projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
DANE: fix build under GnuTLS to properly fail. Bug 1812
[exim.git] / src / src / tls-gnu.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2015 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Copyright (c) Phil Pennock 2012 */
9
10 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
11 one of the available supported implementations. This file is #included into
12 tls.c when USE_GNUTLS has been set.
13
14 The code herein is a revamp of GnuTLS integration using the current APIs; the
15 original tls-gnu.c was based on a patch which was contributed by Nikos
16 Mavroyanopoulos. The revamp is partially a rewrite, partially cut&paste as
17 appropriate.
18
19 APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20 which is not widely deployed by OS vendors. Will note issues below, which may
21 assist in updating the code in the future. Another sources of hints is
22 mod_gnutls for Apache (SNI callback registration and handling).
23
24 Keeping client and server variables more split than before and is currently
25 the norm, in anticipation of TLS in ACL callouts.
26
27 I wanted to switch to gnutls_certificate_set_verify_function() so that
28 certificate rejection could happen during handshake where it belongs, rather
29 than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30 (6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
31
32 (I wasn't looking for libraries quite that old, when updating to get rid of
33 compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34 require current GnuTLS, then we'll drop support for the ancient libraries).
35 */
36
37 #include <gnutls/gnutls.h>
38 /* needed for cert checks in verification and DN extraction: */
39 #include <gnutls/x509.h>
40 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41 #include <gnutls/crypto.h>
42 /* needed to disable PKCS11 autoload unless requested */
43 #if GNUTLS_VERSION_NUMBER >= 0x020c00
44 # include <gnutls/pkcs11.h>
45 #endif
46 #if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
47 # warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
48 # define DISABLE_OCSP
49 #endif
50 #if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
51 # warning "GnuTLS library version too old; tls:cert event unsupported"
52 # define DISABLE_EVENT
53 #endif
54 #if GNUTLS_VERSION_NUMBER >= 0x030306
55 # define SUPPORT_CA_DIR
56 #else
57 # undef SUPPORT_CA_DIR
58 #endif
59 #if GNUTLS_VERSION_NUMBER >= 0x030014
60 # define SUPPORT_SYSDEFAULT_CABUNDLE
61 #endif
62
63 #ifndef DISABLE_OCSP
64 # include <gnutls/ocsp.h>
65 #endif
66
67 /* GnuTLS 2 vs 3
68
69 GnuTLS 3 only:
70 gnutls_global_set_audit_log_function()
71
72 Changes:
73 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
74 */
75
76 /* Local static variables for GnuTLS */
77
78 /* Values for verify_requirement */
79
80 enum peer_verify_requirement
81 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
82
83 /* This holds most state for server or client; with this, we can set up an
84 outbound TLS-enabled connection in an ACL callout, while not stomping all
85 over the TLS variables available for expansion.
86
87 Some of these correspond to variables in globals.c; those variables will
88 be set to point to content in one of these instances, as appropriate for
89 the stage of the process lifetime.
90
91 Not handled here: global tls_channelbinding_b64.
92 */
93
94 typedef struct exim_gnutls_state {
95 gnutls_session_t session;
96 gnutls_certificate_credentials_t x509_cred;
97 gnutls_priority_t priority_cache;
98 enum peer_verify_requirement verify_requirement;
99 int fd_in;
100 int fd_out;
101 BOOL peer_cert_verified;
102 BOOL trigger_sni_changes;
103 BOOL have_set_peerdn;
104 const struct host_item *host;
105 gnutls_x509_crt_t peercert;
106 uschar *peerdn;
107 uschar *ciphersuite;
108 uschar *received_sni;
109
110 const uschar *tls_certificate;
111 const uschar *tls_privatekey;
112 const uschar *tls_sni; /* client send only, not received */
113 const uschar *tls_verify_certificates;
114 const uschar *tls_crl;
115 const uschar *tls_require_ciphers;
116
117 uschar *exp_tls_certificate;
118 uschar *exp_tls_privatekey;
119 uschar *exp_tls_verify_certificates;
120 uschar *exp_tls_crl;
121 uschar *exp_tls_require_ciphers;
122 uschar *exp_tls_ocsp_file;
123 const uschar *exp_tls_verify_cert_hostnames;
124 #ifndef DISABLE_EVENT
125 uschar *event_action;
126 #endif
127
128 tls_support *tlsp; /* set in tls_init() */
129
130 uschar *xfer_buffer;
131 int xfer_buffer_lwm;
132 int xfer_buffer_hwm;
133 int xfer_eof;
134 int xfer_error;
135 } exim_gnutls_state_st;
136
137 static const exim_gnutls_state_st exim_gnutls_state_init = {
138 NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
139 NULL, NULL, NULL, NULL,
140 NULL, NULL, NULL, NULL, NULL, NULL,
141 NULL, NULL, NULL, NULL, NULL, NULL, NULL,
142 NULL,
143 #ifndef DISABLE_EVENT
144 NULL,
145 #endif
146 NULL,
147 NULL, 0, 0, 0, 0,
148 };
149
150 /* Not only do we have our own APIs which don't pass around state, assuming
151 it's held in globals, GnuTLS doesn't appear to let us register callback data
152 for callbacks, or as part of the session, so we have to keep a "this is the
153 context we're currently dealing with" pointer and rely upon being
154 single-threaded to keep from processing data on an inbound TLS connection while
155 talking to another TLS connection for an outbound check. This does mean that
156 there's no way for heart-beats to be responded to, for the duration of the
157 second connection.
158 XXX But see gnutls_session_get_ptr()
159 */
160
161 static exim_gnutls_state_st state_server, state_client;
162
163 /* dh_params are initialised once within the lifetime of a process using TLS;
164 if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
165 don't want to repeat this. */
166
167 static gnutls_dh_params_t dh_server_params = NULL;
168
169 /* No idea how this value was chosen; preserving it. Default is 3600. */
170
171 static const int ssl_session_timeout = 200;
172
173 static const char * const exim_default_gnutls_priority = "NORMAL";
174
175 /* Guard library core initialisation */
176
177 static BOOL exim_gnutls_base_init_done = FALSE;
178
179 #ifndef DISABLE_OCSP
180 static BOOL gnutls_buggy_ocsp = FALSE;
181 #endif
182
183
184 /* ------------------------------------------------------------------------ */
185 /* macros */
186
187 #define MAX_HOST_LEN 255
188
189 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
190 the library logging; a value less than 0 disables the calls to set up logging
191 callbacks. */
192 #ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
193 # define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
194 #endif
195
196 #ifndef EXIM_CLIENT_DH_MIN_BITS
197 # define EXIM_CLIENT_DH_MIN_BITS 1024
198 #endif
199
200 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
201 can ask for a bit-strength. Without that, we stick to the constant we had
202 before, for now. */
203 #ifndef EXIM_SERVER_DH_BITS_PRE2_12
204 # define EXIM_SERVER_DH_BITS_PRE2_12 1024
205 #endif
206
207 #define exim_gnutls_err_check(Label) do { \
208 if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)
209
210 #define expand_check_tlsvar(Varname) expand_check(state->Varname, US #Varname, &state->exp_##Varname)
211
212 #if GNUTLS_VERSION_NUMBER >= 0x020c00
213 # define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
214 # define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
215 # define HAVE_GNUTLS_RND
216 /* The security fix we provide with the gnutls_allow_auto_pkcs11 option
217 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
218 * isn't available sometimes, so this needs to become a conditional
219 * compilation; the sanest way to deal with this being a problem on
220 * older OSes is to block it in the Local/Makefile with this compiler
221 * definition */
222 # ifndef AVOID_GNUTLS_PKCS11
223 # define HAVE_GNUTLS_PKCS11
224 # endif /* AVOID_GNUTLS_PKCS11 */
225 #endif
226
227
228
229
230 /* ------------------------------------------------------------------------ */
231 /* Callback declarations */
232
233 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
234 static void exim_gnutls_logger_cb(int level, const char *message);
235 #endif
236
237 static int exim_sni_handling_cb(gnutls_session_t session);
238
239 #ifndef DISABLE_OCSP
240 static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
241 gnutls_datum_t * ocsp_response);
242 #endif
243
244
245
246 /* ------------------------------------------------------------------------ */
247 /* Static functions */
248
249 /*************************************************
250 * Handle TLS error *
251 *************************************************/
252
253 /* Called from lots of places when errors occur before actually starting to do
254 the TLS handshake, that is, while the session is still in clear. Always returns
255 DEFER for a server and FAIL for a client so that most calls can use "return
256 tls_error(...)" to do this processing and then give an appropriate return. A
257 single function is used for both server and client, because it is called from
258 some shared functions.
259
260 Argument:
261 prefix text to include in the logged error
262 msg additional error string (may be NULL)
263 usually obtained from gnutls_strerror()
264 host NULL if setting up a server;
265 the connected host if setting up a client
266
267 Returns: OK/DEFER/FAIL
268 */
269
270 static int
271 tls_error(const uschar *prefix, const char *msg, const host_item *host)
272 {
273 if (host)
274 {
275 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s)%s%s",
276 host->name, host->address, prefix, msg ? ": " : "", msg ? msg : "");
277 return FAIL;
278 }
279 else
280 {
281 uschar *conn_info = smtp_get_connection_info();
282 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
283 conn_info += 5;
284 /* I'd like to get separated H= here, but too hard for now */
285 log_write(0, LOG_MAIN, "TLS error on %s (%s)%s%s",
286 conn_info, prefix, msg ? ": " : "", msg ? msg : "");
287 return DEFER;
288 }
289 }
290
291
292
293
294 /*************************************************
295 * Deal with logging errors during I/O *
296 *************************************************/
297
298 /* We have to get the identity of the peer from saved data.
299
300 Argument:
301 state the current GnuTLS exim state container
302 rc the GnuTLS error code, or 0 if it's a local error
303 when text identifying read or write
304 text local error text when ec is 0
305
306 Returns: nothing
307 */
308
309 static void
310 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
311 {
312 const char *msg;
313
314 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
315 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
316 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
317 else
318 msg = gnutls_strerror(rc);
319
320 tls_error(when, msg, state->host);
321 }
322
323
324
325
326 /*************************************************
327 * Set various Exim expansion vars *
328 *************************************************/
329
330 #define exim_gnutls_cert_err(Label) \
331 do \
332 { \
333 if (rc != GNUTLS_E_SUCCESS) \
334 { \
335 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
336 (Label), gnutls_strerror(rc)); \
337 return rc; \
338 } \
339 } while (0)
340
341 static int
342 import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
343 {
344 int rc;
345
346 rc = gnutls_x509_crt_init(crtp);
347 exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
348
349 rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
350 exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
351
352 return rc;
353 }
354
355 #undef exim_gnutls_cert_err
356
357
358 /* We set various Exim global variables from the state, once a session has
359 been established. With TLS callouts, may need to change this to stack
360 variables, or just re-call it with the server state after client callout
361 has finished.
362
363 Make sure anything set here is unset in tls_getc().
364
365 Sets:
366 tls_active fd
367 tls_bits strength indicator
368 tls_certificate_verified bool indicator
369 tls_channelbinding_b64 for some SASL mechanisms
370 tls_cipher a string
371 tls_peercert pointer to library internal
372 tls_peerdn a string
373 tls_sni a (UTF-8) string
374 tls_ourcert pointer to library internal
375
376 Argument:
377 state the relevant exim_gnutls_state_st *
378 */
379
380 static void
381 extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
382 {
383 gnutls_cipher_algorithm_t cipher;
384 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
385 int old_pool;
386 int rc;
387 gnutls_datum_t channel;
388 #endif
389 tls_support * tlsp = state->tlsp;
390
391 tlsp->active = state->fd_out;
392
393 cipher = gnutls_cipher_get(state->session);
394 /* returns size in "bytes" */
395 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
396
397 tlsp->cipher = state->ciphersuite;
398
399 DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
400
401 tlsp->certificate_verified = state->peer_cert_verified;
402
403 /* note that tls_channelbinding_b64 is not saved to the spool file, since it's
404 only available for use for authenticators while this TLS session is running. */
405
406 tls_channelbinding_b64 = NULL;
407 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
408 channel.data = NULL;
409 channel.size = 0;
410 rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
411 if (rc) {
412 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
413 } else {
414 old_pool = store_pool;
415 store_pool = POOL_PERM;
416 tls_channelbinding_b64 = b64encode(channel.data, (int)channel.size);
417 store_pool = old_pool;
418 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
419 }
420 #endif
421
422 /* peercert is set in peer_status() */
423 tlsp->peerdn = state->peerdn;
424 tlsp->sni = state->received_sni;
425
426 /* record our certificate */
427 {
428 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
429 gnutls_x509_crt_t crt;
430
431 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
432 }
433 }
434
435
436
437
438 /*************************************************
439 * Setup up DH parameters *
440 *************************************************/
441
442 /* Generating the D-H parameters may take a long time. They only need to
443 be re-generated every so often, depending on security policy. What we do is to
444 keep these parameters in a file in the spool directory. If the file does not
445 exist, we generate them. This means that it is easy to cause a regeneration.
446
447 The new file is written as a temporary file and renamed, so that an incomplete
448 file is never present. If two processes both compute some new parameters, you
449 waste a bit of effort, but it doesn't seem worth messing around with locking to
450 prevent this.
451
452 Returns: OK/DEFER/FAIL
453 */
454
455 static int
456 init_server_dh(void)
457 {
458 int fd, rc;
459 unsigned int dh_bits;
460 gnutls_datum_t m;
461 uschar filename_buf[PATH_MAX];
462 uschar *filename = NULL;
463 size_t sz;
464 uschar *exp_tls_dhparam;
465 BOOL use_file_in_spool = FALSE;
466 BOOL use_fixed_file = FALSE;
467 host_item *host = NULL; /* dummy for macros */
468
469 DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
470
471 rc = gnutls_dh_params_init(&dh_server_params);
472 exim_gnutls_err_check(US"gnutls_dh_params_init");
473
474 m.data = NULL;
475 m.size = 0;
476
477 if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam))
478 return DEFER;
479
480 if (!exp_tls_dhparam)
481 {
482 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
483 m.data = US std_dh_prime_default();
484 m.size = Ustrlen(m.data);
485 }
486 else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
487 use_file_in_spool = TRUE;
488 else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
489 {
490 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
491 return OK;
492 }
493 else if (exp_tls_dhparam[0] != '/')
494 {
495 m.data = US std_dh_prime_named(exp_tls_dhparam);
496 if (m.data == NULL)
497 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL);
498 m.size = Ustrlen(m.data);
499 }
500 else
501 {
502 use_fixed_file = TRUE;
503 filename = exp_tls_dhparam;
504 }
505
506 if (m.data)
507 {
508 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
509 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
510 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
511 return OK;
512 }
513
514 #ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
515 /* If you change this constant, also change dh_param_fn_ext so that we can use a
516 different filename and ensure we have sufficient bits. */
517 dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
518 if (!dh_bits)
519 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL);
520 DEBUG(D_tls)
521 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
522 dh_bits);
523 #else
524 dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
525 DEBUG(D_tls)
526 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
527 dh_bits);
528 #endif
529
530 /* Some clients have hard-coded limits. */
531 if (dh_bits > tls_dh_max_bits)
532 {
533 DEBUG(D_tls)
534 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
535 tls_dh_max_bits);
536 dh_bits = tls_dh_max_bits;
537 }
538
539 if (use_file_in_spool)
540 {
541 if (!string_format(filename_buf, sizeof(filename_buf),
542 "%s/gnutls-params-%d", spool_directory, dh_bits))
543 return tls_error(US"overlong filename", NULL, NULL);
544 filename = filename_buf;
545 }
546
547 /* Open the cache file for reading and if successful, read it and set up the
548 parameters. */
549
550 fd = Uopen(filename, O_RDONLY, 0);
551 if (fd >= 0)
552 {
553 struct stat statbuf;
554 FILE *fp;
555 int saved_errno;
556
557 if (fstat(fd, &statbuf) < 0) /* EIO */
558 {
559 saved_errno = errno;
560 (void)close(fd);
561 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL);
562 }
563 if (!S_ISREG(statbuf.st_mode))
564 {
565 (void)close(fd);
566 return tls_error(US"TLS cache not a file", NULL, NULL);
567 }
568 fp = fdopen(fd, "rb");
569 if (!fp)
570 {
571 saved_errno = errno;
572 (void)close(fd);
573 return tls_error(US"fdopen(TLS cache stat fd) failed",
574 strerror(saved_errno), NULL);
575 }
576
577 m.size = statbuf.st_size;
578 m.data = malloc(m.size);
579 if (m.data == NULL)
580 {
581 fclose(fp);
582 return tls_error(US"malloc failed", strerror(errno), NULL);
583 }
584 sz = fread(m.data, m.size, 1, fp);
585 if (!sz)
586 {
587 saved_errno = errno;
588 fclose(fp);
589 free(m.data);
590 return tls_error(US"fread failed", strerror(saved_errno), NULL);
591 }
592 fclose(fp);
593
594 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
595 free(m.data);
596 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
597 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
598 }
599
600 /* If the file does not exist, fall through to compute new data and cache it.
601 If there was any other opening error, it is serious. */
602
603 else if (errno == ENOENT)
604 {
605 rc = -1;
606 DEBUG(D_tls)
607 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
608 }
609 else
610 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
611 NULL, NULL);
612
613 /* If ret < 0, either the cache file does not exist, or the data it contains
614 is not useful. One particular case of this is when upgrading from an older
615 release of Exim in which the data was stored in a different format. We don't
616 try to be clever and support both formats; we just regenerate new data in this
617 case. */
618
619 if (rc < 0)
620 {
621 uschar *temp_fn;
622 unsigned int dh_bits_gen = dh_bits;
623
624 if ((PATH_MAX - Ustrlen(filename)) < 10)
625 return tls_error(US"Filename too long to generate replacement",
626 CS filename, NULL);
627
628 temp_fn = string_copy(US "%s.XXXXXXX");
629 fd = mkstemp(CS temp_fn); /* modifies temp_fn */
630 if (fd < 0)
631 return tls_error(US"Unable to open temp file", strerror(errno), NULL);
632 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
633
634 /* GnuTLS overshoots!
635 * If we ask for 2236, we might get 2237 or more.
636 * But there's no way to ask GnuTLS how many bits there really are.
637 * We can ask how many bits were used in a TLS session, but that's it!
638 * The prime itself is hidden behind too much abstraction.
639 * So we ask for less, and proceed on a wing and a prayer.
640 * First attempt, subtracted 3 for 2233 and got 2240.
641 */
642 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
643 {
644 dh_bits_gen = dh_bits - 10;
645 DEBUG(D_tls)
646 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
647 dh_bits_gen);
648 }
649
650 DEBUG(D_tls)
651 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
652 dh_bits_gen);
653 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
654 exim_gnutls_err_check(US"gnutls_dh_params_generate2");
655
656 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
657 and I confirmed that a NULL call to get the size first is how the GnuTLS
658 sample apps handle this. */
659
660 sz = 0;
661 m.data = NULL;
662 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
663 m.data, &sz);
664 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
665 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3(NULL) sizing");
666 m.size = sz;
667 m.data = malloc(m.size);
668 if (m.data == NULL)
669 return tls_error(US"memory allocation failed", strerror(errno), NULL);
670 /* this will return a size 1 less than the allocation size above */
671 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
672 m.data, &sz);
673 if (rc != GNUTLS_E_SUCCESS)
674 {
675 free(m.data);
676 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3() real");
677 }
678 m.size = sz; /* shrink by 1, probably */
679
680 sz = write_to_fd_buf(fd, m.data, (size_t) m.size);
681 if (sz != m.size)
682 {
683 free(m.data);
684 return tls_error(US"TLS cache write D-H params failed",
685 strerror(errno), NULL);
686 }
687 free(m.data);
688 sz = write_to_fd_buf(fd, US"\n", 1);
689 if (sz != 1)
690 return tls_error(US"TLS cache write D-H params final newline failed",
691 strerror(errno), NULL);
692
693 rc = close(fd);
694 if (rc)
695 return tls_error(US"TLS cache write close() failed",
696 strerror(errno), NULL);
697
698 if (Urename(temp_fn, filename) < 0)
699 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
700 temp_fn, filename), strerror(errno), NULL);
701
702 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
703 }
704
705 DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
706 return OK;
707 }
708
709
710
711
712 /*************************************************
713 * Variables re-expanded post-SNI *
714 *************************************************/
715
716 /* Called from both server and client code, via tls_init(), and also from
717 the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
718
719 We can tell the two apart by state->received_sni being non-NULL in callback.
720
721 The callback should not call us unless state->trigger_sni_changes is true,
722 which we are responsible for setting on the first pass through.
723
724 Arguments:
725 state exim_gnutls_state_st *
726
727 Returns: OK/DEFER/FAIL
728 */
729
730 static int
731 tls_expand_session_files(exim_gnutls_state_st *state)
732 {
733 struct stat statbuf;
734 int rc;
735 const host_item *host = state->host; /* macro should be reconsidered? */
736 uschar *saved_tls_certificate = NULL;
737 uschar *saved_tls_privatekey = NULL;
738 uschar *saved_tls_verify_certificates = NULL;
739 uschar *saved_tls_crl = NULL;
740 int cert_count;
741
742 /* We check for tls_sni *before* expansion. */
743 if (!host) /* server */
744 {
745 if (!state->received_sni)
746 {
747 if (state->tls_certificate &&
748 (Ustrstr(state->tls_certificate, US"tls_sni") ||
749 Ustrstr(state->tls_certificate, US"tls_in_sni") ||
750 Ustrstr(state->tls_certificate, US"tls_out_sni")
751 ))
752 {
753 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
754 state->trigger_sni_changes = TRUE;
755 }
756 }
757 else
758 {
759 /* useful for debugging */
760 saved_tls_certificate = state->exp_tls_certificate;
761 saved_tls_privatekey = state->exp_tls_privatekey;
762 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
763 saved_tls_crl = state->exp_tls_crl;
764 }
765 }
766
767 rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
768 exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
769
770 /* remember: expand_check_tlsvar() is expand_check() but fiddling with
771 state members, assuming consistent naming; and expand_check() returns
772 false if expansion failed, unless expansion was forced to fail. */
773
774 /* check if we at least have a certificate, before doing expensive
775 D-H generation. */
776
777 if (!expand_check_tlsvar(tls_certificate))
778 return DEFER;
779
780 /* certificate is mandatory in server, optional in client */
781
782 if ((state->exp_tls_certificate == NULL) ||
783 (*state->exp_tls_certificate == '\0'))
784 {
785 if (!host)
786 return tls_error(US"no TLS server certificate is specified", NULL, NULL);
787 else
788 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
789 }
790
791 if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
792 return DEFER;
793
794 /* tls_privatekey is optional, defaulting to same file as certificate */
795
796 if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
797 {
798 state->tls_privatekey = state->tls_certificate;
799 state->exp_tls_privatekey = state->exp_tls_certificate;
800 }
801
802
803 if (state->exp_tls_certificate && *state->exp_tls_certificate)
804 {
805 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
806 state->exp_tls_certificate, state->exp_tls_privatekey);
807
808 if (state->received_sni)
809 {
810 if ((Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0) &&
811 (Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0))
812 {
813 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
814 }
815 else
816 {
817 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
818 }
819 }
820
821 rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
822 CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
823 GNUTLS_X509_FMT_PEM);
824 exim_gnutls_err_check(
825 string_sprintf("cert/key setup: cert=%s key=%s",
826 state->exp_tls_certificate, state->exp_tls_privatekey));
827 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
828 } /* tls_certificate */
829
830
831 /* Set the OCSP stapling server info */
832
833 #ifndef DISABLE_OCSP
834 if ( !host /* server */
835 && tls_ocsp_file
836 )
837 {
838 if (gnutls_buggy_ocsp)
839 {
840 DEBUG(D_tls) debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
841 }
842 else
843 {
844 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
845 &state->exp_tls_ocsp_file))
846 return DEFER;
847
848 /* Use the full callback method for stapling just to get observability.
849 More efficient would be to read the file once only, if it never changed
850 (due to SNI). Would need restart on file update, or watch datestamp. */
851
852 gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
853 server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
854
855 DEBUG(D_tls) debug_printf("OCSP response file = %s\n", state->exp_tls_ocsp_file);
856 }
857 }
858 #endif
859
860
861 /* Set the trusted CAs file if one is provided, and then add the CRL if one is
862 provided. Experiment shows that, if the certificate file is empty, an unhelpful
863 error message is provided. However, if we just refrain from setting anything up
864 in that case, certificate verification fails, which seems to be the correct
865 behaviour. */
866
867 if (state->tls_verify_certificates && *state->tls_verify_certificates)
868 {
869 if (!expand_check_tlsvar(tls_verify_certificates))
870 return DEFER;
871 #ifndef SUPPORT_SYSDEFAULT_CABUNDLE
872 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
873 state->exp_tls_verify_certificates = NULL;
874 #endif
875 if (state->tls_crl && *state->tls_crl)
876 if (!expand_check_tlsvar(tls_crl))
877 return DEFER;
878
879 if (!(state->exp_tls_verify_certificates &&
880 *state->exp_tls_verify_certificates))
881 {
882 DEBUG(D_tls)
883 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
884 /* With no tls_verify_certificates, we ignore tls_crl too */
885 return OK;
886 }
887 }
888 else
889 {
890 DEBUG(D_tls)
891 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
892 return OK;
893 }
894
895 #ifdef SUPPORT_SYSDEFAULT_CABUNDLE
896 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
897 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
898 else
899 #endif
900 {
901 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
902 {
903 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
904 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
905 strerror(errno));
906 return DEFER;
907 }
908
909 #ifndef SUPPORT_CA_DIR
910 /* The test suite passes in /dev/null; we could check for that path explicitly,
911 but who knows if someone has some weird FIFO which always dumps some certs, or
912 other weirdness. The thing we really want to check is that it's not a
913 directory, since while OpenSSL supports that, GnuTLS does not.
914 So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
915 if (S_ISDIR(statbuf.st_mode))
916 {
917 DEBUG(D_tls)
918 debug_printf("verify certificates path is a dir: \"%s\"\n",
919 state->exp_tls_verify_certificates);
920 log_write(0, LOG_MAIN|LOG_PANIC,
921 "tls_verify_certificates \"%s\" is a directory",
922 state->exp_tls_verify_certificates);
923 return DEFER;
924 }
925 #endif
926
927 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
928 state->exp_tls_verify_certificates, statbuf.st_size);
929
930 if (statbuf.st_size == 0)
931 {
932 DEBUG(D_tls)
933 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
934 return OK;
935 }
936
937 cert_count =
938
939 #ifdef SUPPORT_CA_DIR
940 (statbuf.st_mode & S_IFMT) == S_IFDIR
941 ?
942 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
943 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
944 :
945 #endif
946 gnutls_certificate_set_x509_trust_file(state->x509_cred,
947 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
948 }
949
950 if (cert_count < 0)
951 {
952 rc = cert_count;
953 exim_gnutls_err_check(US"setting certificate trust");
954 }
955 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
956
957 if (state->tls_crl && *state->tls_crl &&
958 state->exp_tls_crl && *state->exp_tls_crl)
959 {
960 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
961 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
962 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
963 if (cert_count < 0)
964 {
965 rc = cert_count;
966 exim_gnutls_err_check(US"gnutls_certificate_set_x509_crl_file");
967 }
968 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
969 }
970
971 return OK;
972 }
973
974
975
976
977 /*************************************************
978 * Set X.509 state variables *
979 *************************************************/
980
981 /* In GnuTLS, the registered cert/key are not replaced by a later
982 set of a cert/key, so for SNI support we need a whole new x509_cred
983 structure. Which means various other non-re-expanded pieces of state
984 need to be re-set in the new struct, so the setting logic is pulled
985 out to this.
986
987 Arguments:
988 state exim_gnutls_state_st *
989
990 Returns: OK/DEFER/FAIL
991 */
992
993 static int
994 tls_set_remaining_x509(exim_gnutls_state_st *state)
995 {
996 int rc;
997 const host_item *host = state->host; /* macro should be reconsidered? */
998
999 /* Create D-H parameters, or read them from the cache file. This function does
1000 its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1001 client-side params. */
1002
1003 if (!state->host)
1004 {
1005 if (!dh_server_params)
1006 {
1007 rc = init_server_dh();
1008 if (rc != OK) return rc;
1009 }
1010 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1011 }
1012
1013 /* Link the credentials to the session. */
1014
1015 rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
1016 exim_gnutls_err_check(US"gnutls_credentials_set");
1017
1018 return OK;
1019 }
1020
1021 /*************************************************
1022 * Initialize for GnuTLS *
1023 *************************************************/
1024
1025
1026 #ifndef DISABLE_OCSP
1027
1028 static BOOL
1029 tls_is_buggy_ocsp(void)
1030 {
1031 const uschar * s;
1032 uschar maj, mid, mic;
1033
1034 s = CUS gnutls_check_version(NULL);
1035 maj = atoi(CCS s);
1036 if (maj == 3)
1037 {
1038 while (*s && *s != '.') s++;
1039 mid = atoi(CCS ++s);
1040 if (mid <= 2)
1041 return TRUE;
1042 else if (mid >= 5)
1043 return FALSE;
1044 else
1045 {
1046 while (*s && *s != '.') s++;
1047 mic = atoi(CCS ++s);
1048 return mic <= (mid == 3 ? 16 : 3);
1049 }
1050 }
1051 return FALSE;
1052 }
1053
1054 #endif
1055
1056
1057 /* Called from both server and client code. In the case of a server, errors
1058 before actual TLS negotiation return DEFER.
1059
1060 Arguments:
1061 host connected host, if client; NULL if server
1062 certificate certificate file
1063 privatekey private key file
1064 sni TLS SNI to send, sometimes when client; else NULL
1065 cas CA certs file
1066 crl CRL file
1067 require_ciphers tls_require_ciphers setting
1068 caller_state returned state-info structure
1069
1070 Returns: OK/DEFER/FAIL
1071 */
1072
1073 static int
1074 tls_init(
1075 const host_item *host,
1076 const uschar *certificate,
1077 const uschar *privatekey,
1078 const uschar *sni,
1079 const uschar *cas,
1080 const uschar *crl,
1081 const uschar *require_ciphers,
1082 exim_gnutls_state_st **caller_state)
1083 {
1084 exim_gnutls_state_st *state;
1085 int rc;
1086 size_t sz;
1087 const char *errpos;
1088 uschar *p;
1089 BOOL want_default_priorities;
1090
1091 if (!exim_gnutls_base_init_done)
1092 {
1093 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1094
1095 #ifdef HAVE_GNUTLS_PKCS11
1096 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1097 which loads modules from a config file, which sounds good and may be wanted
1098 by some sysadmin, but also means in common configurations that GNOME keyring
1099 environment variables are used and so breaks for users calling mailq.
1100 To prevent this, we init PKCS11 first, which is the documented approach. */
1101 if (!gnutls_allow_auto_pkcs11)
1102 {
1103 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
1104 exim_gnutls_err_check(US"gnutls_pkcs11_init");
1105 }
1106 #endif
1107
1108 rc = gnutls_global_init();
1109 exim_gnutls_err_check(US"gnutls_global_init");
1110
1111 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1112 DEBUG(D_tls)
1113 {
1114 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1115 /* arbitrarily chosen level; bump upto 9 for more */
1116 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
1117 }
1118 #endif
1119
1120 #ifndef DISABLE_OCSP
1121 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
1122 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
1123 #endif
1124
1125 exim_gnutls_base_init_done = TRUE;
1126 }
1127
1128 if (host)
1129 {
1130 state = &state_client;
1131 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1132 state->tlsp = &tls_out;
1133 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1134 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1135 }
1136 else
1137 {
1138 state = &state_server;
1139 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1140 state->tlsp = &tls_in;
1141 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1142 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1143 }
1144 exim_gnutls_err_check(US"gnutls_init");
1145
1146 state->host = host;
1147
1148 state->tls_certificate = certificate;
1149 state->tls_privatekey = privatekey;
1150 state->tls_require_ciphers = require_ciphers;
1151 state->tls_sni = sni;
1152 state->tls_verify_certificates = cas;
1153 state->tls_crl = crl;
1154
1155 /* This handles the variables that might get re-expanded after TLS SNI;
1156 that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
1157
1158 DEBUG(D_tls)
1159 debug_printf("Expanding various TLS configuration options for session credentials.\n");
1160 rc = tls_expand_session_files(state);
1161 if (rc != OK) return rc;
1162
1163 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1164 requires a new structure afterwards. */
1165
1166 rc = tls_set_remaining_x509(state);
1167 if (rc != OK) return rc;
1168
1169 /* set SNI in client, only */
1170 if (host)
1171 {
1172 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni))
1173 return DEFER;
1174 if (state->tlsp->sni && *state->tlsp->sni)
1175 {
1176 DEBUG(D_tls)
1177 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1178 sz = Ustrlen(state->tlsp->sni);
1179 rc = gnutls_server_name_set(state->session,
1180 GNUTLS_NAME_DNS, state->tlsp->sni, sz);
1181 exim_gnutls_err_check(US"gnutls_server_name_set");
1182 }
1183 }
1184 else if (state->tls_sni)
1185 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1186 "have an SNI set for a client [%s]\n", state->tls_sni);
1187
1188 /* This is the priority string support,
1189 http://www.gnutls.org/manual/html_node/Priority-Strings.html
1190 and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1191 This was backwards incompatible, but means Exim no longer needs to track
1192 all algorithms and provide string forms for them. */
1193
1194 want_default_priorities = TRUE;
1195
1196 if (state->tls_require_ciphers && *state->tls_require_ciphers)
1197 {
1198 if (!expand_check_tlsvar(tls_require_ciphers))
1199 return DEFER;
1200 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
1201 {
1202 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1203 state->exp_tls_require_ciphers);
1204
1205 rc = gnutls_priority_init(&state->priority_cache,
1206 CS state->exp_tls_require_ciphers, &errpos);
1207 want_default_priorities = FALSE;
1208 p = state->exp_tls_require_ciphers;
1209 }
1210 }
1211 if (want_default_priorities)
1212 {
1213 DEBUG(D_tls)
1214 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1215 exim_default_gnutls_priority);
1216 rc = gnutls_priority_init(&state->priority_cache,
1217 exim_default_gnutls_priority, &errpos);
1218 p = US exim_default_gnutls_priority;
1219 }
1220
1221 exim_gnutls_err_check(string_sprintf(
1222 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1223 p, errpos - CS p, errpos));
1224
1225 rc = gnutls_priority_set(state->session, state->priority_cache);
1226 exim_gnutls_err_check(US"gnutls_priority_set");
1227
1228 gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1229
1230 /* Reduce security in favour of increased compatibility, if the admin
1231 decides to make that trade-off. */
1232 if (gnutls_compat_mode)
1233 {
1234 #if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1235 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1236 gnutls_session_enable_compatibility_mode(state->session);
1237 #else
1238 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1239 #endif
1240 }
1241
1242 *caller_state = state;
1243 return OK;
1244 }
1245
1246
1247
1248 /*************************************************
1249 * Extract peer information *
1250 *************************************************/
1251
1252 /* Called from both server and client code.
1253 Only this is allowed to set state->peerdn and state->have_set_peerdn
1254 and we use that to detect double-calls.
1255
1256 NOTE: the state blocks last while the TLS connection is up, which is fine
1257 for logging in the server side, but for the client side, we log after teardown
1258 in src/deliver.c. While the session is up, we can twist about states and
1259 repoint tls_* globals, but those variables used for logging or other variable
1260 expansion that happens _after_ delivery need to have a longer life-time.
1261
1262 So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1263 doing this more than once per generation of a state context. We set them in
1264 the state context, and repoint tls_* to them. After the state goes away, the
1265 tls_* copies of the pointers remain valid and client delivery logging is happy.
1266
1267 tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1268 don't apply.
1269
1270 Arguments:
1271 state exim_gnutls_state_st *
1272
1273 Returns: OK/DEFER/FAIL
1274 */
1275
1276 static int
1277 peer_status(exim_gnutls_state_st *state)
1278 {
1279 uschar cipherbuf[256];
1280 const gnutls_datum_t *cert_list;
1281 int old_pool, rc;
1282 unsigned int cert_list_size = 0;
1283 gnutls_protocol_t protocol;
1284 gnutls_cipher_algorithm_t cipher;
1285 gnutls_kx_algorithm_t kx;
1286 gnutls_mac_algorithm_t mac;
1287 gnutls_certificate_type_t ct;
1288 gnutls_x509_crt_t crt;
1289 uschar *p, *dn_buf;
1290 size_t sz;
1291
1292 if (state->have_set_peerdn)
1293 return OK;
1294 state->have_set_peerdn = TRUE;
1295
1296 state->peerdn = NULL;
1297
1298 /* tls_cipher */
1299 cipher = gnutls_cipher_get(state->session);
1300 protocol = gnutls_protocol_get_version(state->session);
1301 mac = gnutls_mac_get(state->session);
1302 kx = gnutls_kx_get(state->session);
1303
1304 string_format(cipherbuf, sizeof(cipherbuf),
1305 "%s:%s:%d",
1306 gnutls_protocol_get_name(protocol),
1307 gnutls_cipher_suite_get_name(kx, cipher, mac),
1308 (int) gnutls_cipher_get_key_size(cipher) * 8);
1309
1310 /* I don't see a way that spaces could occur, in the current GnuTLS
1311 code base, but it was a concern in the old code and perhaps older GnuTLS
1312 releases did return "TLS 1.0"; play it safe, just in case. */
1313 for (p = cipherbuf; *p != '\0'; ++p)
1314 if (isspace(*p))
1315 *p = '-';
1316 old_pool = store_pool;
1317 store_pool = POOL_PERM;
1318 state->ciphersuite = string_copy(cipherbuf);
1319 store_pool = old_pool;
1320 state->tlsp->cipher = state->ciphersuite;
1321
1322 /* tls_peerdn */
1323 cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
1324
1325 if (cert_list == NULL || cert_list_size == 0)
1326 {
1327 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1328 cert_list, cert_list_size);
1329 if (state->verify_requirement >= VERIFY_REQUIRED)
1330 return tls_error(US"certificate verification failed",
1331 "no certificate received from peer", state->host);
1332 return OK;
1333 }
1334
1335 ct = gnutls_certificate_type_get(state->session);
1336 if (ct != GNUTLS_CRT_X509)
1337 {
1338 const char *ctn = gnutls_certificate_type_get_name(ct);
1339 DEBUG(D_tls)
1340 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
1341 if (state->verify_requirement >= VERIFY_REQUIRED)
1342 return tls_error(US"certificate verification not possible, unhandled type",
1343 ctn, state->host);
1344 return OK;
1345 }
1346
1347 #define exim_gnutls_peer_err(Label) \
1348 do { \
1349 if (rc != GNUTLS_E_SUCCESS) \
1350 { \
1351 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1352 (Label), gnutls_strerror(rc)); \
1353 if (state->verify_requirement >= VERIFY_REQUIRED) \
1354 return tls_error((Label), gnutls_strerror(rc), state->host); \
1355 return OK; \
1356 } \
1357 } while (0)
1358
1359 rc = import_cert(&cert_list[0], &crt);
1360 exim_gnutls_peer_err(US"cert 0");
1361
1362 state->tlsp->peercert = state->peercert = crt;
1363
1364 sz = 0;
1365 rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1366 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
1367 {
1368 exim_gnutls_peer_err(US"getting size for cert DN failed");
1369 return FAIL; /* should not happen */
1370 }
1371 dn_buf = store_get_perm(sz);
1372 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1373 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
1374
1375 state->peerdn = dn_buf;
1376
1377 return OK;
1378 #undef exim_gnutls_peer_err
1379 }
1380
1381
1382
1383
1384 /*************************************************
1385 * Verify peer certificate *
1386 *************************************************/
1387
1388 /* Called from both server and client code.
1389 *Should* be using a callback registered with
1390 gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1391 the peer information, but that's too new for some OSes.
1392
1393 Arguments:
1394 state exim_gnutls_state_st *
1395 error where to put an error message
1396
1397 Returns:
1398 FALSE if the session should be rejected
1399 TRUE if the cert is okay or we just don't care
1400 */
1401
1402 static BOOL
1403 verify_certificate(exim_gnutls_state_st *state, const char **error)
1404 {
1405 int rc;
1406 unsigned int verify;
1407
1408 *error = NULL;
1409
1410 if ((rc = peer_status(state)) != OK)
1411 {
1412 verify = GNUTLS_CERT_INVALID;
1413 *error = "certificate not supplied";
1414 }
1415 else
1416 rc = gnutls_certificate_verify_peers2(state->session, &verify);
1417
1418 /* Handle the result of verification. INVALID seems to be set as well
1419 as REVOKED, but leave the test for both. */
1420
1421 if (rc < 0 ||
1422 verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
1423 )
1424 {
1425 state->peer_cert_verified = FALSE;
1426 if (!*error)
1427 *error = verify & GNUTLS_CERT_REVOKED
1428 ? "certificate revoked" : "certificate invalid";
1429
1430 DEBUG(D_tls)
1431 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
1432 *error, state->peerdn ? state->peerdn : US"<unset>");
1433
1434 if (state->verify_requirement >= VERIFY_REQUIRED)
1435 {
1436 gnutls_alert_send(state->session,
1437 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1438 return FALSE;
1439 }
1440 DEBUG(D_tls)
1441 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
1442 }
1443
1444 else
1445 {
1446 if (state->exp_tls_verify_cert_hostnames)
1447 {
1448 int sep = 0;
1449 const uschar * list = state->exp_tls_verify_cert_hostnames;
1450 uschar * name;
1451 while (name = string_nextinlist(&list, &sep, NULL, 0))
1452 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
1453 break;
1454 if (!name)
1455 {
1456 DEBUG(D_tls)
1457 debug_printf("TLS certificate verification failed: cert name mismatch\n");
1458 if (state->verify_requirement >= VERIFY_REQUIRED)
1459 {
1460 gnutls_alert_send(state->session,
1461 GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1462 return FALSE;
1463 }
1464 return TRUE;
1465 }
1466 }
1467 state->peer_cert_verified = TRUE;
1468 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
1469 state->peerdn ? state->peerdn : US"<unset>");
1470 }
1471
1472 state->tlsp->peerdn = state->peerdn;
1473
1474 return TRUE;
1475 }
1476
1477
1478
1479
1480 /* ------------------------------------------------------------------------ */
1481 /* Callbacks */
1482
1483 /* Logging function which can be registered with
1484 * gnutls_global_set_log_function()
1485 * gnutls_global_set_log_level() 0..9
1486 */
1487 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1488 static void
1489 exim_gnutls_logger_cb(int level, const char *message)
1490 {
1491 size_t len = strlen(message);
1492 if (len < 1)
1493 {
1494 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1495 return;
1496 }
1497 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1498 message[len-1] == '\n' ? "" : "\n");
1499 }
1500 #endif
1501
1502
1503 /* Called after client hello, should handle SNI work.
1504 This will always set tls_sni (state->received_sni) if available,
1505 and may trigger presenting different certificates,
1506 if state->trigger_sni_changes is TRUE.
1507
1508 Should be registered with
1509 gnutls_handshake_set_post_client_hello_function()
1510
1511 "This callback must return 0 on success or a gnutls error code to terminate the
1512 handshake.".
1513
1514 For inability to get SNI information, we return 0.
1515 We only return non-zero if re-setup failed.
1516 Only used for server-side TLS.
1517 */
1518
1519 static int
1520 exim_sni_handling_cb(gnutls_session_t session)
1521 {
1522 char sni_name[MAX_HOST_LEN];
1523 size_t data_len = MAX_HOST_LEN;
1524 exim_gnutls_state_st *state = &state_server;
1525 unsigned int sni_type;
1526 int rc, old_pool;
1527
1528 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
1529 if (rc != GNUTLS_E_SUCCESS)
1530 {
1531 DEBUG(D_tls) {
1532 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1533 debug_printf("TLS: no SNI presented in handshake.\n");
1534 else
1535 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1536 gnutls_strerror(rc), rc);
1537 };
1538 return 0;
1539 }
1540
1541 if (sni_type != GNUTLS_NAME_DNS)
1542 {
1543 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1544 return 0;
1545 }
1546
1547 /* We now have a UTF-8 string in sni_name */
1548 old_pool = store_pool;
1549 store_pool = POOL_PERM;
1550 state->received_sni = string_copyn(US sni_name, data_len);
1551 store_pool = old_pool;
1552
1553 /* We set this one now so that variable expansions below will work */
1554 state->tlsp->sni = state->received_sni;
1555
1556 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1557 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1558
1559 if (!state->trigger_sni_changes)
1560 return 0;
1561
1562 rc = tls_expand_session_files(state);
1563 if (rc != OK)
1564 {
1565 /* If the setup of certs/etc failed before handshake, TLS would not have
1566 been offered. The best we can do now is abort. */
1567 return GNUTLS_E_APPLICATION_ERROR_MIN;
1568 }
1569
1570 rc = tls_set_remaining_x509(state);
1571 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1572
1573 return 0;
1574 }
1575
1576
1577
1578 #ifndef DISABLE_OCSP
1579
1580 static int
1581 server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1582 gnutls_datum_t * ocsp_response)
1583 {
1584 int ret;
1585
1586 if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1587 {
1588 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
1589 (char *)ptr);
1590 tls_in.ocsp = OCSP_NOT_RESP;
1591 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1592 }
1593
1594 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1595 return 0;
1596 }
1597
1598 #endif
1599
1600
1601 #ifndef DISABLE_EVENT
1602 /*
1603 We use this callback to get observability and detail-level control
1604 for an exim TLS connection (either direction), raising a tls:cert event
1605 for each cert in the chain presented by the peer. Any event
1606 can deny verification.
1607
1608 Return 0 for the handshake to continue or non-zero to terminate.
1609 */
1610
1611 static int
1612 verify_cb(gnutls_session_t session)
1613 {
1614 const gnutls_datum_t * cert_list;
1615 unsigned int cert_list_size = 0;
1616 gnutls_x509_crt_t crt;
1617 int rc;
1618 uschar * yield;
1619 exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
1620
1621 cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1622 if (cert_list)
1623 while (cert_list_size--)
1624 {
1625 rc = import_cert(&cert_list[cert_list_size], &crt);
1626 if (rc != GNUTLS_E_SUCCESS)
1627 {
1628 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
1629 cert_list_size, gnutls_strerror(rc));
1630 break;
1631 }
1632
1633 state->tlsp->peercert = crt;
1634 if ((yield = event_raise(state->event_action,
1635 US"tls:cert", string_sprintf("%d", cert_list_size))))
1636 {
1637 log_write(0, LOG_MAIN,
1638 "SSL verify denied by event-action: depth=%d: %s",
1639 cert_list_size, yield);
1640 return 1; /* reject */
1641 }
1642 state->tlsp->peercert = NULL;
1643 }
1644
1645 return 0;
1646 }
1647
1648 #endif
1649
1650
1651
1652 /* ------------------------------------------------------------------------ */
1653 /* Exported functions */
1654
1655
1656
1657
1658 /*************************************************
1659 * Start a TLS session in a server *
1660 *************************************************/
1661
1662 /* This is called when Exim is running as a server, after having received
1663 the STARTTLS command. It must respond to that command, and then negotiate
1664 a TLS session.
1665
1666 Arguments:
1667 require_ciphers list of allowed ciphers or NULL
1668
1669 Returns: OK on success
1670 DEFER for errors before the start of the negotiation
1671 FAIL for errors during the negotation; the server can't
1672 continue running.
1673 */
1674
1675 int
1676 tls_server_start(const uschar *require_ciphers)
1677 {
1678 int rc;
1679 const char *error;
1680 exim_gnutls_state_st *state = NULL;
1681
1682 /* Check for previous activation */
1683 if (tls_in.active >= 0)
1684 {
1685 tls_error(US"STARTTLS received after TLS started", "", NULL);
1686 smtp_printf("554 Already in TLS\r\n");
1687 return FAIL;
1688 }
1689
1690 /* Initialize the library. If it fails, it will already have logged the error
1691 and sent an SMTP response. */
1692
1693 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
1694
1695 rc = tls_init(NULL, tls_certificate, tls_privatekey,
1696 NULL, tls_verify_certificates, tls_crl,
1697 require_ciphers, &state);
1698 if (rc != OK) return rc;
1699
1700 /* If this is a host for which certificate verification is mandatory or
1701 optional, set up appropriately. */
1702
1703 if (verify_check_host(&tls_verify_hosts) == OK)
1704 {
1705 DEBUG(D_tls)
1706 debug_printf("TLS: a client certificate will be required.\n");
1707 state->verify_requirement = VERIFY_REQUIRED;
1708 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1709 }
1710 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1711 {
1712 DEBUG(D_tls)
1713 debug_printf("TLS: a client certificate will be requested but not required.\n");
1714 state->verify_requirement = VERIFY_OPTIONAL;
1715 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1716 }
1717 else
1718 {
1719 DEBUG(D_tls)
1720 debug_printf("TLS: a client certificate will not be requested.\n");
1721 state->verify_requirement = VERIFY_NONE;
1722 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1723 }
1724
1725 #ifndef DISABLE_EVENT
1726 if (event_action)
1727 {
1728 state->event_action = event_action;
1729 gnutls_session_set_ptr(state->session, state);
1730 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
1731 }
1732 #endif
1733
1734 /* Register SNI handling; always, even if not in tls_certificate, so that the
1735 expansion variable $tls_sni is always available. */
1736
1737 gnutls_handshake_set_post_client_hello_function(state->session,
1738 exim_sni_handling_cb);
1739
1740 /* Set context and tell client to go ahead, except in the case of TLS startup
1741 on connection, where outputting anything now upsets the clients and tends to
1742 make them disconnect. We need to have an explicit fflush() here, to force out
1743 the response. Other smtp_printf() calls do not need it, because in non-TLS
1744 mode, the fflush() happens when smtp_getc() is called. */
1745
1746 if (!state->tlsp->on_connect)
1747 {
1748 smtp_printf("220 TLS go ahead\r\n");
1749 fflush(smtp_out);
1750 }
1751
1752 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1753 that the GnuTLS library doesn't. */
1754
1755 gnutls_transport_set_ptr2(state->session,
1756 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
1757 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
1758 state->fd_in = fileno(smtp_in);
1759 state->fd_out = fileno(smtp_out);
1760
1761 sigalrm_seen = FALSE;
1762 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1763 do
1764 {
1765 rc = gnutls_handshake(state->session);
1766 } while ((rc == GNUTLS_E_AGAIN) ||
1767 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1768 alarm(0);
1769
1770 if (rc != GNUTLS_E_SUCCESS)
1771 {
1772 tls_error(US"gnutls_handshake",
1773 sigalrm_seen ? "timed out" : gnutls_strerror(rc), NULL);
1774 /* It seems that, except in the case of a timeout, we have to close the
1775 connection right here; otherwise if the other end is running OpenSSL it hangs
1776 until the server times out. */
1777
1778 if (!sigalrm_seen)
1779 {
1780 (void)fclose(smtp_out);
1781 (void)fclose(smtp_in);
1782 }
1783
1784 return FAIL;
1785 }
1786
1787 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1788
1789 /* Verify after the fact */
1790
1791 if ( state->verify_requirement != VERIFY_NONE
1792 && !verify_certificate(state, &error))
1793 {
1794 if (state->verify_requirement != VERIFY_OPTIONAL)
1795 {
1796 tls_error(US"certificate verification failed", error, NULL);
1797 return FAIL;
1798 }
1799 DEBUG(D_tls)
1800 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
1801 error);
1802 }
1803
1804 /* Figure out peer DN, and if authenticated, etc. */
1805
1806 rc = peer_status(state);
1807 if (rc != OK) return rc;
1808
1809 /* Sets various Exim expansion variables; always safe within server */
1810
1811 extract_exim_vars_from_tls_state(state);
1812
1813 /* TLS has been set up. Adjust the input functions to read via TLS,
1814 and initialize appropriately. */
1815
1816 state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1817
1818 receive_getc = tls_getc;
1819 receive_ungetc = tls_ungetc;
1820 receive_feof = tls_feof;
1821 receive_ferror = tls_ferror;
1822 receive_smtp_buffered = tls_smtp_buffered;
1823
1824 return OK;
1825 }
1826
1827
1828
1829
1830 static void
1831 tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
1832 smtp_transport_options_block * ob)
1833 {
1834 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
1835 {
1836 state->exp_tls_verify_cert_hostnames =
1837 #ifdef SUPPORT_I18N
1838 string_domain_utf8_to_alabel(host->name, NULL);
1839 #else
1840 host->name;
1841 #endif
1842 DEBUG(D_tls)
1843 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
1844 state->exp_tls_verify_cert_hostnames);
1845 }
1846 }
1847
1848
1849 /*************************************************
1850 * Start a TLS session in a client *
1851 *************************************************/
1852
1853 /* Called from the smtp transport after STARTTLS has been accepted.
1854
1855 Arguments:
1856 fd the fd of the connection
1857 host connected host (for messages)
1858 addr the first address (not used)
1859 tb transport (always smtp)
1860
1861 Returns: OK/DEFER/FAIL (because using common functions),
1862 but for a client, DEFER and FAIL have the same meaning
1863 */
1864
1865 int
1866 tls_client_start(int fd, host_item *host,
1867 address_item *addr ARG_UNUSED,
1868 transport_instance *tb
1869 #ifdef EXPERIMENTAL_DANE
1870 , dns_answer * unused_tlsa_dnsa
1871 #endif
1872 )
1873 {
1874 smtp_transport_options_block *ob =
1875 (smtp_transport_options_block *)tb->options_block;
1876 int rc;
1877 const char *error;
1878 exim_gnutls_state_st *state = NULL;
1879 #ifndef DISABLE_OCSP
1880 BOOL require_ocsp =
1881 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
1882 BOOL request_ocsp = require_ocsp ? TRUE
1883 : verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
1884 #endif
1885
1886 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
1887
1888 if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
1889 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
1890 ob->tls_require_ciphers, &state)) != OK)
1891 return rc;
1892
1893 {
1894 int dh_min_bits = ob->tls_dh_min_bits;
1895 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
1896 {
1897 DEBUG(D_tls)
1898 debug_printf("WARNING: tls_dh_min_bits far too low,"
1899 " clamping %d up to %d\n",
1900 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
1901 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
1902 }
1903
1904 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
1905 " acceptable bits to %d\n",
1906 dh_min_bits);
1907 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
1908 }
1909
1910 /* Stick to the old behaviour for compatibility if tls_verify_certificates is
1911 set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
1912 the specified host patterns if one of them is defined */
1913
1914 if ( ( state->exp_tls_verify_certificates
1915 && !ob->tls_verify_hosts
1916 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
1917 )
1918 || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
1919 )
1920 {
1921 tls_client_setup_hostname_checks(host, state, ob);
1922 DEBUG(D_tls)
1923 debug_printf("TLS: server certificate verification required.\n");
1924 state->verify_requirement = VERIFY_REQUIRED;
1925 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1926 }
1927 else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
1928 {
1929 tls_client_setup_hostname_checks(host, state, ob);
1930 DEBUG(D_tls)
1931 debug_printf("TLS: server certificate verification optional.\n");
1932 state->verify_requirement = VERIFY_OPTIONAL;
1933 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1934 }
1935 else
1936 {
1937 DEBUG(D_tls)
1938 debug_printf("TLS: server certificate verification not required.\n");
1939 state->verify_requirement = VERIFY_NONE;
1940 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1941 }
1942
1943 #ifndef DISABLE_OCSP
1944 /* supported since GnuTLS 3.1.3 */
1945 if (request_ocsp)
1946 {
1947 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
1948 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
1949 NULL, 0, NULL)) != OK)
1950 return tls_error(US"cert-status-req",
1951 gnutls_strerror(rc), state->host);
1952 tls_out.ocsp = OCSP_NOT_RESP;
1953 }
1954 #endif
1955
1956 #ifndef DISABLE_EVENT
1957 if (tb->event_action)
1958 {
1959 state->event_action = tb->event_action;
1960 gnutls_session_set_ptr(state->session, state);
1961 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
1962 }
1963 #endif
1964
1965 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) fd);
1966 state->fd_in = fd;
1967 state->fd_out = fd;
1968
1969 DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
1970 /* There doesn't seem to be a built-in timeout on connection. */
1971
1972 sigalrm_seen = FALSE;
1973 alarm(ob->command_timeout);
1974 do
1975 {
1976 rc = gnutls_handshake(state->session);
1977 } while ((rc == GNUTLS_E_AGAIN) ||
1978 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1979 alarm(0);
1980
1981 if (rc != GNUTLS_E_SUCCESS)
1982 return tls_error(US"gnutls_handshake",
1983 sigalrm_seen ? "timed out" : gnutls_strerror(rc), state->host);
1984
1985 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1986
1987 /* Verify late */
1988
1989 if (state->verify_requirement != VERIFY_NONE &&
1990 !verify_certificate(state, &error))
1991 return tls_error(US"certificate verification failed", error, state->host);
1992
1993 #ifndef DISABLE_OCSP
1994 if (require_ocsp)
1995 {
1996 DEBUG(D_tls)
1997 {
1998 gnutls_datum_t stapling;
1999 gnutls_ocsp_resp_t resp;
2000 gnutls_datum_t printed;
2001 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
2002 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
2003 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2004 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
2005 )
2006 {
2007 debug_printf("%.4096s", printed.data);
2008 gnutls_free(printed.data);
2009 }
2010 else
2011 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host);
2012 }
2013
2014 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
2015 {
2016 tls_out.ocsp = OCSP_FAILED;
2017 return tls_error(US"certificate status check failed", NULL, state->host);
2018 }
2019 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
2020 tls_out.ocsp = OCSP_VFIED;
2021 }
2022 #endif
2023
2024 /* Figure out peer DN, and if authenticated, etc. */
2025
2026 if ((rc = peer_status(state)) != OK)
2027 return rc;
2028
2029 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
2030
2031 extract_exim_vars_from_tls_state(state);
2032
2033 return OK;
2034 }
2035
2036
2037
2038
2039 /*************************************************
2040 * Close down a TLS session *
2041 *************************************************/
2042
2043 /* This is also called from within a delivery subprocess forked from the
2044 daemon, to shut down the TLS library, without actually doing a shutdown (which
2045 would tamper with the TLS session in the parent process).
2046
2047 Arguments: TRUE if gnutls_bye is to be called
2048 Returns: nothing
2049 */
2050
2051 void
2052 tls_close(BOOL is_server, BOOL shutdown)
2053 {
2054 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
2055
2056 if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
2057
2058 if (shutdown)
2059 {
2060 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
2061 gnutls_bye(state->session, GNUTLS_SHUT_WR);
2062 }
2063
2064 gnutls_deinit(state->session);
2065
2066 state->tlsp->active = -1;
2067 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
2068
2069 if ((state_server.session == NULL) && (state_client.session == NULL))
2070 {
2071 gnutls_global_deinit();
2072 exim_gnutls_base_init_done = FALSE;
2073 }
2074
2075 }
2076
2077
2078
2079
2080 /*************************************************
2081 * TLS version of getc *
2082 *************************************************/
2083
2084 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2085 it refills the buffer via the GnuTLS reading function.
2086 Only used by the server-side TLS.
2087
2088 This feeds DKIM and should be used for all message-body reads.
2089
2090 Arguments: none
2091 Returns: the next character or EOF
2092 */
2093
2094 int
2095 tls_getc(void)
2096 {
2097 exim_gnutls_state_st *state = &state_server;
2098 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
2099 {
2100 ssize_t inbytes;
2101
2102 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
2103 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
2104
2105 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2106 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
2107 ssl_xfer_buffer_size);
2108 alarm(0);
2109
2110 /* A zero-byte return appears to mean that the TLS session has been
2111 closed down, not that the socket itself has been closed down. Revert to
2112 non-TLS handling. */
2113
2114 if (inbytes == 0)
2115 {
2116 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2117
2118 receive_getc = smtp_getc;
2119 receive_ungetc = smtp_ungetc;
2120 receive_feof = smtp_feof;
2121 receive_ferror = smtp_ferror;
2122 receive_smtp_buffered = smtp_buffered;
2123
2124 gnutls_deinit(state->session);
2125 state->session = NULL;
2126 state->tlsp->active = -1;
2127 state->tlsp->bits = 0;
2128 state->tlsp->certificate_verified = FALSE;
2129 tls_channelbinding_b64 = NULL;
2130 state->tlsp->cipher = NULL;
2131 state->tlsp->peercert = NULL;
2132 state->tlsp->peerdn = NULL;
2133
2134 return smtp_getc();
2135 }
2136
2137 /* Handle genuine errors */
2138
2139 else if (inbytes < 0)
2140 {
2141 record_io_error(state, (int) inbytes, US"recv", NULL);
2142 state->xfer_error = 1;
2143 return EOF;
2144 }
2145 #ifndef DISABLE_DKIM
2146 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
2147 #endif
2148 state->xfer_buffer_hwm = (int) inbytes;
2149 state->xfer_buffer_lwm = 0;
2150 }
2151
2152 /* Something in the buffer; return next uschar */
2153
2154 return state->xfer_buffer[state->xfer_buffer_lwm++];
2155 }
2156
2157
2158
2159
2160 /*************************************************
2161 * Read bytes from TLS channel *
2162 *************************************************/
2163
2164 /* This does not feed DKIM, so if the caller uses this for reading message body,
2165 then the caller must feed DKIM.
2166
2167 Arguments:
2168 buff buffer of data
2169 len size of buffer
2170
2171 Returns: the number of bytes read
2172 -1 after a failed read
2173 */
2174
2175 int
2176 tls_read(BOOL is_server, uschar *buff, size_t len)
2177 {
2178 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
2179 ssize_t inbytes;
2180
2181 if (len > INT_MAX)
2182 len = INT_MAX;
2183
2184 if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
2185 DEBUG(D_tls)
2186 debug_printf("*** PROBABLY A BUG *** " \
2187 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
2188 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
2189
2190 DEBUG(D_tls)
2191 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
2192 state->session, buff, len);
2193
2194 inbytes = gnutls_record_recv(state->session, buff, len);
2195 if (inbytes > 0) return inbytes;
2196 if (inbytes == 0)
2197 {
2198 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
2199 }
2200 else record_io_error(state, (int)inbytes, US"recv", NULL);
2201
2202 return -1;
2203 }
2204
2205
2206
2207
2208 /*************************************************
2209 * Write bytes down TLS channel *
2210 *************************************************/
2211
2212 /*
2213 Arguments:
2214 is_server channel specifier
2215 buff buffer of data
2216 len number of bytes
2217
2218 Returns: the number of bytes after a successful write,
2219 -1 after a failed write
2220 */
2221
2222 int
2223 tls_write(BOOL is_server, const uschar *buff, size_t len)
2224 {
2225 ssize_t outbytes;
2226 size_t left = len;
2227 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
2228
2229 DEBUG(D_tls) debug_printf("tls_do_write(%p, " SIZE_T_FMT ")\n", buff, left);
2230 while (left > 0)
2231 {
2232 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
2233 buff, left);
2234 outbytes = gnutls_record_send(state->session, buff, left);
2235
2236 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
2237 if (outbytes < 0)
2238 {
2239 record_io_error(state, outbytes, US"send", NULL);
2240 return -1;
2241 }
2242 if (outbytes == 0)
2243 {
2244 record_io_error(state, 0, US"send", US"TLS channel closed on write");
2245 return -1;
2246 }
2247
2248 left -= outbytes;
2249 buff += outbytes;
2250 }
2251
2252 if (len > INT_MAX)
2253 {
2254 DEBUG(D_tls)
2255 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
2256 len);
2257 len = INT_MAX;
2258 }
2259
2260 return (int) len;
2261 }
2262
2263
2264
2265
2266 /*************************************************
2267 * Random number generation *
2268 *************************************************/
2269
2270 /* Pseudo-random number generation. The result is not expected to be
2271 cryptographically strong but not so weak that someone will shoot themselves
2272 in the foot using it as a nonce in input in some email header scheme or
2273 whatever weirdness they'll twist this into. The result should handle fork()
2274 and avoid repeating sequences. OpenSSL handles that for us.
2275
2276 Arguments:
2277 max range maximum
2278 Returns a random number in range [0, max-1]
2279 */
2280
2281 #ifdef HAVE_GNUTLS_RND
2282 int
2283 vaguely_random_number(int max)
2284 {
2285 unsigned int r;
2286 int i, needed_len;
2287 uschar *p;
2288 uschar smallbuf[sizeof(r)];
2289
2290 if (max <= 1)
2291 return 0;
2292
2293 needed_len = sizeof(r);
2294 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
2295 * asked for a number less than 10. */
2296 for (r = max, i = 0; r; ++i)
2297 r >>= 1;
2298 i = (i + 7) / 8;
2299 if (i < needed_len)
2300 needed_len = i;
2301
2302 i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2303 if (i < 0)
2304 {
2305 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2306 return vaguely_random_number_fallback(max);
2307 }
2308 r = 0;
2309 for (p = smallbuf; needed_len; --needed_len, ++p)
2310 {
2311 r *= 256;
2312 r += *p;
2313 }
2314
2315 /* We don't particularly care about weighted results; if someone wants
2316 * smooth distribution and cares enough then they should submit a patch then. */
2317 return r % max;
2318 }
2319 #else /* HAVE_GNUTLS_RND */
2320 int
2321 vaguely_random_number(int max)
2322 {
2323 return vaguely_random_number_fallback(max);
2324 }
2325 #endif /* HAVE_GNUTLS_RND */
2326
2327
2328
2329
2330 /*************************************************
2331 * Let tls_require_ciphers be checked at startup *
2332 *************************************************/
2333
2334 /* The tls_require_ciphers option, if set, must be something which the
2335 library can parse.
2336
2337 Returns: NULL on success, or error message
2338 */
2339
2340 uschar *
2341 tls_validate_require_cipher(void)
2342 {
2343 int rc;
2344 uschar *expciphers = NULL;
2345 gnutls_priority_t priority_cache;
2346 const char *errpos;
2347
2348 #define validate_check_rc(Label) do { \
2349 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2350 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2351 #define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2352
2353 if (exim_gnutls_base_init_done)
2354 log_write(0, LOG_MAIN|LOG_PANIC,
2355 "already initialised GnuTLS, Exim developer bug");
2356
2357 #ifdef HAVE_GNUTLS_PKCS11
2358 if (!gnutls_allow_auto_pkcs11)
2359 {
2360 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2361 validate_check_rc(US"gnutls_pkcs11_init");
2362 }
2363 #endif
2364 rc = gnutls_global_init();
2365 validate_check_rc(US"gnutls_global_init()");
2366 exim_gnutls_base_init_done = TRUE;
2367
2368 if (!(tls_require_ciphers && *tls_require_ciphers))
2369 return_deinit(NULL);
2370
2371 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2372 return_deinit(US"failed to expand tls_require_ciphers");
2373
2374 if (!(expciphers && *expciphers))
2375 return_deinit(NULL);
2376
2377 DEBUG(D_tls)
2378 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2379
2380 rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2381 validate_check_rc(string_sprintf(
2382 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2383 expciphers, errpos - CS expciphers, errpos));
2384
2385 #undef return_deinit
2386 #undef validate_check_rc
2387 gnutls_global_deinit();
2388
2389 return NULL;
2390 }
2391
2392
2393
2394
2395 /*************************************************
2396 * Report the library versions. *
2397 *************************************************/
2398
2399 /* See a description in tls-openssl.c for an explanation of why this exists.
2400
2401 Arguments: a FILE* to print the results to
2402 Returns: nothing
2403 */
2404
2405 void
2406 tls_version_report(FILE *f)
2407 {
2408 fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2409 " Runtime: %s\n",
2410 LIBGNUTLS_VERSION,
2411 gnutls_check_version(NULL));
2412 }
2413
2414 /* vi: aw ai sw=2
2415 */
2416 /* End of tls-gnu.c */
Unnamed repository; edit this file 'description' to name the repository.