrm_seen = FALSE;
1620 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1621 do
1622 {
1623 rc = gnutls_handshake(state->session);
1624 } while ((rc == GNUTLS_E_AGAIN) ||
1625 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1626 alarm(0);
1627
1628 if (rc != GNUTLS_E_SUCCESS)
1629 {
1630 tls_error(US"gnutls_handshake",
1631 sigalrm_seen ? "timed out" : gnutls_strerror(rc), NULL);
1632 /* It seems that, except in the case of a timeout, we have to close the
1633 connection right here; otherwise if the other end is running OpenSSL it hangs
1634 until the server times out. */
1635
1636 if (!sigalrm_seen)
1637 {
1638 (void)fclose(smtp_out);
1639 (void)fclose(smtp_in);
1640 }
1641
1642 return FAIL;
1643 }
1644
1645 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1646
1647 /* Verify after the fact */
1648
1649 if ( state->verify_requirement != VERIFY_NONE
1650 && !verify_certificate(state, &error))
1651 {
1652 if (state->verify_requirement != VERIFY_OPTIONAL)
1653 {
1654 tls_error(US"certificate verification failed", error, NULL);
1655 return FAIL;
1656 }
1657 DEBUG(D_tls)
1658 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
1659 error);
1660 }
1661
1662 /* Figure out peer DN, and if authenticated, etc. */
1663
1664 rc = peer_status(state);
1665 if (rc != OK) return rc;
1666
1667 /* Sets various Exim expansion variables; always safe within server */
1668
1669 extract_exim_vars_from_tls_state(state);
1670
1671 /* TLS has been set up. Adjust the input functions to read via TLS,
1672 and initialize appropriately. */
1673
1674 state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1675
1676 receive_getc = tls_getc;
1677 receive_ungetc = tls_ungetc;
1678 receive_feof = tls_feof;
1679 receive_ferror = tls_ferror;
1680 receive_smtp_buffered = tls_smtp_buffered;
1681
1682 return OK;
1683 }
1684
1685
1686
1687
1688 /*************************************************
1689 * Start a TLS session in a client *
1690 *************************************************/
1691
1692 /* Called from the smtp transport after STARTTLS has been accepted.
1693
1694 Arguments:
1695 fd the fd of the connection
1696 host connected host (for messages)
1697 addr the first address (not used)
1698 ob smtp transport options
1699
1700 Returns: OK/DEFER/FAIL (because using common functions),
1701 but for a client, DEFER and FAIL have the same meaning
1702 */
1703
1704 int
1705 tls_client_start(int fd, host_item *host,
1706 address_item *addr ARG_UNUSED,
1707 void *v_ob)
1708 {
1709 smtp_transport_options_block *ob = v_ob;
1710 int rc;
1711 const char *error;
1712 exim_gnutls_state_st *state = NULL;
1713 #ifndef DISABLE_OCSP
1714 BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
1715 NULL, host->name, host->address, NULL) == OK;
1716 BOOL request_ocsp = require_ocsp ? TRUE
1717 : verify_check_this_host(&ob->hosts_request_ocsp,
1718 NULL, host->name, host->address, NULL) == OK;
1719 #endif
1720
1721 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
1722
1723 if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
1724 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
1725 ob->tls_require_ciphers, &state)) != OK)
1726 return rc;
1727
1728 {
1729 int dh_min_bits = ob->tls_dh_min_bits;
1730 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
1731 {
1732 DEBUG(D_tls)
1733 debug_printf("WARNING: tls_dh_min_bits far too low,"
1734 " clamping %d up to %d\n",
1735 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
1736 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
1737 }
1738
1739 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
1740 " acceptable bits to %d\n",
1741 dh_min_bits);
1742 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
1743 }
1744
1745 /* Stick to the old behaviour for compatibility if tls_verify_certificates is
1746 set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
1747 the specified host patterns if one of them is defined */
1748
1749 if (( state->exp_tls_verify_certificates
1750 && !ob->tls_verify_hosts
1751 && !ob->tls_try_verify_hosts
1752 )
1753 ||
1754 verify_check_host(&ob->tls_verify_hosts) == OK
1755 )
1756 {
1757 #ifdef EXPERIMENTAL_CERTNAMES
1758 if (ob->tls_verify_cert_hostnames)
1759 {
1760 DEBUG(D_tls)
1761 debug_printf("TLS: server cert incl. hostname verification required.\n");
1762 state->verify_requirement = VERIFY_WITHHOST;
1763 if (!expand_check(ob->tls_verify_cert_hostnames,
1764 US"tls_verify_cert_hostnames",
1765 &state->exp_tls_verify_cert_hostnames))
1766 return FAIL;
1767 if (state->exp_tls_verify_cert_hostnames)
1768 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
1769 state->exp_tls_verify_cert_hostnames);
1770 }
1771 else
1772 #endif
1773 {
1774 DEBUG(D_tls)
1775 debug_printf("TLS: server certificate verification required.\n");
1776 state->verify_requirement = VERIFY_REQUIRED;
1777 }
1778 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1779 }
1780 else if (verify_check_host(&ob->tls_try_verify_hosts) == OK)
1781 {
1782 DEBUG(D_tls)
1783 debug_printf("TLS: server certificate verification optional.\n");
1784 state->verify_requirement = VERIFY_OPTIONAL;
1785 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1786 }
1787 else
1788 {
1789 DEBUG(D_tls)
1790 debug_printf("TLS: server certificate verification not required.\n");
1791 state->verify_requirement = VERIFY_NONE;
1792 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1793 }
1794
1795 #ifndef DISABLE_OCSP
1796 /* supported since GnuTLS 3.1.3 */
1797 if (request_ocsp)
1798 {
1799 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
1800 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
1801 NULL, 0, NULL)) != OK)
1802 return tls_error(US"cert-status-req",
1803 gnutls_strerror(rc), state->host);
1804 tls_out.ocsp = OCSP_NOT_RESP;
1805 }
1806 #endif
1807
1808 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)(long) fd);
1809 state->fd_in = fd;
1810 state->fd_out = fd;
1811
1812 DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
1813 /* There doesn't seem to be a built-in timeout on connection. */
1814
1815 sigalrm_seen = FALSE;
1816 alarm(ob->command_timeout);
1817 do
1818 {
1819 rc = gnutls_handshake(state->session);
1820 } while ((rc == GNUTLS_E_AGAIN) ||
1821 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1822 alarm(0);
1823
1824 if (rc != GNUTLS_E_SUCCESS)
1825 return tls_error(US"gnutls_handshake",
1826 sigalrm_seen ? "timed out" : gnutls_strerror(rc), state->host);
1827
1828 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1829
1830 /* Verify late */
1831
1832 if (state->verify_requirement != VERIFY_NONE &&
1833 !verify_certificate(state, &error))
1834 return tls_error(US"certificate verification failed", error, state->host);
1835
1836 #ifndef DISABLE_OCSP
1837 if (require_ocsp)
1838 {
1839 DEBUG(D_tls)
1840 {
1841 gnutls_datum_t stapling;
1842 gnutls_ocsp_resp_t resp;
1843 gnutls_datum_t printed;
1844 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
1845 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
1846 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
1847 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
1848 )
1849 {
1850 debug_printf("%.4096s", printed.data);
1851 gnutls_free(printed.data);
1852 }
1853 else
1854 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host);
1855 }
1856
1857 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
1858 {
1859 tls_out.ocsp = OCSP_FAILED;
1860 return tls_error(US"certificate status check failed", NULL, state->host);
1861 }
1862 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
1863 tls_out.ocsp = OCSP_VFIED;
1864 }
1865 #endif
1866
1867 /* Figure out peer DN, and if authenticated, etc. */
1868
1869 if ((rc = peer_status(state)) != OK)
1870 return rc;
1871
1872 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
1873
1874 extract_exim_vars_from_tls_state(state);
1875
1876 return OK;
1877 }
1878
1879
1880
1881
1882 /*************************************************
1883 * Close down a TLS session *
1884 *************************************************/
1885
1886 /* This is also called from within a delivery subprocess forked from the
1887 daemon, to shut down the TLS library, without actually doing a shutdown (which
1888 would tamper with the TLS session in the parent process).
1889
1890 Arguments: TRUE if gnutls_bye is to be called
1891 Returns: nothing
1892 */
1893
1894 void
1895 tls_close(BOOL is_server, BOOL shutdown)
1896 {
1897 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
1898
1899 if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
1900
1901 if (shutdown)
1902 {
1903 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
1904 gnutls_bye(state->session, GNUTLS_SHUT_WR);
1905 }
1906
1907 gnutls_deinit(state->session);
1908
1909 state->tlsp->active = -1;
1910 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1911
1912 if ((state_server.session == NULL) && (state_client.session == NULL))
1913 {
1914 gnutls_global_deinit();
1915 exim_gnutls_base_init_done = FALSE;
1916 }
1917
1918 }
1919
1920
1921
1922
1923 /*************************************************
1924 * TLS version of getc *
1925 *************************************************/
1926
1927 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
1928 it refills the buffer via the GnuTLS reading function.
1929 Only used by the server-side TLS.
1930
1931 This feeds DKIM and should be used for all message-body reads.
1932
1933 Arguments: none
1934 Returns: the next character or EOF
1935 */
1936
1937 int
1938 tls_getc(void)
1939 {
1940 exim_gnutls_state_st *state = &state_server;
1941 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
1942 {
1943 ssize_t inbytes;
1944
1945 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
1946 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
1947
1948 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1949 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
1950 ssl_xfer_buffer_size);
1951 alarm(0);
1952
1953 /* A zero-byte return appears to mean that the TLS session has been
1954 closed down, not that the socket itself has been closed down. Revert to
1955 non-TLS handling. */
1956
1957 if (inbytes == 0)
1958 {
1959 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
1960
1961 receive_getc = smtp_getc;
1962 receive_ungetc = smtp_ungetc;
1963 receive_feof = smtp_feof;
1964 receive_ferror = smtp_ferror;
1965 receive_smtp_buffered = smtp_buffered;
1966
1967 gnutls_deinit(state->session);
1968 state->session = NULL;
1969 state->tlsp->active = -1;
1970 state->tlsp->bits = 0;
1971 state->tlsp->certificate_verified = FALSE;
1972 tls_channelbinding_b64 = NULL;
1973 state->tlsp->cipher = NULL;
1974 state->tlsp->peercert = NULL;
1975 state->tlsp->peerdn = NULL;
1976
1977 return smtp_getc();
1978 }
1979
1980 /* Handle genuine errors */
1981
1982 else if (inbytes < 0)
1983 {
1984 record_io_error(state, (int) inbytes, US"recv", NULL);
1985 state->xfer_error = 1;
1986 return EOF;
1987 }
1988 #ifndef DISABLE_DKIM
1989 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
1990 #endif
1991 state->xfer_buffer_hwm = (int) inbytes;
1992 state->xfer_buffer_lwm = 0;
1993 }
1994
1995 /* Something in the buffer; return next uschar */
1996
1997 return state->xfer_buffer[state->xfer_buffer_lwm++];
1998 }
1999
2000
2001
2002
2003 /*************************************************
2004 * Read bytes from TLS channel *
2005 *************************************************/
2006
2007 /* This does not feed DKIM, so if the caller uses this for reading message body,
2008 then the caller must feed DKIM.
2009
2010 Arguments:
2011 buff buffer of data
2012 len size of buffer
2013
2014 Returns: the number of bytes read
2015 -1 after a failed read
2016 */
2017
2018 int
2019 tls_read(BOOL is_server, uschar *buff, size_t len)
2020 {
2021 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
2022 ssize_t inbytes;
2023
2024 if (len > INT_MAX)
2025 len = INT_MAX;
2026
2027 if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
2028 DEBUG(D_tls)
2029 debug_printf("*** PROBABLY A BUG *** " \
2030 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
2031 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
2032
2033 DEBUG(D_tls)
2034 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
2035 state->session, buff, len);
2036
2037 inbytes = gnutls_record_recv(state->session, buff, len);
2038 if (inbytes > 0) return inbytes;
2039 if (inbytes == 0)
2040 {
2041 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2042 }
2043 else record_io_error(state, (int)inbytes, US"recv", NULL);
2044
2045 return -1;
2046 }
2047
2048
2049
2050
2051 /*************************************************
2052 * Write bytes down TLS channel *
2053 *************************************************/
2054
2055 /*
2056 Arguments:
2057 is_server channel specifier
2058 buff buffer of data
2059 len number of bytes
2060
2061 Returns: the number of bytes after a successful write,
2062 -1 after a failed write
2063 */
2064
2065 int
2066 tls_write(BOOL is_server, const uschar *buff, size_t len)
2067 {
2068 ssize_t outbytes;
2069 size_t left = len;
2070 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
2071
2072 DEBUG(D_tls) debug_printf("tls_do_write(%p, " SIZE_T_FMT ")\n", buff, left);
2073 while (left > 0)
2074 {
2075 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
2076 buff, left);
2077 outbytes = gnutls_record_send(state->session, buff, left);
2078
2079 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
2080 if (outbytes < 0)
2081 {
2082 record_io_error(state, outbytes, US"send", NULL);
2083 return -1;
2084 }
2085 if (outbytes == 0)
2086 {
2087 record_io_error(state, 0, US"send", US"TLS channel closed on write");
2088 return -1;
2089 }
2090
2091 left -= outbytes;
2092 buff += outbytes;
2093 }
2094
2095 if (len > INT_MAX)
2096 {
2097 DEBUG(D_tls)
2098 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
2099 len);
2100 len = INT_MAX;
2101 }
2102
2103 return (int) len;
2104 }
2105
2106
2107
2108
2109 /*************************************************
2110 * Random number generation *
2111 *************************************************/
2112
2113 /* Pseudo-random number generation. The result is not expected to be
2114 cryptographically strong but not so weak that someone will shoot themselves
2115 in the foot using it as a nonce in input in some email header scheme or
2116 whatever weirdness they'll twist this into. The result should handle fork()
2117 and avoid repeating sequences. OpenSSL handles that for us.
2118
2119 Arguments:
2120 max range maximum
2121 Returns a random number in range [0, max-1]
2122 */
2123
2124 #ifdef HAVE_GNUTLS_RND
2125 int
2126 vaguely_random_number(int max)
2127 {
2128 unsigned int r;
2129 int i, needed_len;
2130 uschar *p;
2131 uschar smallbuf[sizeof(r)];
2132
2133 if (max <= 1)
2134 return 0;
2135
2136 needed_len = sizeof(r);
2137 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
2138 * asked for a number less than 10. */
2139 for (r = max, i = 0; r; ++i)
2140 r >>= 1;
2141 i = (i + 7) / 8;
2142 if (i < needed_len)
2143 needed_len = i;
2144
2145 i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2146 if (i < 0)
2147 {
2148 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2149 return vaguely_random_number_fallback(max);
2150 }
2151 r = 0;
2152 for (p = smallbuf; needed_len; --needed_len, ++p)
2153 {
2154 r *= 256;
2155 r += *p;
2156 }
2157
2158 /* We don't particularly care about weighted results; if someone wants
2159 * smooth distribution and cares enough then they should submit a patch then. */
2160 return r % max;
2161 }
2162 #else /* HAVE_GNUTLS_RND */
2163 int
2164 vaguely_random_number(int max)
2165 {
2166 return vaguely_random_number_fallback(max);
2167 }
2168 #endif /* HAVE_GNUTLS_RND */
2169
2170
2171
2172
2173 /*************************************************
2174 * Let tls_require_ciphers be checked at startup *
2175 *************************************************/
2176
2177 /* The tls_require_ciphers option, if set, must be something which the
2178 library can parse.
2179
2180 Returns: NULL on success, or error message
2181 */
2182
2183 uschar *
2184 tls_validate_require_cipher(void)
2185 {
2186 int rc;
2187 uschar *expciphers = NULL;
2188 gnutls_priority_t priority_cache;
2189 const char *errpos;
2190
2191 #define validate_check_rc(Label) do { \
2192 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2193 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2194 #define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2195
2196 if (exim_gnutls_base_init_done)
2197 log_write(0, LOG_MAIN|LOG_PANIC,
2198 "already initialised GnuTLS, Exim developer bug");
2199
2200 #ifdef HAVE_GNUTLS_PKCS11
2201 if (!gnutls_allow_auto_pkcs11)
2202 {
2203 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2204 validate_check_rc(US"gnutls_pkcs11_init");
2205 }
2206 #endif
2207 rc = gnutls_global_init();
2208 validate_check_rc(US"gnutls_global_init()");
2209 exim_gnutls_base_init_done = TRUE;
2210
2211 if (!(tls_require_ciphers && *tls_require_ciphers))
2212 return_deinit(NULL);
2213
2214 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2215 return_deinit(US"failed to expand tls_require_ciphers");
2216
2217 if (!(expciphers && *expciphers))
2218 return_deinit(NULL);
2219
2220 DEBUG(D_tls)
2221 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2222
2223 rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2224 validate_check_rc(string_sprintf(
2225 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2226 expciphers, errpos - CS expciphers, errpos));
2227
2228 #undef return_deinit
2229 #undef validate_check_rc
2230 gnutls_global_deinit();
2231
2232 return NULL;
2233 }
2234
2235
2236
2237
2238 /*************************************************
2239 * Report the library versions. *
2240 *************************************************/
2241
2242 /* See a description in tls-openssl.c for an explanation of why this exists.
2243
2244 Arguments: a FILE* to print the results to
2245 Returns: nothing
2246 */
2247
2248 void
2249 tls_version_report(FILE *f)
2250 {
2251 fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2252 " Runtime: %s\n",
2253 LIBGNUTLS_VERSION,
2254 gnutls_check_version(NULL));
2255 }
2256
2257 /* vi: aw ai sw=2
2258 */
2259 /* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.