X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=blobdiff_plain;f=src%2Fsrc%2Ftls-gnu.c;h=dab96974ce8fc2c33dc9810299b1b2d8e707c51b;hp=9f166691a0221e56d4a497046effc87f2d472a63;hb=c0635b6dfe65ee24c2fb8d165beabc608d2fd1a5;hpb=d4fd1b83a197d73cbac114fe53f3448d8b5c7cc2 diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 9f166691a..dab96974c 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2017 */ +/* Copyright (c) University of Cambridge 1995 - 2018 */ /* See the file NOTICE for conditions of use and distribution. */ /* Copyright (c) Phil Pennock 2012 */ @@ -66,8 +66,17 @@ require current GnuTLS, then we'll drop support for the ancient libraries). #if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP) # define SUPPORT_SRV_OCSP_STACK #endif -#if GNUTLS_VERSION_NUMBER >= 0x030000 && defined(EXPERIMENTAL_DANE) -# define SUPPORT_DANE + +#ifdef SUPPORT_DANE +# if GNUTLS_VERSION_NUMBER >= 0x030000 +# define DANESSL_USAGE_DANE_TA 2 +# define DANESSL_USAGE_DANE_EE 3 +# else +# error GnuTLS version too early for DANE +# endif +# if GNUTLS_VERSION_NUMBER < 0x999999 +# define GNUTLS_BROKEN_DANE_VALIDATION +# endif #endif #ifndef DISABLE_OCSP @@ -1573,7 +1582,7 @@ Returns: */ static BOOL -verify_certificate(exim_gnutls_state_st *state, uschar ** errstr) +verify_certificate(exim_gnutls_state_st * state, uschar ** errstr) { int rc; uint verify; @@ -1600,24 +1609,91 @@ else dane_state_t s; dane_query_t r; - const gnutls_datum_t * certlist; uint lsize; + const gnutls_datum_t * certlist = + gnutls_certificate_get_peers(state->session, &lsize); + int usage = tls_out.tlsa_usage; + +# ifdef GNUTLS_BROKEN_DANE_VALIDATION + /* Split the TLSA records into two sets, TA and EE selectors. Run the + dane-verification separately so that we know which selector verified; + then we know whether to do CA-chain-verification and name-verification + (needed for TA but not EE). */ + + if (usage == ((1<dane_data_len[nrec]; ) nrec++; + nrec++; + + dd = store_get(nrec * sizeof(uschar *)); + ddl = store_get(nrec * sizeof(int)); + nrec--; + + if ((rc = dane_state_init(&s, 0))) + goto tlsa_prob; + + for (usage = DANESSL_USAGE_DANE_EE; + usage >= DANESSL_USAGE_DANE_TA; usage--) + { /* take records with this usage */ + for (j = i = 0; i < nrec; i++) + if (state->dane_data[i][0] == usage) + { + dd[j] = state->dane_data[i]; + ddl[j++] = state->dane_data_len[i]; + } + if (j) + { + dd[j] = NULL; + ddl[j] = 0; + + if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0))) + goto tlsa_prob; + + if ((rc = dane_verify_crt_raw(s, certlist, lsize, + gnutls_certificate_type_get(state->session), + r, 0, + usage == DANESSL_USAGE_DANE_EE + ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0, + &verify))) + { + DEBUG(D_tls) + debug_printf("TLSA record problem: %s\n", dane_strerror(rc)); + } + else if (verify == 0) /* verification passed */ + { + usage = 1 << usage; + break; + } + } + } - certlist = gnutls_certificate_get_peers(state->session, &lsize); - - if ( (rc = dane_state_init(&s, 0)) - || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len, - 1, 0)) - || (rc = dane_verify_crt_raw(s, certlist, lsize, - gnutls_certificate_type_get(state->session), - r, 0, 0, &verify)) - ) - + if (rc) goto tlsa_prob; + } + else +# endif { - *errstr = string_sprintf("TLSA record problem: %s", dane_strerror(rc)); - goto badcert; + if ( (rc = dane_state_init(&s, 0)) + || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len, + 1, 0)) + || (rc = dane_verify_crt_raw(s, certlist, lsize, + gnutls_certificate_type_get(state->session), + r, 0, +# ifdef GNUTLS_BROKEN_DANE_VALIDATION + usage == (1 << DANESSL_USAGE_DANE_EE) + ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0, +# else + 0, +# endif + &verify)) + ) + goto tlsa_prob; } - if (verify != 0) + + if (verify != 0) /* verification failed */ { gnutls_datum_t str; (void) dane_verification_status_print(verify, &str, 0); @@ -1625,6 +1701,17 @@ else goto badcert; } state->peer_dane_verified = TRUE; + +# ifdef GNUTLS_BROKEN_DANE_VALIDATION + /* If a TA-mode TLSA record was used for verification we must additionally + verify the CA chain and the cert name. For EE-mode, skip it. */ + + if (usage & (1 << DANESSL_USAGE_DANE_EE)) +# endif + { + state->peer_cert_verified = TRUE; + goto goodcert; + } } #endif @@ -1633,9 +1720,7 @@ else /* Handle the result of verification. INVALID is set if any others are. */ -if (rc < 0 || - verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED) - ) +if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) { state->peer_cert_verified = FALSE; if (!*errstr) @@ -1676,8 +1761,14 @@ else state->peerdn ? state->peerdn : US""); } -state->tlsp->peerdn = state->peerdn; -return TRUE; +goodcert: + state->tlsp->peerdn = state->peerdn; + return TRUE; + +#ifdef SUPPORT_DANE +tlsa_prob: + *errstr = string_sprintf("TLSA record problem: %s", dane_strerror(rc)); +#endif badcert: gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE); @@ -2075,7 +2166,7 @@ use in DANE verification. We point at the dnsa data not copy it, so it must remain valid until after verification is done.*/ -static void +static BOOL dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa) { dns_record * rr; @@ -2098,17 +2189,39 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS), i = 0; ) if (rr->type == T_TLSA) { const uschar * p = rr->data; - uint8_t usage = *p; + uint8_t usage = p[0], sel = p[1], type = p[2]; + + DEBUG(D_tls) + debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size); + + if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE) + || (sel != 0 && sel != 1) + ) + continue; + switch(type) + { + case 0: /* Full: cannot check at present */ + break; + case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */ + break; + case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */ + break; + default: continue; + } tls_out.tlsa_usage |= 1<size; } + +if (!i) return FALSE; + dane_data[i] = NULL; dane_data_len[i] = 0; state->dane_data = (char * const *)dane_data; state->dane_data_len = dane_data_len; +return TRUE; } #endif @@ -2140,7 +2253,7 @@ int tls_client_start(int fd, host_item *host, address_item *addr ARG_UNUSED, transport_instance * tb, -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE dns_answer * tlsa_dnsa, #endif uschar ** errstr) @@ -2185,13 +2298,12 @@ set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only the specified host patterns if one of them is defined */ #ifdef SUPPORT_DANE -if (tlsa_dnsa) +if (tlsa_dnsa && dane_tlsa_load(state, tlsa_dnsa)) { DEBUG(D_tls) debug_printf("TLS: server certificate DANE required.\n"); state->verify_requirement = VERIFY_DANE; gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE); - dane_tlsa_load(state, tlsa_dnsa); } else #endif @@ -2256,10 +2368,8 @@ DEBUG(D_tls) debug_printf("about to gnutls_handshake\n"); sigalrm_seen = FALSE; alarm(ob->command_timeout); do - { rc = gnutls_handshake(state->session); - } while ((rc == GNUTLS_E_AGAIN) || - (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen)); +while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen); alarm(0); if (rc != GNUTLS_E_SUCCESS) @@ -2375,6 +2485,7 @@ ssize_t inbytes; DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n", state->session, state->xfer_buffer, ssl_xfer_buffer_size); +sigalrm_seen = FALSE; if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout); inbytes = gnutls_record_recv(state->session, state->xfer_buffer, MIN(ssl_xfer_buffer_size, lim));