GnuTLS: Move to more-modern stapling API

[exim.git] / src / src / tls-gnu.c

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 03002c704522199ee0e37291f729c94b9efb98e9..a45dd65e96b3f744d85bd19719f99fd7f2b0e250 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -89,6 +89,12 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 # endif
 #endif
 
+#ifdef EXPERIMENTAL_TLS_RESUME
+# if GNUTLS_VERSION_NUMBER < 0x030603
+#  error GNUTLS version too early for session-resumption
+# endif
+#endif
+
 #ifndef DISABLE_OCSP
 # include <gnutls/ocsp.h>
 #endif
@@ -209,7 +215,7 @@ don't want to repeat this. */
 
 static gnutls_dh_params_t dh_server_params = NULL;
 
-static int ssl_session_timeout = 3600; /* One hour */
+static int ssl_session_timeout = 7200; /* Two hours */
 
 static const uschar * const exim_default_gnutls_priority = US"NORMAL";
 
@@ -219,6 +225,7 @@ static BOOL exim_gnutls_base_init_done = FALSE;
 
 #ifndef DISABLE_OCSP
 static BOOL gnutls_buggy_ocsp = FALSE;
+static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
 #endif
 
 #ifdef EXPERIMENTAL_TLS_RESUME
@@ -281,11 +288,16 @@ static void exim_gnutls_logger_cb(int level, const char *message);
 
 static int exim_sni_handling_cb(gnutls_session_t session);
 
-#ifndef DISABLE_OCSP
+#if !defined(DISABLE_OCSP)
 static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
   gnutls_datum_t * ocsp_response);
 #endif
 
+#ifdef EXPERIMENTAL_TLS_RESUME
+static int
+tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
+  unsigned incoming, const gnutls_datum_t * msg);
+#endif
 
 
 /* Daemon one-time initialisation */
@@ -642,7 +654,7 @@ if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
     }
 
   m.size = statbuf.st_size;
-  if (!(m.data = malloc(m.size)))
+  if (!(m.data = store_malloc(m.size)))
     {
     fclose(fp);
     return tls_error_sys(US"malloc failed", errno, NULL, errstr);
@@ -651,13 +663,13 @@ if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
     {
     saved_errno = errno;
     fclose(fp);
-    free(m.data);
+    store_free(m.data);
     return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
     }
   fclose(fp);
 
   rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
-  free(m.data);
+  store_free(m.data);
   if (rc)
     return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
   DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
@@ -730,25 +742,25 @@ if (rc < 0)
     return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
              rc, host, errstr);
   m.size = sz;
-  if (!(m.data = malloc(m.size)))
+  if (!(m.data = store_malloc(m.size)))
     return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
 
   /* this will return a size 1 less than the allocation size above */
   if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
       m.data, &sz)))
     {
-    free(m.data);
+    store_free(m.data);
     return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
     }
   m.size = sz; /* shrink by 1, probably */
 
   if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
     {
-    free(m.data);
+    store_free(m.data);
     return tls_error_sys(US"TLS cache write D-H params failed",
         errno, NULL, errstr);
     }
-  free(m.data);
+  store_free(m.data);
   if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
     return tls_error_sys(US"TLS cache write D-H params final newline failed",
         errno, NULL, errstr);
@@ -852,6 +864,9 @@ static int
 tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
   uschar * certfile, uschar * keyfile, uschar ** errstr)
 {
+/*XXX returns certs index for gnutls_certificate_set_x509_key_file(),
+given suitable flags set */
+
 int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
     CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
 if (rc < 0)
@@ -862,6 +877,78 @@ return -rc;
 }
 
 
+/* Make a note that we saw a status-request */
+static int
+tls_server_clienthello_ext(void * ctx, unsigned tls_id,
+  const unsigned char *data, unsigned size)
+{
+/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
+if (tls_id == 5)       /* status_request */
+  {
+  DEBUG(D_tls) debug_printf("Seen status_request extension\n");
+  tls_in.ocsp = OCSP_NOT_RESP;
+  }
+return 0;
+}
+
+/* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
+static int
+tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
+  unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+/* Call fn for each extension seen.  3.6.3 onwards */
+return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
+                          GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
+}
+
+/* Callback for certificate-status, on server. We sent stapled OCSP. */
+static int
+tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
+  unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+DEBUG(D_tls) debug_printf("Sending certificate-status\n");
+#ifdef SUPPORT_SRV_OCSP_STACK
+tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
+  ? OCSP_VFY_NOT_TRIED : OCSP_VFIED;   /* We know that GnuTLS verifies responses */
+#else
+tls_in.ocsp = OCSP_VFY_NOT_TRIED;
+#endif
+return 0;
+}
+
+/* Callback for handshake messages, on server */
+static int
+tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
+  unsigned incoming, const gnutls_datum_t * msg)
+{
+switch (htype)
+  {
+  case GNUTLS_HANDSHAKE_CLIENT_HELLO:
+    return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
+  case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
+    return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
+#ifdef EXPERIMENTAL_TLS_RESUME
+  case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
+    return tls_server_ticket_cb(sess, htype, when, incoming, msg);
+#endif
+  default:
+    return 0;
+  }
+}
+
+
+static void
+tls_server_testharness_ocsp_fiddle(void)
+{
+extern char ** environ;
+if (environ) for (uschar ** p = USS environ; *p; p++)
+  if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
+    {
+    DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
+    exim_testharness_disable_ocsp_validity_check = TRUE;
+    }
+}
+
 /*************************************************
 *       Variables re-expanded post-SNI           *
 *************************************************/
@@ -996,12 +1083,13 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
       else
        {
        int gnutls_cert_index = -rc;
-       DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile);
+       DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n", gnutls_cert_index, cfile);
 
        /* Set the OCSP stapling server info */
 
 #ifndef DISABLE_OCSP
        if (tls_ocsp_file)
+         {
          if (gnutls_buggy_ocsp)
            {
            DEBUG(D_tls)
@@ -1009,37 +1097,45 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
            }
          else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
            {
-           /* Use the full callback method for stapling just to get
-           observability.  More efficient would be to read the file once only,
-           if it never changed (due to SNI). Would need restart on file update,
-           or watch datestamp.  */
+           DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile);
 
 # ifdef SUPPORT_SRV_OCSP_STACK
-           if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
-                       state->x509_cred, gnutls_cert_index,
-                       server_ocsp_stapling_cb, ofile)))
-             return tls_error_gnu(
-                     US"gnutls_certificate_set_ocsp_status_request_function2",
-                     rc, host, errstr);
-# else
-           if (cnt++ > 0)
+           if (f.running_in_test_harness) tls_server_testharness_ocsp_fiddle();
+
+           if (!exim_testharness_disable_ocsp_validity_check)
              {
-             DEBUG(D_tls)
-               debug_printf("oops; multiple OCSP files not supported\n");
-             break;
+             if  ((rc = gnutls_certificate_set_ocsp_status_request_file2(
+                         state->x509_cred, CCS ofile, gnutls_cert_index,
+                         GNUTLS_X509_FMT_DER)) < 0)
+               return tls_error_gnu(
+                       US"gnutls_certificate_set_ocsp_status_request_file2",
+                       rc, host, errstr);
+
+             /* Arrange callbacks for OCSP request observability */
+
+             gnutls_handshake_set_hook_function(state->session,
+               GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
              }
-             gnutls_certificate_set_ocsp_status_request_function(
-               state->x509_cred, server_ocsp_stapling_cb, ofile);
+           else
 # endif
-
-           DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile);
+             {
+             if (cnt++ > 0)
+               {
+               DEBUG(D_tls)
+                 debug_printf("oops; multiple OCSP files not supported\n");
+               break;
+               }
+               gnutls_certificate_set_ocsp_status_request_function(
+                 state->x509_cred, server_ocsp_stapling_cb, ofile);
+             }
            }
          else
            DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
 #endif
+         }
        }
     }
-  else
+  else /* client */
     {
     if (0 < (rc = tls_add_certfile(state, host,
                state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
@@ -1137,6 +1233,14 @@ else
 #endif
     gnutls_certificate_set_x509_trust_file(state->x509_cred,
       CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+
+#ifdef SUPPORT_CA_DIR
+  /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
+  when using the directory-of-certs config model. */
+
+  if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+    gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
+#endif
   }
 
 if (cert_count < 0)
@@ -1318,7 +1422,7 @@ if (host)
   several in parallel. */
   int old_pool = store_pool;
   store_pool = POOL_PERM;
-  state = store_get(sizeof(exim_gnutls_state_st));
+  state = store_get(sizeof(exim_gnutls_state_st), FALSE);
   store_pool = old_pool;
 
   memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
@@ -1615,7 +1719,7 @@ if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
   exim_gnutls_peer_err(US"getting size for cert DN failed");
   return FAIL; /* should not happen */
   }
-dn_buf = store_get_perm(sz);
+dn_buf = store_get_perm(sz, TRUE);     /* tainted */
 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
 
@@ -1695,8 +1799,8 @@ else
       for(nrec = 0; state->dane_data_len[nrec]; ) nrec++;
       nrec++;
 
-      dd = store_get(nrec * sizeof(uschar *));
-      ddl = store_get(nrec * sizeof(int));
+      dd = store_get(nrec * sizeof(uschar *), FALSE);
+      ddl = store_get(nrec * sizeof(int), FALSE);
       nrec--;
 
       if ((rc = dane_state_init(&s, 0)))
@@ -1924,13 +2028,12 @@ uschar * dummy_errstr;
 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
 if (rc != GNUTLS_E_SUCCESS)
   {
-  DEBUG(D_tls) {
+  DEBUG(D_tls)
     if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
       debug_printf("TLS: no SNI presented in handshake.\n");
     else
       debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
         gnutls_strerror(rc), rc);
-    }
   return 0;
   }
 
@@ -1943,7 +2046,7 @@ if (sni_type != GNUTLS_NAME_DNS)
 /* We now have a UTF-8 string in sni_name */
 old_pool = store_pool;
 store_pool = POOL_PERM;
-state->received_sni = string_copyn(US sni_name, data_len);
+state->received_sni = string_copy_taint(US sni_name, TRUE);
 store_pool = old_pool;
 
 /* We set this one now so that variable expansions below will work */
@@ -1970,7 +2073,7 @@ return 0;
 
 
 
-#ifndef DISABLE_OCSP
+#if !defined(DISABLE_OCSP)
 
 static int
 server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
@@ -2120,7 +2223,7 @@ if (verify_check_host(&tls_resumption_hosts) == OK)
 
   /* Try to tell if we see a ticket request */
   gnutls_handshake_set_hook_function(state->session,
-    GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_server_ticket_cb);
+    GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
   }
 }
 
@@ -2378,8 +2481,8 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
      rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
     ) if (rr->type == T_TLSA) i++;
 
-dane_data = store_get(i * sizeof(uschar *));
-dane_data_len = store_get(i * sizeof(int));
+dane_data = store_get(i * sizeof(uschar *), FALSE);
+dane_data_len = store_get(i * sizeof(int), FALSE);
 
 i = 0;
 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
@@ -2387,6 +2490,7 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
     ) if (rr->type == T_TLSA && rr->size > 3)
   {
   const uschar * p = rr->data;
+/*XXX need somehow to mark rr and its data as tainted.  Doues this mean copying it? */
   uint8_t usage = p[0], sel = p[1], type = p[2];
 
   DEBUG(D_tls)
@@ -2451,7 +2555,9 @@ if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
   tlsp->resumption |= RESUME_CLIENT_REQUESTED;
   if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
     {
-    /* key for the db is the IP */
+    /* Key for the db is the IP.  We'd like to filter the retrieved session
+    for ticket advisory expiry, but 3.6.1 seems to give no access to that */
+
     if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
       if (!(rc = gnutls_session_set_data(session,
                    CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
@@ -2475,7 +2581,6 @@ but this flag is not set until the second.  TLS 1.3 it's the other way about.
 Keep both calls as the session data cannot be extracted before handshake
 completes. */
 
-#ifdef GNUTLS_SFLAGS_SESSION_TICKET
 if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
   {
   gnutls_datum_t tkt;
@@ -2490,7 +2595,7 @@ if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
       {
       open_db dbblock, * dbm_file;
       int dlen = sizeof(dbdata_tls_session) + tkt.size;
-      dbdata_tls_session * dt = store_get(dlen);
+      dbdata_tls_session * dt = store_get(dlen, TRUE);
 
       DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
       memcpy(dt->session, tkt.data, tkt.size);
@@ -2510,7 +2615,6 @@ if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
     else DEBUG(D_tls)
       debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
   }
-#endif
 }
 
 
@@ -2751,7 +2855,7 @@ if (!verify_certificate(state, errstr))
   }
 
 #ifndef DISABLE_OCSP
-if (require_ocsp)
+if (request_ocsp)
   {
   DEBUG(D_tls)
     {
@@ -2775,10 +2879,14 @@ if (require_ocsp)
     {
     tlsp->ocsp = OCSP_FAILED;
     tls_error(US"certificate status check failed", NULL, state->host, errstr);
-    return FALSE;
+    if (require_ocsp)
+      return FALSE;
+    }
+  else
+    {
+    DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
+    tlsp->ocsp = OCSP_VFIED;
     }
-  DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
-  tlsp->ocsp = OCSP_VFIED;
   }
 #endif
 
@@ -2817,8 +2925,9 @@ void
 tls_close(void * ct_ctx, int shutdown)
 {
 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
+tls_support * tlsp = state->tlsp;
 
-if (!state->tlsp || state->tlsp->active.sock < 0) return;  /* TLS was not active */
+if (!tlsp || tlsp->active.sock < 0) return;  /* TLS was not active */
 
 if (shutdown)
   {
@@ -2830,12 +2939,26 @@ if (shutdown)
   ALARM_CLR(0);
   }
 
+if (!ct_ctx)   /* server */
+  {
+  receive_getc =       smtp_getc;
+  receive_getbuf =     smtp_getbuf;
+  receive_get_cache =  smtp_get_cache;
+  receive_ungetc =     smtp_ungetc;
+  receive_feof =       smtp_feof;
+  receive_ferror =     smtp_ferror;
+  receive_smtp_buffered = smtp_buffered;
+  }
+
 gnutls_deinit(state->session);
 gnutls_certificate_free_credentials(state->x509_cred);
 
+tlsp->active.sock = -1;
+tlsp->active.tls_ctx = NULL;
+/* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
+tls_channelbinding_b64 = NULL;
+
 
-state->tlsp->active.sock = -1;
-state->tlsp->active.tls_ctx = NULL;
 if (state->xfer_buffer) store_free(state->xfer_buffer);
 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
 }
@@ -2885,28 +3008,7 @@ if (sigalrm_seen)
 else if (inbytes == 0)
   {
   DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
-
-  receive_getc = smtp_getc;
-  receive_getbuf = smtp_getbuf;
-  receive_get_cache = smtp_get_cache;
-  receive_ungetc = smtp_ungetc;
-  receive_feof = smtp_feof;
-  receive_ferror = smtp_ferror;
-  receive_smtp_buffered = smtp_buffered;
-
-  gnutls_deinit(state->session);
-  gnutls_certificate_free_credentials(state->x509_cred);
-
-  state->session = NULL;
-  state->tlsp->active.sock = -1;
-  state->tlsp->active.tls_ctx = NULL;
-  state->tlsp->bits = 0;
-  state->tlsp->certificate_verified = FALSE;
-  tls_channelbinding_b64 = NULL;
-  state->tlsp->cipher = NULL;
-  state->tlsp->peercert = NULL;
-  state->tlsp->peerdn = NULL;
-
+  tls_close(NULL, TLS_NO_SHUTDOWN);
   return FALSE;
   }