1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Copyright (c) Phil Pennock 2012 */
11 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
12 one of the available supported implementations. This file is #included into
13 tls.c when USE_GNUTLS has been set.
15 The code herein is a revamp of GnuTLS integration using the current APIs; the
16 original tls-gnu.c was based on a patch which was contributed by Nikos
17 Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
20 APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
21 which is not widely deployed by OS vendors. Will note issues below, which may
22 assist in updating the code in the future. Another sources of hints is
23 mod_gnutls for Apache (SNI callback registration and handling).
25 Keeping client and server variables more split than before and is currently
26 the norm, in anticipation of TLS in ACL callouts.
28 I wanted to switch to gnutls_certificate_set_verify_function() so that
29 certificate rejection could happen during handshake where it belongs, rather
30 than being dropped afterwards, but that was introduced in 2.10.0 and Debian
31 (6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
33 (I wasn't looking for libraries quite that old, when updating to get rid of
34 compiler warnings of deprecated APIs. If it turns out that a lot of the rest
35 require current GnuTLS, then we'll drop support for the ancient libraries).
38 #include <gnutls/gnutls.h>
39 /* needed for cert checks in verification and DN extraction: */
40 #include <gnutls/x509.h>
41 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
42 #include <gnutls/crypto.h>
44 /* needed to disable PKCS11 autoload unless requested */
45 #if GNUTLS_VERSION_NUMBER >= 0x020c00
46 # include <gnutls/pkcs11.h>
47 # define SUPPORT_PARAM_TO_PK_BITS
49 #if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
50 # warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
53 #if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
54 # warning "GnuTLS library version too old; tls:cert event unsupported"
55 # define DISABLE_EVENT
57 #if GNUTLS_VERSION_NUMBER >= 0x030000
58 # define SUPPORT_SELFSIGN /* Uncertain what version is first usable but 2.12.23 is not */
60 #if GNUTLS_VERSION_NUMBER >= 0x030306
61 # define SUPPORT_CA_DIR
63 # undef SUPPORT_CA_DIR
65 #if GNUTLS_VERSION_NUMBER >= 0x030014
66 # define SUPPORT_SYSDEFAULT_CABUNDLE
68 #if GNUTLS_VERSION_NUMBER >= 0x030104
69 # define GNUTLS_CERT_VFY_STATUS_PRINT
71 #if GNUTLS_VERSION_NUMBER >= 0x030109
74 #if GNUTLS_VERSION_NUMBER >= 0x03010a
75 # define SUPPORT_GNUTLS_SESS_DESC
77 #if GNUTLS_VERSION_NUMBER >= 0x030300
78 # define GNUTLS_AUTO_GLOBAL_INIT
79 # define GNUTLS_AUTO_PKCS11_MANUAL
81 #if (GNUTLS_VERSION_NUMBER >= 0x030404) \
82 || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
84 # define EXIM_HAVE_OCSP
87 #if GNUTLS_VERSION_NUMBER >= 0x030500
88 # define SUPPORT_GNUTLS_KEYLOG
90 #if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
91 # define SUPPORT_SRV_OCSP_STACK
93 #if GNUTLS_VERSION_NUMBER >= 0x030600
94 # define GNUTLS_AUTO_DHPARAMS
96 #if GNUTLS_VERSION_NUMBER >= 0x030603
97 # define EXIM_HAVE_TLS1_3
98 # define SUPPORT_GNUTLS_EXT_RAW_PARSE
99 # define GNUTLS_OCSP_STATUS_REQUEST_GET2
103 # if GNUTLS_VERSION_NUMBER >= 0x030000
104 # define DANESSL_USAGE_DANE_TA 2
105 # define DANESSL_USAGE_DANE_EE 3
107 # error GnuTLS version too early for DANE
109 # if GNUTLS_VERSION_NUMBER < 0x999999
110 # define GNUTLS_BROKEN_DANE_VALIDATION
114 #ifndef DISABLE_TLS_RESUME
115 # if GNUTLS_VERSION_NUMBER >= 0x030603
116 # define EXIM_HAVE_TLS_RESUME
118 # warning "GnuTLS library version too old; resumption unsupported"
123 # include <gnutls/ocsp.h>
126 # include <gnutls/dane.h>
129 #include "tls-cipher-stdname.c"
136 # ifndef DISABLE_TLS_RESUME
137 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
139 # ifdef EXIM_HAVE_TLS1_3
140 builtin_macro_create(US"_HAVE_TLS1_3");
142 # ifdef EXIM_HAVE_OCSP
143 builtin_macro_create(US"_HAVE_TLS_OCSP");
145 # ifdef SUPPORT_SRV_OCSP_STACK
146 builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
155 gnutls_global_set_audit_log_function()
158 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
161 /* Local static variables for GnuTLS */
163 /* Values for verify_requirement */
165 enum peer_verify_requirement
166 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
168 /* This holds most state for server or client; with this, we can set up an
169 outbound TLS-enabled connection in an ACL callout, while not stomping all
170 over the TLS variables available for expansion.
172 Some of these correspond to variables in globals.c; those variables will
173 be set to point to content in one of these instances, as appropriate for
174 the stage of the process lifetime.
176 Not handled here: global tlsp->tls_channelbinding.
179 typedef struct exim_gnutls_state {
180 gnutls_session_t session;
181 gnutls_certificate_credentials_t x509_cred;
182 gnutls_priority_t priority_cache;
183 enum peer_verify_requirement verify_requirement;
187 BOOL peer_cert_verified:1;
188 BOOL peer_dane_verified:1;
189 BOOL trigger_sni_changes:1;
190 BOOL have_set_peerdn:1;
191 BOOL xfer_eof:1; /*XXX never gets set! */
197 const struct host_item *host; /* NULL if server */
198 gnutls_x509_crt_t peercert;
201 uschar *received_sni;
203 const uschar *tls_certificate;
204 const uschar *tls_privatekey;
205 const uschar *tls_sni; /* client send only, not received */
206 const uschar *tls_verify_certificates;
207 const uschar *tls_crl;
208 const uschar *tls_require_ciphers;
210 uschar *exp_tls_certificate;
211 uschar *exp_tls_privatekey;
212 uschar *exp_tls_verify_certificates;
214 uschar *exp_tls_require_ciphers;
215 const uschar *exp_tls_verify_cert_hostnames;
216 #ifndef DISABLE_EVENT
217 uschar *event_action;
220 char * const * dane_data;
221 const int * dane_data_len;
224 tls_support *tlsp; /* set in tls_init() */
229 } exim_gnutls_state_st;
231 static const exim_gnutls_state_st exim_gnutls_state_init = {
232 /* all elements not explicitly intialised here get 0/NULL/FALSE */
237 /* Not only do we have our own APIs which don't pass around state, assuming
238 it's held in globals, GnuTLS doesn't appear to let us register callback data
239 for callbacks, or as part of the session, so we have to keep a "this is the
240 context we're currently dealing with" pointer and rely upon being
241 single-threaded to keep from processing data on an inbound TLS connection while
242 talking to another TLS connection for an outbound check. This does mean that
243 there's no way for heart-beats to be responded to, for the duration of the
245 XXX But see gnutls_session_get_ptr()
248 static exim_gnutls_state_st state_server;
250 #ifndef GNUTLS_AUTO_DHPARAMS
251 /* dh_params are initialised once within the lifetime of a process using TLS;
252 if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
253 don't want to repeat this. */
255 static gnutls_dh_params_t dh_server_params = NULL;
258 static int ssl_session_timeout = 7200; /* Two hours */
260 static const uschar * const exim_default_gnutls_priority = US"NORMAL";
262 /* Guard library core initialisation */
264 static BOOL exim_gnutls_base_init_done = FALSE;
267 static BOOL gnutls_buggy_ocsp = FALSE;
268 static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
271 #ifdef EXIM_HAVE_TLS_RESUME
272 static gnutls_datum_t server_sessticket_key;
275 /* ------------------------------------------------------------------------ */
278 #define MAX_HOST_LEN 255
280 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
281 the library logging; a value less than 0 disables the calls to set up logging
282 callbacks. GNuTLS also looks for an environment variable - except not for
283 setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
284 Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
285 but the env var must be added to /etc/sudoers too. */
286 #ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
287 # define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
290 #ifndef EXIM_CLIENT_DH_MIN_BITS
291 # define EXIM_CLIENT_DH_MIN_BITS 1024
294 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
295 can ask for a bit-strength. Without that, we stick to the constant we had
297 #ifndef EXIM_SERVER_DH_BITS_PRE2_12
298 # define EXIM_SERVER_DH_BITS_PRE2_12 1024
301 #define expand_check_tlsvar(Varname, errstr) \
302 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
304 #if GNUTLS_VERSION_NUMBER >= 0x020c00
305 # define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
306 # define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
307 # define HAVE_GNUTLS_RND
308 /* The security fix we provide with the gnutls_allow_auto_pkcs11 option
309 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
310 * isn't available sometimes, so this needs to become a conditional
311 * compilation; the sanest way to deal with this being a problem on
312 * older OSes is to block it in the Local/Makefile with this compiler
314 # ifndef AVOID_GNUTLS_PKCS11
315 # define HAVE_GNUTLS_PKCS11
316 # endif /* AVOID_GNUTLS_PKCS11 */
322 /* ------------------------------------------------------------------------ */
323 /* Callback declarations */
325 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
326 static void exim_gnutls_logger_cb(int level, const char *message);
329 static int exim_sni_handling_cb(gnutls_session_t session);
331 #ifdef EXIM_HAVE_TLS_RESUME
333 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
334 unsigned incoming, const gnutls_datum_t * msg);
338 /* Daemon one-time initialisation */
340 tls_daemon_init(void)
342 #ifdef EXIM_HAVE_TLS_RESUME
343 /* We are dependent on the GnuTLS implementation of the Session Ticket
344 encryption; both the strength and the key rotation period. We hope that
345 the strength at least matches that of the ciphersuite (but GnuTLS does not
348 static BOOL once = FALSE;
351 gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
352 if (f.running_in_test_harness) ssl_session_timeout = 6;
356 /* ------------------------------------------------------------------------ */
357 /* Static functions */
359 /*************************************************
361 *************************************************/
363 /* Called from lots of places when errors occur before actually starting to do
364 the TLS handshake, that is, while the session is still in clear. Always returns
365 DEFER for a server and FAIL for a client so that most calls can use "return
366 tls_error(...)" to do this processing and then give an appropriate return. A
367 single function is used for both server and client, because it is called from
368 some shared functions.
371 prefix text to include in the logged error
372 msg additional error string (may be NULL)
373 usually obtained from gnutls_strerror()
374 host NULL if setting up a server;
375 the connected host if setting up a client
376 errstr pointer to returned error string
378 Returns: OK/DEFER/FAIL
382 tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
386 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
387 return host ? FAIL : DEFER;
392 tls_error_gnu(const uschar *prefix, int err, const host_item *host,
395 return tls_error(prefix, US gnutls_strerror(err), host, errstr);
399 tls_error_sys(const uschar *prefix, int err, const host_item *host,
402 return tls_error(prefix, US strerror(err), host, errstr);
406 /*************************************************
407 * Deal with logging errors during I/O *
408 *************************************************/
410 /* We have to get the identity of the peer from saved data.
413 state the current GnuTLS exim state container
414 rc the GnuTLS error code, or 0 if it's a local error
415 when text identifying read or write
416 text local error text when rc is 0
422 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
427 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
428 msg = string_sprintf("A TLS fatal alert has been received: %s",
429 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
431 msg = US gnutls_strerror(rc);
433 (void) tls_error(when, msg, state->host, &errstr);
436 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
437 state->host->name, state->host->address, errstr);
440 uschar * conn_info = smtp_get_connection_info();
441 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
442 /* I'd like to get separated H= here, but too hard for now */
443 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
450 /*************************************************
451 * Set various Exim expansion vars *
452 *************************************************/
454 #define exim_gnutls_cert_err(Label) \
457 if (rc != GNUTLS_E_SUCCESS) \
459 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
460 (Label), gnutls_strerror(rc)); \
466 import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
470 rc = gnutls_x509_crt_init(crtp);
471 exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
473 rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
474 exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
479 #undef exim_gnutls_cert_err
482 /* We set various Exim global variables from the state, once a session has
483 been established. With TLS callouts, may need to change this to stack
484 variables, or just re-call it with the server state after client callout
487 Make sure anything set here is unset in tls_getc().
491 tls_bits strength indicator
492 tls_certificate_verified bool indicator
493 tls_channelbinding for some SASL mechanisms
496 tls_peercert pointer to library internal
498 tls_sni a (UTF-8) string
499 tls_ourcert pointer to library internal
502 state the relevant exim_gnutls_state_st *
506 extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
508 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
511 gnutls_datum_t channel;
513 tls_support * tlsp = state->tlsp;
515 tlsp->active.sock = state->fd_out;
516 tlsp->active.tls_ctx = state;
518 DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
520 tlsp->certificate_verified = state->peer_cert_verified;
522 tlsp->dane_verified = state->peer_dane_verified;
525 /* note that tls_channelbinding is not saved to the spool file, since it's
526 only available for use for authenticators while this TLS session is running. */
528 tlsp->channelbinding = NULL;
529 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
532 if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
533 { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
536 /* Declare the taintedness of the binding info. On server, untainted; on
537 client, tainted - being the Finish msg from the server. */
539 old_pool = store_pool;
540 store_pool = POOL_PERM;
541 tlsp->channelbinding = b64encode_taint(CUS channel.data, (int)channel.size,
543 store_pool = old_pool;
544 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage\n");
548 /* peercert is set in peer_status() */
549 tlsp->peerdn = state->peerdn;
550 tlsp->sni = state->received_sni;
552 /* record our certificate */
554 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
555 gnutls_x509_crt_t crt;
557 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
564 #ifndef GNUTLS_AUTO_DHPARAMS
565 /*************************************************
566 * Setup up DH parameters *
567 *************************************************/
569 /* Generating the D-H parameters may take a long time. They only need to
570 be re-generated every so often, depending on security policy. What we do is to
571 keep these parameters in a file in the spool directory. If the file does not
572 exist, we generate them. This means that it is easy to cause a regeneration.
574 The new file is written as a temporary file and renamed, so that an incomplete
575 file is never present. If two processes both compute some new parameters, you
576 waste a bit of effort, but it doesn't seem worth messing around with locking to
579 Returns: OK/DEFER/FAIL
583 init_server_dh(uschar ** errstr)
586 unsigned int dh_bits;
587 gnutls_datum_t m = {.data = NULL, .size = 0};
588 uschar filename_buf[PATH_MAX];
589 uschar *filename = NULL;
591 uschar *exp_tls_dhparam;
592 BOOL use_file_in_spool = FALSE;
593 host_item *host = NULL; /* dummy for macros */
595 DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
597 if ((rc = gnutls_dh_params_init(&dh_server_params)))
598 return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
600 if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
603 if (!exp_tls_dhparam)
605 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
606 m.data = US std_dh_prime_default();
607 m.size = Ustrlen(m.data);
609 else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
610 use_file_in_spool = TRUE;
611 else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
613 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
616 else if (exp_tls_dhparam[0] != '/')
618 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
619 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
620 m.size = Ustrlen(m.data);
623 filename = exp_tls_dhparam;
627 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
628 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
629 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
633 #ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
634 /* If you change this constant, also change dh_param_fn_ext so that we can use a
635 different filename and ensure we have sufficient bits. */
637 if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
638 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
640 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
643 dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
645 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
649 /* Some clients have hard-coded limits. */
650 if (dh_bits > tls_dh_max_bits)
653 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
655 dh_bits = tls_dh_max_bits;
658 if (use_file_in_spool)
660 if (!string_format(filename_buf, sizeof(filename_buf),
661 "%s/gnutls-params-%d", spool_directory, dh_bits))
662 return tls_error(US"overlong filename", NULL, NULL, errstr);
663 filename = filename_buf;
666 /* Open the cache file for reading and if successful, read it and set up the
669 if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
675 if (fstat(fd, &statbuf) < 0) /* EIO */
679 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
681 if (!S_ISREG(statbuf.st_mode))
684 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
686 if (!(fp = fdopen(fd, "rb")))
690 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
691 saved_errno, NULL, errstr);
694 m.size = statbuf.st_size;
695 if (!(m.data = store_malloc(m.size)))
698 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
700 if (!(sz = fread(m.data, m.size, 1, fp)))
705 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
709 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
712 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
713 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
716 /* If the file does not exist, fall through to compute new data and cache it.
717 If there was any other opening error, it is serious. */
719 else if (errno == ENOENT)
723 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
726 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
729 /* If ret < 0, either the cache file does not exist, or the data it contains
730 is not useful. One particular case of this is when upgrading from an older
731 release of Exim in which the data was stored in a different format. We don't
732 try to be clever and support both formats; we just regenerate new data in this
738 unsigned int dh_bits_gen = dh_bits;
740 if ((PATH_MAX - Ustrlen(filename)) < 10)
741 return tls_error(US"Filename too long to generate replacement",
742 filename, NULL, errstr);
744 temp_fn = string_copy(US"%s.XXXXXXX");
745 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
746 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
747 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
749 /* GnuTLS overshoots! If we ask for 2236, we might get 2237 or more. But
750 there's no way to ask GnuTLS how many bits there really are. We can ask
751 how many bits were used in a TLS session, but that's it! The prime itself
752 is hidden behind too much abstraction. So we ask for less, and proceed on
753 a wing and a prayer. First attempt, subtracted 3 for 2233 and got 2240. */
755 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
757 dh_bits_gen = dh_bits - 10;
759 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
764 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
766 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
767 return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
769 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
770 and I confirmed that a NULL call to get the size first is how the GnuTLS
771 sample apps handle this. */
775 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
776 GNUTLS_X509_FMT_PEM, m.data, &sz))
777 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
778 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
781 if (!(m.data = store_malloc(m.size)))
782 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
784 /* this will return a size 1 less than the allocation size above */
785 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
789 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
791 m.size = sz; /* shrink by 1, probably */
793 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
796 return tls_error_sys(US"TLS cache write D-H params failed",
797 errno, NULL, errstr);
800 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
801 return tls_error_sys(US"TLS cache write D-H params final newline failed",
802 errno, NULL, errstr);
804 if ((rc = close(fd)))
805 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
807 if (Urename(temp_fn, filename) < 0)
808 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
809 temp_fn, filename), errno, NULL, errstr);
811 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
814 DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
822 /* Create and install a selfsigned certificate, for use in server mode */
825 tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
827 gnutls_x509_crt_t cert = NULL;
829 gnutls_x509_privkey_t pkey = NULL;
830 const uschar * where;
833 #ifndef SUPPORT_SELFSIGN
834 where = US"library too old";
835 rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
839 where = US"initialising pkey";
840 if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
842 where = US"initialising cert";
843 if ((rc = gnutls_x509_crt_init(&cert))) goto err;
845 where = US"generating pkey"; /* Hangs on 2.12.23 */
846 if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
847 #ifdef SUPPORT_PARAM_TO_PK_BITS
848 # ifndef GNUTLS_SEC_PARAM_MEDIUM
849 # define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
851 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
858 where = US"configuring cert";
860 if ( (rc = gnutls_x509_crt_set_version(cert, 3))
861 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
862 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
863 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
864 || (rc = gnutls_x509_crt_set_key(cert, pkey))
866 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
867 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
868 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
869 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
870 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
871 GNUTLS_OID_X520_COMMON_NAME, 0,
872 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
876 where = US"signing cert";
877 if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
879 where = US"installing selfsign cert";
881 if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
887 if (cert) gnutls_x509_crt_deinit(cert);
888 if (pkey) gnutls_x509_privkey_deinit(pkey);
892 rc = tls_error_gnu(where, rc, NULL, errstr);
899 /* Add certificate and key, from files.
902 Zero or negative: good. Negate value for certificate index if < 0.
903 Greater than zero: FAIL or DEFER code.
907 tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
908 uschar * certfile, uschar * keyfile, uschar ** errstr)
910 int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
911 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
913 return tls_error_gnu(
914 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
920 #if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
921 /* Load an OCSP proof from file for sending by the server. Called
922 on getting a status-request handshake message, for earlier versions
926 server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
927 gnutls_datum_t * ocsp_response)
930 DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
932 if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
934 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
936 tls_in.ocsp = OCSP_NOT_RESP;
937 return GNUTLS_E_NO_CERTIFICATE_STATUS;
940 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
946 #ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
947 /* Make a note that we saw a status-request */
949 tls_server_clienthello_ext(void * ctx, unsigned tls_id,
950 const unsigned char *data, unsigned size)
952 /* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
953 if (tls_id == 5) /* status_request */
955 DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
956 tls_in.ocsp = OCSP_NOT_RESP;
961 /* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
963 tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
964 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
966 /* Call fn for each extension seen. 3.6.3 onwards */
967 return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
968 GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
972 /* Make a note that we saw a status-response */
974 tls_server_servercerts_ext(void * ctx, unsigned tls_id,
975 const unsigned char *data, unsigned size)
977 /* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
978 /* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
979 if (FALSE && tls_id == 5) /* status_request */
981 DEBUG(D_tls) debug_printf("Seen status_request extension\n");
982 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
983 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
988 /* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
990 tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
991 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
993 /* Call fn for each extension seen. 3.6.3 onwards */
996 return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
1001 /*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
1002 "Handshake Protocol: Certificate" record.
1003 So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
1005 This is different to tls1.2 - where it is a separate record (wireshark term) / handshake message (gnutls term).
1008 #if defined(EXIM_HAVE_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1009 /* Callback for certificate-status, on server. We sent stapled OCSP. */
1011 tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
1012 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
1014 DEBUG(D_tls) debug_printf("Sending certificate-status\n"); /*XXX we get this for tls1.2 but not for 1.3 */
1015 #ifdef SUPPORT_SRV_OCSP_STACK
1016 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
1017 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
1019 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1024 /* Callback for handshake messages, on server */
1026 tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
1027 unsigned incoming, const gnutls_datum_t * msg)
1029 /* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
1032 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1033 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1034 return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
1035 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1036 return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
1038 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1039 return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
1040 # ifdef EXIM_HAVE_TLS_RESUME
1041 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1042 return tls_server_ticket_cb(sess, htype, when, incoming, msg);
1051 #if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1053 tls_server_testharness_ocsp_fiddle(void)
1055 extern char ** environ;
1056 if (environ) for (uschar ** p = USS environ; *p; p++)
1057 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1059 DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
1060 exim_testharness_disable_ocsp_validity_check = TRUE;
1065 /*************************************************
1066 * Variables re-expanded post-SNI *
1067 *************************************************/
1069 /* Called from both server and client code, via tls_init(), and also from
1070 the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
1072 We can tell the two apart by state->received_sni being non-NULL in callback.
1074 The callback should not call us unless state->trigger_sni_changes is true,
1075 which we are responsible for setting on the first pass through.
1078 state exim_gnutls_state_st *
1079 errstr error string pointer
1081 Returns: OK/DEFER/FAIL
1085 tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
1087 struct stat statbuf;
1089 const host_item *host = state->host; /* macro should be reconsidered? */
1090 uschar *saved_tls_certificate = NULL;
1091 uschar *saved_tls_privatekey = NULL;
1092 uschar *saved_tls_verify_certificates = NULL;
1093 uschar *saved_tls_crl = NULL;
1096 /* We check for tls_sni *before* expansion. */
1097 if (!host) /* server */
1098 if (!state->received_sni)
1100 if ( state->tls_certificate
1101 && ( Ustrstr(state->tls_certificate, US"tls_sni")
1102 || Ustrstr(state->tls_certificate, US"tls_in_sni")
1103 || Ustrstr(state->tls_certificate, US"tls_out_sni")
1106 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
1107 state->trigger_sni_changes = TRUE;
1112 /* useful for debugging */
1113 saved_tls_certificate = state->exp_tls_certificate;
1114 saved_tls_privatekey = state->exp_tls_privatekey;
1115 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
1116 saved_tls_crl = state->exp_tls_crl;
1119 if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
1120 return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
1123 #ifdef SUPPORT_SRV_OCSP_STACK
1124 gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
1126 # if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1127 if (!host && tls_ocsp_file)
1129 if (f.running_in_test_harness)
1130 tls_server_testharness_ocsp_fiddle();
1132 if (exim_testharness_disable_ocsp_validity_check)
1133 gnutls_certificate_set_flags(state->x509_cred,
1134 GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
1139 /* remember: expand_check_tlsvar() is expand_check() but fiddling with
1140 state members, assuming consistent naming; and expand_check() returns
1141 false if expansion failed, unless expansion was forced to fail. */
1143 /* check if we at least have a certificate, before doing expensive
1146 if (!expand_check_tlsvar(tls_certificate, errstr))
1149 /* certificate is mandatory in server, optional in client */
1151 if ( !state->exp_tls_certificate
1152 || !*state->exp_tls_certificate
1155 return tls_install_selfsign(state, errstr);
1157 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
1159 if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
1162 /* tls_privatekey is optional, defaulting to same file as certificate */
1164 if (!state->tls_privatekey || !*state->tls_privatekey)
1166 state->tls_privatekey = state->tls_certificate;
1167 state->exp_tls_privatekey = state->exp_tls_certificate;
1171 if (state->exp_tls_certificate && *state->exp_tls_certificate)
1173 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
1174 state->exp_tls_certificate, state->exp_tls_privatekey);
1176 if (state->received_sni)
1177 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
1178 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
1181 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
1185 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
1188 if (!host) /* server */
1190 const uschar * clist = state->exp_tls_certificate;
1191 const uschar * klist = state->exp_tls_privatekey;
1192 const uschar * olist;
1193 int csep = 0, ksep = 0, osep = 0, cnt = 0;
1194 uschar * cfile, * kfile, * ofile;
1195 #ifndef DISABLE_OCSP
1196 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1197 gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
1200 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
1205 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
1207 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
1208 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
1209 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
1213 int gnutls_cert_index = -rc;
1214 DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
1215 gnutls_cert_index, cfile);
1217 #ifndef DISABLE_OCSP
1220 /* Set the OCSP stapling server info */
1221 if (gnutls_buggy_ocsp)
1224 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1226 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1228 DEBUG(D_tls) debug_printf("OCSP response file %d = %s\n",
1229 gnutls_cert_index, ofile);
1230 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1231 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1233 ocsp_fmt = GNUTLS_X509_FMT_PEM;
1236 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1238 ocsp_fmt = GNUTLS_X509_FMT_DER;
1242 if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
1243 state->x509_cred, CCS ofile, gnutls_cert_index,
1245 return tls_error_gnu(
1246 US"gnutls_certificate_set_ocsp_status_request_file2",
1249 debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
1251 /* Arrange callbacks for OCSP request observability */
1253 gnutls_handshake_set_hook_function(state->session,
1254 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1257 # if defined(SUPPORT_SRV_OCSP_STACK)
1258 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1259 state->x509_cred, gnutls_cert_index,
1260 server_ocsp_stapling_cb, ofile)))
1261 return tls_error_gnu(
1262 US"gnutls_certificate_set_ocsp_status_request_function2",
1270 debug_printf("oops; multiple OCSP files not supported\n");
1273 gnutls_certificate_set_ocsp_status_request_function(
1274 state->x509_cred, server_ocsp_stapling_cb, ofile);
1276 # endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
1279 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
1281 #endif /* DISABLE_OCSP */
1286 if (0 < (rc = tls_add_certfile(state, host,
1287 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1289 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1292 } /* tls_certificate */
1295 /* Set the trusted CAs file if one is provided, and then add the CRL if one is
1296 provided. Experiment shows that, if the certificate file is empty, an unhelpful
1297 error message is provided. However, if we just refrain from setting anything up
1298 in that case, certificate verification fails, which seems to be the correct
1301 if (state->tls_verify_certificates && *state->tls_verify_certificates)
1303 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
1305 #ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1306 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1307 state->exp_tls_verify_certificates = NULL;
1309 if (state->tls_crl && *state->tls_crl)
1310 if (!expand_check_tlsvar(tls_crl, errstr))
1313 if (!(state->exp_tls_verify_certificates &&
1314 *state->exp_tls_verify_certificates))
1317 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1318 /* With no tls_verify_certificates, we ignore tls_crl too */
1325 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1329 #ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1330 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1331 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1335 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1337 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
1338 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1343 #ifndef SUPPORT_CA_DIR
1344 /* The test suite passes in /dev/null; we could check for that path explicitly,
1345 but who knows if someone has some weird FIFO which always dumps some certs, or
1346 other weirdness. The thing we really want to check is that it's not a
1347 directory, since while OpenSSL supports that, GnuTLS does not.
1348 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
1349 if (S_ISDIR(statbuf.st_mode))
1352 debug_printf("verify certificates path is a dir: \"%s\"\n",
1353 state->exp_tls_verify_certificates);
1354 log_write(0, LOG_MAIN|LOG_PANIC,
1355 "tls_verify_certificates \"%s\" is a directory",
1356 state->exp_tls_verify_certificates);
1361 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1362 state->exp_tls_verify_certificates, statbuf.st_size);
1364 if (statbuf.st_size == 0)
1367 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1373 #ifdef SUPPORT_CA_DIR
1374 (statbuf.st_mode & S_IFMT) == S_IFDIR
1376 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1377 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1380 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1381 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
1383 #ifdef SUPPORT_CA_DIR
1384 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1385 when using the directory-of-certs config model. */
1387 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1388 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1393 return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
1395 debug_printf("Added %d certificate authorities.\n", cert_count);
1397 if (state->tls_crl && *state->tls_crl &&
1398 state->exp_tls_crl && *state->exp_tls_crl)
1400 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
1401 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1402 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
1403 return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
1404 cert_count, host, errstr);
1406 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1415 /*************************************************
1416 * Set X.509 state variables *
1417 *************************************************/
1419 /* In GnuTLS, the registered cert/key are not replaced by a later
1420 set of a cert/key, so for SNI support we need a whole new x509_cred
1421 structure. Which means various other non-re-expanded pieces of state
1422 need to be re-set in the new struct, so the setting logic is pulled
1426 state exim_gnutls_state_st *
1427 errstr error string pointer
1429 Returns: OK/DEFER/FAIL
1433 tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1436 const host_item *host = state->host; /* macro should be reconsidered? */
1438 #ifndef GNUTLS_AUTO_DHPARAMS
1439 /* Create D-H parameters, or read them from the cache file. This function does
1440 its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1441 client-side params. */
1445 if (!dh_server_params)
1446 if ((rc = init_server_dh(errstr)) != OK) return rc;
1448 /* Unnecessary & discouraged with 3.6.0 or later */
1449 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1453 /* Link the credentials to the session. */
1455 if ((rc = gnutls_credentials_set(state->session,
1456 GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
1457 return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
1462 /*************************************************
1463 * Initialize for GnuTLS *
1464 *************************************************/
1467 #ifndef DISABLE_OCSP
1470 tls_is_buggy_ocsp(void)
1473 uschar maj, mid, mic;
1475 s = CUS gnutls_check_version(NULL);
1479 while (*s && *s != '.') s++;
1480 mid = atoi(CCS ++s);
1487 while (*s && *s != '.') s++;
1488 mic = atoi(CCS ++s);
1489 return mic <= (mid == 3 ? 16 : 3);
1498 /* Called from both server and client code. In the case of a server, errors
1499 before actual TLS negotiation return DEFER.
1502 host connected host, if client; NULL if server
1503 certificate certificate file
1504 privatekey private key file
1505 sni TLS SNI to send, sometimes when client; else NULL
1508 require_ciphers tls_require_ciphers setting
1509 caller_state returned state-info structure
1510 errstr error string pointer
1512 Returns: OK/DEFER/FAIL
1517 const host_item *host,
1518 const uschar *certificate,
1519 const uschar *privatekey,
1523 const uschar *require_ciphers,
1524 exim_gnutls_state_st **caller_state,
1528 exim_gnutls_state_st * state;
1531 const char * errpos;
1534 if (!exim_gnutls_base_init_done)
1536 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1538 #if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
1539 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1540 which loads modules from a config file, which sounds good and may be wanted
1541 by some sysadmin, but also means in common configurations that GNOME keyring
1542 environment variables are used and so breaks for users calling mailq.
1543 To prevent this, we init PKCS11 first, which is the documented approach. */
1544 if (!gnutls_allow_auto_pkcs11)
1545 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
1546 return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
1549 #ifndef GNUTLS_AUTO_GLOBAL_INIT
1550 if ((rc = gnutls_global_init()))
1551 return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
1554 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1557 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1558 /* arbitrarily chosen level; bump up to 9 for more */
1559 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
1563 #ifndef DISABLE_OCSP
1564 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
1565 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
1568 exim_gnutls_base_init_done = TRUE;
1573 /* For client-side sessions we allocate a context. This lets us run
1574 several in parallel. */
1575 int old_pool = store_pool;
1576 store_pool = POOL_PERM;
1577 state = store_get(sizeof(exim_gnutls_state_st), FALSE);
1578 store_pool = old_pool;
1580 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1582 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1583 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1587 state = &state_server;
1588 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1590 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1591 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1594 return tls_error_gnu(US"gnutls_init", rc, host, errstr);
1598 state->tls_certificate = certificate;
1599 state->tls_privatekey = privatekey;
1600 state->tls_require_ciphers = require_ciphers;
1601 state->tls_sni = sni;
1602 state->tls_verify_certificates = cas;
1603 state->tls_crl = crl;
1605 /* This handles the variables that might get re-expanded after TLS SNI;
1606 that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
1609 debug_printf("Expanding various TLS configuration options for session credentials.\n");
1610 if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
1612 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1613 requires a new structure afterwards. */
1615 if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
1617 /* set SNI in client, only */
1620 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
1622 if (state->tlsp->sni && *state->tlsp->sni)
1625 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1626 sz = Ustrlen(state->tlsp->sni);
1627 if ((rc = gnutls_server_name_set(state->session,
1628 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
1629 return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
1632 else if (state->tls_sni)
1633 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1634 "have an SNI set for a server [%s]\n", state->tls_sni);
1636 /* This is the priority string support,
1637 http://www.gnutls.org/manual/html_node/Priority-Strings.html
1638 and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1639 This was backwards incompatible, but means Exim no longer needs to track
1640 all algorithms and provide string forms for them. */
1643 if (state->tls_require_ciphers && *state->tls_require_ciphers)
1645 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
1647 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
1649 p = state->exp_tls_require_ciphers;
1650 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
1655 p = exim_default_gnutls_priority;
1657 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
1660 if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
1661 return tls_error_gnu(string_sprintf(
1662 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1663 p, errpos - CS p, errpos),
1666 if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
1667 return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
1669 /* This also sets the server ticket expiration time to the same, and
1670 the STEK rotation time to 3x. */
1672 gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1674 /* Reduce security in favour of increased compatibility, if the admin
1675 decides to make that trade-off. */
1676 if (gnutls_compat_mode)
1678 #if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1679 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1680 gnutls_session_enable_compatibility_mode(state->session);
1682 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1686 *caller_state = state;
1692 /*************************************************
1693 * Extract peer information *
1694 *************************************************/
1696 static const uschar *
1697 cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
1698 gnutls_mac_algorithm_t mac)
1701 gnutls_kx_algorithm_t kx_i;
1702 gnutls_cipher_algorithm_t cipher_i;
1703 gnutls_mac_algorithm_t mac_i;
1706 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
1708 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
1709 return cipher_stdname(cs_id[0], cs_id[1]);
1715 /* Called from both server and client code.
1716 Only this is allowed to set state->peerdn and state->have_set_peerdn
1717 and we use that to detect double-calls.
1719 NOTE: the state blocks last while the TLS connection is up, which is fine
1720 for logging in the server side, but for the client side, we log after teardown
1721 in src/deliver.c. While the session is up, we can twist about states and
1722 repoint tls_* globals, but those variables used for logging or other variable
1723 expansion that happens _after_ delivery need to have a longer life-time.
1725 So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1726 doing this more than once per generation of a state context. We set them in
1727 the state context, and repoint tls_* to them. After the state goes away, the
1728 tls_* copies of the pointers remain valid and client delivery logging is happy.
1730 tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1734 state exim_gnutls_state_st *
1735 errstr pointer to error string
1737 Returns: OK/DEFER/FAIL
1741 peer_status(exim_gnutls_state_st * state, uschar ** errstr)
1743 gnutls_session_t session = state->session;
1744 const gnutls_datum_t * cert_list;
1746 unsigned int cert_list_size = 0;
1747 gnutls_protocol_t protocol;
1748 gnutls_cipher_algorithm_t cipher;
1749 gnutls_kx_algorithm_t kx;
1750 gnutls_mac_algorithm_t mac;
1751 gnutls_certificate_type_t ct;
1752 gnutls_x509_crt_t crt;
1756 if (state->have_set_peerdn)
1758 state->have_set_peerdn = TRUE;
1760 state->peerdn = NULL;
1763 cipher = gnutls_cipher_get(session);
1764 protocol = gnutls_protocol_get_version(session);
1765 mac = gnutls_mac_get(session);
1767 #ifdef GNUTLS_TLS1_3
1768 protocol >= GNUTLS_TLS1_3 ? 0 :
1770 gnutls_kx_get(session);
1772 old_pool = store_pool;
1774 tls_support * tlsp = state->tlsp;
1775 store_pool = POOL_PERM;
1777 #ifdef SUPPORT_GNUTLS_SESS_DESC
1780 uschar * s = US gnutls_session_get_desc(session), c;
1782 /* Nikos M suggests we use this by preference. It returns like:
1783 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
1785 For partial back-compat, put a colon after the TLS version, replace the
1786 )-( grouping with __, replace in-group - with _ and append the :keysize. */
1788 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
1790 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
1792 tlsp->ver = string_copyn(g->s, g->ptr);
1793 for (uschar * p = US tlsp->ver; *p; p++)
1794 if (*p == '-') { *p = '\0'; break; } /* TLS1.0-PKIX -> TLS1.0 */
1796 g = string_catn(g, US":", 1);
1797 if (*s) s++; /* now on _ between groups */
1800 for (*++s && ++s; (c = *s) && c != ')'; s++)
1801 g = string_catn(g, c == '-' ? US"_" : s, 1);
1802 /* now on ) closing group */
1803 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
1804 /* now on _ between groups */
1806 g = string_catn(g, US":", 1);
1807 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
1808 state->ciphersuite = string_from_gstring(g);
1811 state->ciphersuite = string_sprintf("%s:%s:%d",
1812 gnutls_protocol_get_name(protocol),
1813 gnutls_cipher_suite_get_name(kx, cipher, mac),
1814 (int) gnutls_cipher_get_key_size(cipher) * 8);
1816 /* I don't see a way that spaces could occur, in the current GnuTLS
1817 code base, but it was a concern in the old code and perhaps older GnuTLS
1818 releases did return "TLS 1.0"; play it safe, just in case. */
1820 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
1821 tlsp->ver = string_copyn(state->ciphersuite,
1822 Ustrchr(state->ciphersuite, ':') - state->ciphersuite);
1825 /* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
1827 tlsp->cipher = state->ciphersuite;
1828 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
1830 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
1832 store_pool = old_pool;
1835 cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1837 if (!cert_list || cert_list_size == 0)
1839 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1840 cert_list, cert_list_size);
1841 if (state->verify_requirement >= VERIFY_REQUIRED)
1842 return tls_error(US"certificate verification failed",
1843 US"no certificate received from peer", state->host, errstr);
1847 if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
1849 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
1851 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
1852 if (state->verify_requirement >= VERIFY_REQUIRED)
1853 return tls_error(US"certificate verification not possible, unhandled type",
1854 ctn, state->host, errstr);
1858 #define exim_gnutls_peer_err(Label) \
1860 if (rc != GNUTLS_E_SUCCESS) \
1862 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1863 (Label), gnutls_strerror(rc)); \
1864 if (state->verify_requirement >= VERIFY_REQUIRED) \
1865 return tls_error_gnu((Label), rc, state->host, errstr); \
1870 rc = import_cert(&cert_list[0], &crt);
1871 exim_gnutls_peer_err(US"cert 0");
1873 state->tlsp->peercert = state->peercert = crt;
1876 rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1877 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
1879 exim_gnutls_peer_err(US"getting size for cert DN failed");
1880 return FAIL; /* should not happen */
1882 dn_buf = store_get_perm(sz, TRUE); /* tainted */
1883 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1884 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
1886 state->peerdn = dn_buf;
1889 #undef exim_gnutls_peer_err
1895 /*************************************************
1896 * Verify peer certificate *
1897 *************************************************/
1899 /* Called from both server and client code.
1900 *Should* be using a callback registered with
1901 gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1902 the peer information, but that's too new for some OSes.
1905 state exim_gnutls_state_st *
1906 errstr where to put an error message
1909 FALSE if the session should be rejected
1910 TRUE if the cert is okay or we just don't care
1914 verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
1919 DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
1921 rc = peer_status(state, errstr);
1923 if (state->verify_requirement == VERIFY_NONE)
1926 if (rc != OK || !state->peerdn)
1928 verify = GNUTLS_CERT_INVALID;
1929 *errstr = US"certificate not supplied";
1935 if (state->verify_requirement == VERIFY_DANE && state->host)
1937 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1938 including talking to a DNS resolver. But we want to do that bit ourselves
1939 as the testsuite intercepts and fakes its own DNS environment. */
1944 const gnutls_datum_t * certlist =
1945 gnutls_certificate_get_peers(state->session, &lsize);
1946 int usage = tls_out.tlsa_usage;
1948 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
1949 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1950 dane-verification separately so that we know which selector verified;
1951 then we know whether to do name-verification (needed for TA but not EE). */
1953 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
1954 { /* a mixed-usage bundle */
1959 for (nrec = 0; state->dane_data_len[nrec]; ) nrec++;
1962 dd = store_get(nrec * sizeof(uschar *), FALSE);
1963 ddl = store_get(nrec * sizeof(int), FALSE);
1966 if ((rc = dane_state_init(&s, 0)))
1969 for (usage = DANESSL_USAGE_DANE_EE;
1970 usage >= DANESSL_USAGE_DANE_TA; usage--)
1971 { /* take records with this usage */
1972 for (j = i = 0; i < nrec; i++)
1973 if (state->dane_data[i][0] == usage)
1975 dd[j] = state->dane_data[i];
1976 ddl[j++] = state->dane_data_len[i];
1983 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1986 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1987 gnutls_certificate_type_get(state->session),
1989 usage == DANESSL_USAGE_DANE_EE
1990 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1994 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1996 else if (verify == 0) /* verification passed */
2004 if (rc) goto tlsa_prob;
2009 if ( (rc = dane_state_init(&s, 0))
2010 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
2012 || (rc = dane_verify_crt_raw(s, certlist, lsize,
2013 gnutls_certificate_type_get(state->session),
2015 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2016 usage == (1 << DANESSL_USAGE_DANE_EE)
2017 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
2026 if (verify != 0) /* verification failed */
2029 (void) dane_verification_status_print(verify, &str, 0);
2030 *errstr = US str.data; /* don't bother to free */
2034 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2035 /* If a TA-mode TLSA record was used for verification we must additionally
2036 verify the cert name (but not the CA chain). For EE-mode, skip it. */
2038 if (usage & (1 << DANESSL_USAGE_DANE_EE))
2041 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2044 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2045 /* Assume that the name on the A-record is the one that should be matching
2046 the cert. An alternate view is that the domain part of the email address
2047 is also permissible. */
2049 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2050 CS state->host->name))
2052 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2057 #endif /*SUPPORT_DANE*/
2059 rc = gnutls_certificate_verify_peers2(state->session, &verify);
2062 /* Handle the result of verification. INVALID is set if any others are. */
2064 if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
2066 state->peer_cert_verified = FALSE;
2069 #ifdef GNUTLS_CERT_VFY_STATUS_PRINT
2074 if (gnutls_certificate_verification_status_print(verify,
2075 gnutls_certificate_type_get(state->session), &txt, 0)
2076 == GNUTLS_E_SUCCESS)
2078 debug_printf("%s\n", txt.data);
2079 gnutls_free(txt.data);
2083 *errstr = verify & GNUTLS_CERT_REVOKED
2084 ? US"certificate revoked" : US"certificate invalid";
2088 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
2089 *errstr, state->peerdn ? state->peerdn : US"<unset>");
2091 if (state->verify_requirement >= VERIFY_REQUIRED)
2094 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
2099 /* Client side, check the server's certificate name versus the name on the
2100 A-record for the connection we made. What to do for server side - what name
2101 to use for client? We document that there is no such checking for server
2104 if ( state->exp_tls_verify_cert_hostnames
2105 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2106 CS state->exp_tls_verify_cert_hostnames)
2110 debug_printf("TLS certificate verification failed: cert name mismatch\n");
2111 if (state->verify_requirement >= VERIFY_REQUIRED)
2116 state->peer_cert_verified = TRUE;
2117 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
2118 state->peerdn ? state->peerdn : US"<unset>");
2122 state->tlsp->peerdn = state->peerdn;
2127 *errstr = string_sprintf("TLSA record problem: %s",
2128 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
2132 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
2139 /* ------------------------------------------------------------------------ */
2142 /* Logging function which can be registered with
2143 * gnutls_global_set_log_function()
2144 * gnutls_global_set_log_level() 0..9
2146 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
2148 exim_gnutls_logger_cb(int level, const char *message)
2150 size_t len = strlen(message);
2153 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
2156 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
2157 message[len-1] == '\n' ? "" : "\n");
2162 /* Called after client hello, should handle SNI work.
2163 This will always set tls_sni (state->received_sni) if available,
2164 and may trigger presenting different certificates,
2165 if state->trigger_sni_changes is TRUE.
2167 Should be registered with
2168 gnutls_handshake_set_post_client_hello_function()
2170 "This callback must return 0 on success or a gnutls error code to terminate the
2173 For inability to get SNI information, we return 0.
2174 We only return non-zero if re-setup failed.
2175 Only used for server-side TLS.
2179 exim_sni_handling_cb(gnutls_session_t session)
2181 char sni_name[MAX_HOST_LEN];
2182 size_t data_len = MAX_HOST_LEN;
2183 exim_gnutls_state_st *state = &state_server;
2184 unsigned int sni_type;
2186 uschar * dummy_errstr;
2188 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
2189 if (rc != GNUTLS_E_SUCCESS)
2192 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
2193 debug_printf("TLS: no SNI presented in handshake.\n");
2195 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
2196 gnutls_strerror(rc), rc);
2200 if (sni_type != GNUTLS_NAME_DNS)
2202 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
2206 /* We now have a UTF-8 string in sni_name */
2207 old_pool = store_pool;
2208 store_pool = POOL_PERM;
2209 state->received_sni = string_copy_taint(US sni_name, TRUE);
2210 store_pool = old_pool;
2212 /* We set this one now so that variable expansions below will work */
2213 state->tlsp->sni = state->received_sni;
2215 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
2216 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
2218 if (!state->trigger_sni_changes)
2221 if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
2223 /* If the setup of certs/etc failed before handshake, TLS would not have
2224 been offered. The best we can do now is abort. */
2225 return GNUTLS_E_APPLICATION_ERROR_MIN;
2228 rc = tls_set_remaining_x509(state, &dummy_errstr);
2229 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
2236 #ifndef DISABLE_EVENT
2238 We use this callback to get observability and detail-level control
2239 for an exim TLS connection (either direction), raising a tls:cert event
2240 for each cert in the chain presented by the peer. Any event
2241 can deny verification.
2243 Return 0 for the handshake to continue or non-zero to terminate.
2247 verify_cb(gnutls_session_t session)
2249 const gnutls_datum_t * cert_list;
2250 unsigned int cert_list_size = 0;
2251 gnutls_x509_crt_t crt;
2254 exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2256 if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
2257 while (cert_list_size--)
2259 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
2261 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2262 cert_list_size, gnutls_strerror(rc));
2266 state->tlsp->peercert = crt;
2267 if ((yield = event_raise(state->event_action,
2268 US"tls:cert", string_sprintf("%d", cert_list_size))))
2270 log_write(0, LOG_MAIN,
2271 "SSL verify denied by event-action: depth=%d: %s",
2272 cert_list_size, yield);
2273 return 1; /* reject */
2275 state->tlsp->peercert = NULL;
2285 ddump(gnutls_datum_t * d)
2287 gstring * g = string_get((d->size+1) * 2);
2288 uschar * s = d->data;
2289 for (unsigned i = d->size; i > 0; i--, s++)
2291 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2292 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2298 post_handshake_debug(exim_gnutls_state_st * state)
2300 #ifdef SUPPORT_GNUTLS_SESS_DESC
2301 debug_printf("%s\n", gnutls_session_get_desc(state->session));
2304 #ifdef SUPPORT_GNUTLS_KEYLOG
2305 # ifdef EXIM_HAVE_TLS1_3
2306 if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
2311 gnutls_datum_t c, s;
2313 /* For TLS1.2 we only want the client random and the master secret */
2314 gnutls_session_get_random(state->session, &c, &s);
2315 gnutls_session_get_master_secret(state->session, &s);
2318 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2321 debug_printf("To get keying info for TLS1.3 is hard:\n"
2322 " Set environment variable SSLKEYLOGFILE to a filename relative to the spool directory,\n"
2323 " and make sure it is writable by the Exim runtime user.\n"
2324 " Add SSLKEYLOGFILE to keep_environment in the exim config.\n"
2325 " Start Exim as root.\n"
2326 " If using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
2327 " (works for TLS1.2 also, and saves cut-paste into file).\n"
2328 " Trying to use add_environment for this will not work\n");
2333 #ifdef EXIM_HAVE_TLS_RESUME
2335 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2336 unsigned incoming, const gnutls_datum_t * msg)
2338 DEBUG(D_tls) debug_printf("newticket cb\n");
2339 tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2344 tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2346 /* Should the server offer session resumption? */
2347 tls_in.resumption = RESUME_SUPPORTED;
2348 if (verify_check_host(&tls_resumption_hosts) == OK)
2351 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2352 an offered resumption is unacceptable. We lose one resumption per ticket
2353 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2354 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2355 least they go out in a single packet. */
2357 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2358 &server_sessticket_key)))
2359 tls_in.resumption |= RESUME_SERVER_TICKET;
2362 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2364 /* Try to tell if we see a ticket request */
2365 gnutls_handshake_set_hook_function(state->session,
2366 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
2371 tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2373 if (gnutls_session_resumption_requested(state->session))
2375 /* This tells us the client sent a full ticket. We use a
2376 callback on session-ticket request, elsewhere, to tell
2377 if a client asked for a ticket. */
2379 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2380 DEBUG(D_tls) debug_printf("client requested resumption\n");
2382 if (gnutls_session_is_resumed(state->session))
2384 tls_in.resumption |= RESUME_USED;
2385 DEBUG(D_tls) debug_printf("Session resumed\n");
2389 /* ------------------------------------------------------------------------ */
2390 /* Exported functions */
2395 /*************************************************
2396 * Start a TLS session in a server *
2397 *************************************************/
2399 /* This is called when Exim is running as a server, after having received
2400 the STARTTLS command. It must respond to that command, and then negotiate
2404 require_ciphers list of allowed ciphers or NULL
2405 errstr pointer to error string
2407 Returns: OK on success
2408 DEFER for errors before the start of the negotiation
2409 FAIL for errors during the negotiation; the server can't
2414 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2417 exim_gnutls_state_st * state = NULL;
2419 /* Check for previous activation */
2420 if (tls_in.active.sock >= 0)
2422 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
2423 smtp_printf("554 Already in TLS\r\n", FALSE);
2427 /* Initialize the library. If it fails, it will already have logged the error
2428 and sent an SMTP response. */
2430 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
2433 #ifdef MEASURE_TIMING
2435 gettimeofday(&t0, NULL);
2438 if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
2439 NULL, tls_verify_certificates, tls_crl,
2440 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
2442 #ifdef MEASURE_TIMING
2443 report_time_since(&t0, US"server tls_init (delta)");
2447 #ifdef EXIM_HAVE_TLS_RESUME
2448 tls_server_resume_prehandshake(state);
2451 /* If this is a host for which certificate verification is mandatory or
2452 optional, set up appropriately. */
2454 if (verify_check_host(&tls_verify_hosts) == OK)
2457 debug_printf("TLS: a client certificate will be required.\n");
2458 state->verify_requirement = VERIFY_REQUIRED;
2459 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2461 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2464 debug_printf("TLS: a client certificate will be requested but not required.\n");
2465 state->verify_requirement = VERIFY_OPTIONAL;
2466 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2471 debug_printf("TLS: a client certificate will not be requested.\n");
2472 state->verify_requirement = VERIFY_NONE;
2473 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2476 #ifndef DISABLE_EVENT
2479 state->event_action = event_action;
2480 gnutls_session_set_ptr(state->session, state);
2481 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2485 /* Register SNI handling; always, even if not in tls_certificate, so that the
2486 expansion variable $tls_sni is always available. */
2488 gnutls_handshake_set_post_client_hello_function(state->session,
2489 exim_sni_handling_cb);
2491 /* Set context and tell client to go ahead, except in the case of TLS startup
2492 on connection, where outputting anything now upsets the clients and tends to
2493 make them disconnect. We need to have an explicit fflush() here, to force out
2494 the response. Other smtp_printf() calls do not need it, because in non-TLS
2495 mode, the fflush() happens when smtp_getc() is called. */
2497 if (!state->tlsp->on_connect)
2499 smtp_printf("220 TLS go ahead\r\n", FALSE);
2503 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2504 that the GnuTLS library doesn't.
2505 From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2506 to set (and clear down afterwards) up a pull-timeout callback function that does
2507 a select, so we're no better off unless avoiding signals becomes an issue. */
2509 gnutls_transport_set_ptr2(state->session,
2510 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2511 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
2512 state->fd_in = fileno(smtp_in);
2513 state->fd_out = fileno(smtp_out);
2515 sigalrm_seen = FALSE;
2516 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2518 rc = gnutls_handshake(state->session);
2519 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
2522 if (rc != GNUTLS_E_SUCCESS)
2524 /* It seems that, except in the case of a timeout, we have to close the
2525 connection right here; otherwise if the other end is running OpenSSL it hangs
2526 until the server times out. */
2530 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
2531 gnutls_db_remove_session(state->session);
2535 tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
2536 (void) gnutls_alert_send_appropriate(state->session, rc);
2537 gnutls_deinit(state->session);
2538 gnutls_certificate_free_credentials(state->x509_cred);
2540 shutdown(state->fd_out, SHUT_WR);
2541 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
2542 (void)fclose(smtp_out);
2543 (void)fclose(smtp_in);
2544 smtp_out = smtp_in = NULL;
2550 #ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
2551 if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
2552 tls_in.ext_master_secret = TRUE;
2555 #ifdef EXIM_HAVE_TLS_RESUME
2556 tls_server_resume_posthandshake(state);
2559 DEBUG(D_tls) post_handshake_debug(state);
2561 /* Verify after the fact */
2563 if (!verify_certificate(state, errstr))
2565 if (state->verify_requirement != VERIFY_OPTIONAL)
2567 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
2571 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
2575 /* Sets various Exim expansion variables; always safe within server */
2577 extract_exim_vars_from_tls_state(state);
2579 /* TLS has been set up. Adjust the input functions to read via TLS,
2580 and initialize appropriately. */
2582 state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2584 receive_getc = tls_getc;
2585 receive_getbuf = tls_getbuf;
2586 receive_get_cache = tls_get_cache;
2587 receive_ungetc = tls_ungetc;
2588 receive_feof = tls_feof;
2589 receive_ferror = tls_ferror;
2590 receive_smtp_buffered = tls_smtp_buffered;
2599 tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2600 smtp_transport_options_block * ob)
2602 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2604 state->exp_tls_verify_cert_hostnames =
2606 string_domain_utf8_to_alabel(host->certname, NULL);
2611 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2612 state->exp_tls_verify_cert_hostnames);
2620 /* Given our list of RRs from the TLSA lookup, build a lookup block in
2621 GnuTLS-DANE's preferred format. Hang it on the state str for later
2622 use in DANE verification.
2624 We point at the dnsa data not copy it, so it must remain valid until
2625 after verification is done.*/
2628 dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2632 const char ** dane_data;
2633 int * dane_data_len;
2636 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2637 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2638 ) if (rr->type == T_TLSA) i++;
2640 dane_data = store_get(i * sizeof(uschar *), FALSE);
2641 dane_data_len = store_get(i * sizeof(int), FALSE);
2644 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2645 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2646 ) if (rr->type == T_TLSA && rr->size > 3)
2648 const uschar * p = rr->data;
2649 /*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
2650 uint8_t usage = p[0], sel = p[1], type = p[2];
2653 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2655 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2656 || (sel != 0 && sel != 1)
2661 case 0: /* Full: cannot check at present */
2663 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2665 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2670 tls_out.tlsa_usage |= 1<<usage;
2671 dane_data[i] = CS p;
2672 dane_data_len[i++] = rr->size;
2675 if (!i) return FALSE;
2677 dane_data[i] = NULL;
2678 dane_data_len[i] = 0;
2680 state->dane_data = (char * const *)dane_data;
2681 state->dane_data_len = dane_data_len;
2688 #ifdef EXIM_HAVE_TLS_RESUME
2689 /* On the client, get any stashed session for the given IP from hints db
2690 and apply it to the ssl-connection for attempted resumption. Although
2691 there is a gnutls_session_ticket_enable_client() interface it is
2692 documented as unnecessary (as of 3.6.7) as "session tickets are emabled
2693 by deafult". There seems to be no way to disable them, so even hosts not
2694 enabled by the transport option will be sent a ticket request. We will
2695 however avoid storing and retrieving session information. */
2698 tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
2699 host_item * host, smtp_transport_options_block * ob)
2701 tlsp->resumption = RESUME_SUPPORTED;
2702 if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2704 dbdata_tls_session * dt;
2706 open_db dbblock, * dbm_file;
2709 debug_printf("check for resumable session for %s\n", host->address);
2710 tlsp->host_resumable = TRUE;
2711 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2712 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2714 /* Key for the db is the IP. We'd like to filter the retrieved session
2715 for ticket advisory expiry, but 3.6.1 seems to give no access to that */
2717 if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
2718 if (!(rc = gnutls_session_set_data(session,
2719 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
2721 DEBUG(D_tls) debug_printf("good session\n");
2722 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2724 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
2725 US gnutls_strerror(rc));
2726 dbfn_close(dbm_file);
2733 tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
2735 /* TLS 1.2 - we get both the callback and the direct posthandshake call,
2736 but this flag is not set until the second. TLS 1.3 it's the other way about.
2737 Keep both calls as the session data cannot be extracted before handshake
2740 if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
2745 DEBUG(D_tls) debug_printf("server offered session ticket\n");
2746 tlsp->ticket_received = TRUE;
2747 tlsp->resumption |= RESUME_SERVER_TICKET;
2749 if (tlsp->host_resumable)
2750 if (!(rc = gnutls_session_get_data2(session, &tkt)))
2752 open_db dbblock, * dbm_file;
2753 int dlen = sizeof(dbdata_tls_session) + tkt.size;
2754 dbdata_tls_session * dt = store_get(dlen, TRUE);
2756 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
2757 memcpy(dt->session, tkt.data, tkt.size);
2758 gnutls_free(tkt.data);
2760 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2762 /* key for the db is the IP */
2763 dbfn_delete(dbm_file, host->address);
2764 dbfn_write(dbm_file, host->address, dt, dlen);
2765 dbfn_close(dbm_file);
2768 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
2772 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
2777 /* With a TLS1.3 session, the ticket(s) are not seen until
2778 the first data read is attempted. And there's often two of them.
2779 Pick them up with this callback. We are also called for 1.2
2783 tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2784 unsigned incoming, const gnutls_datum_t * msg)
2786 exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
2787 tls_support * tlsp = state->tlsp;
2789 DEBUG(D_tls) debug_printf("newticket cb\n");
2791 if (!tlsp->ticket_received)
2792 tls_save_session(tlsp, sess, state->host);
2798 tls_client_resume_prehandshake(exim_gnutls_state_st * state,
2799 tls_support * tlsp, host_item * host,
2800 smtp_transport_options_block * ob)
2802 gnutls_session_set_ptr(state->session, state);
2803 gnutls_handshake_set_hook_function(state->session,
2804 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
2806 tls_retrieve_session(tlsp, state->session, host, ob);
2810 tls_client_resume_posthandshake(exim_gnutls_state_st * state,
2811 tls_support * tlsp, host_item * host)
2813 if (gnutls_session_is_resumed(state->session))
2815 DEBUG(D_tls) debug_printf("Session resumed\n");
2816 tlsp->resumption |= RESUME_USED;
2819 tls_save_session(tlsp, state->session, host);
2821 #endif /* !DISABLE_TLS_RESUME */
2824 /*************************************************
2825 * Start a TLS session in a client *
2826 *************************************************/
2828 /* Called from the smtp transport after STARTTLS has been accepted.
2831 cctx connection context
2832 conn_args connection details
2833 cookie datum for randomness (not used)
2834 tlsp record details of channel configuration here; must be non-NULL
2835 errstr error string pointer
2837 Returns: TRUE for success with TLS session context set in smtp context,
2842 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2843 void * cookie ARG_UNUSED,
2844 tls_support * tlsp, uschar ** errstr)
2846 host_item * host = conn_args->host; /* for msgs and option-tests */
2847 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2848 smtp_transport_options_block * ob = tb
2849 ? (smtp_transport_options_block *)tb->options_block
2850 : &smtp_transport_option_defaults;
2852 exim_gnutls_state_st * state = NULL;
2853 uschar * cipher_list = NULL;
2855 #ifndef DISABLE_OCSP
2857 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
2858 BOOL request_ocsp = require_ocsp ? TRUE
2859 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2862 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
2865 /* If dane is flagged, have either request or require dane for this host, and
2866 a TLSA record found. Therefore, dane verify required. Which implies cert must
2867 be requested and supplied, dane verify must pass, and cert verify irrelevant
2868 (incl. hostnames), and (caller handled) require_tls */
2870 if (conn_args->dane && ob->dane_require_tls_ciphers)
2872 /* not using expand_check_tlsvar because not yet in state */
2873 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2874 &cipher_list, errstr))
2876 cipher_list = cipher_list && *cipher_list
2877 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
2882 cipher_list = ob->tls_require_ciphers;
2885 #ifdef MEASURE_TIMING
2887 gettimeofday(&t0, NULL);
2890 if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
2891 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
2892 cipher_list, &state, tlsp, errstr) != OK)
2895 #ifdef MEASURE_TIMING
2896 report_time_since(&t0, US"client tls_init (delta)");
2901 int dh_min_bits = ob->tls_dh_min_bits;
2902 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2905 debug_printf("WARNING: tls_dh_min_bits far too low,"
2906 " clamping %d up to %d\n",
2907 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2908 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2911 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2912 " acceptable bits to %d\n",
2914 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2917 /* Stick to the old behaviour for compatibility if tls_verify_certificates is
2918 set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2919 the specified host patterns if one of them is defined */
2922 if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
2925 debug_printf("TLS: server certificate DANE required.\n");
2926 state->verify_requirement = VERIFY_DANE;
2927 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2931 if ( ( state->exp_tls_verify_certificates
2932 && !ob->tls_verify_hosts
2933 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2935 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2938 tls_client_setup_hostname_checks(host, state, ob);
2940 debug_printf("TLS: server certificate verification required.\n");
2941 state->verify_requirement = VERIFY_REQUIRED;
2942 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2944 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2946 tls_client_setup_hostname_checks(host, state, ob);
2948 debug_printf("TLS: server certificate verification optional.\n");
2949 state->verify_requirement = VERIFY_OPTIONAL;
2950 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2955 debug_printf("TLS: server certificate verification not required.\n");
2956 state->verify_requirement = VERIFY_NONE;
2957 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2960 #ifndef DISABLE_OCSP
2961 /* supported since GnuTLS 3.1.3 */
2964 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
2965 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2966 NULL, 0, NULL)) != OK)
2968 tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
2971 tlsp->ocsp = OCSP_NOT_RESP;
2975 #ifdef EXIM_HAVE_TLS_RESUME
2976 tls_client_resume_prehandshake(state, tlsp, host, ob);
2979 #ifndef DISABLE_EVENT
2980 if (tb && tb->event_action)
2982 state->event_action = tb->event_action;
2983 gnutls_session_set_ptr(state->session, state);
2984 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2988 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
2989 state->fd_in = cctx->sock;
2990 state->fd_out = cctx->sock;
2992 DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
2993 /* There doesn't seem to be a built-in timeout on connection. */
2995 sigalrm_seen = FALSE;
2996 ALARM(ob->command_timeout);
2998 rc = gnutls_handshake(state->session);
2999 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
3002 if (rc != GNUTLS_E_SUCCESS)
3006 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
3007 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
3010 tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
3014 DEBUG(D_tls) post_handshake_debug(state);
3018 if (!verify_certificate(state, errstr))
3020 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
3024 #ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
3025 if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
3026 tlsp->ext_master_secret = TRUE;
3029 #ifndef DISABLE_OCSP
3034 gnutls_datum_t stapling;
3035 gnutls_ocsp_resp_t resp;
3036 gnutls_datum_t printed;
3040 # ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
3041 (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
3043 (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
3046 if ( (rc= gnutls_ocsp_resp_init(&resp)) == 0
3047 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
3048 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
3051 debug_printf("%.4096s", printed.data);
3052 gnutls_free(printed.data);
3055 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
3057 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
3060 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
3062 tlsp->ocsp = OCSP_FAILED;
3063 tls_error(US"certificate status check failed", NULL, state->host, errstr);
3069 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
3070 tlsp->ocsp = OCSP_VFIED;
3075 #ifdef EXIM_HAVE_TLS_RESUME
3076 tls_client_resume_posthandshake(state, tlsp, host);
3079 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
3081 extract_exim_vars_from_tls_state(state);
3083 cctx->tls_ctx = state;
3090 /*************************************************
3091 * Close down a TLS session *
3092 *************************************************/
3094 /* This is also called from within a delivery subprocess forked from the
3095 daemon, to shut down the TLS library, without actually doing a shutdown (which
3096 would tamper with the TLS session in the parent process).
3099 ct_ctx client context pointer, or NULL for the one global server context
3100 shutdown 1 if TLS close-alert is to be sent,
3101 2 if also response to be waited for
3107 tls_close(void * ct_ctx, int shutdown)
3109 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3110 tls_support * tlsp = state->tlsp;
3112 if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
3116 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3117 shutdown > 1 ? " (with response-wait)" : "");
3120 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
3124 if (!ct_ctx) /* server */
3126 receive_getc = smtp_getc;
3127 receive_getbuf = smtp_getbuf;
3128 receive_get_cache = smtp_get_cache;
3129 receive_ungetc = smtp_ungetc;
3130 receive_feof = smtp_feof;
3131 receive_ferror = smtp_ferror;
3132 receive_smtp_buffered = smtp_buffered;
3135 gnutls_deinit(state->session);
3136 gnutls_certificate_free_credentials(state->x509_cred);
3138 tlsp->active.sock = -1;
3139 tlsp->active.tls_ctx = NULL;
3140 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
3141 tlsp->channelbinding = NULL;
3144 if (state->xfer_buffer) store_free(state->xfer_buffer);
3145 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
3152 tls_refill(unsigned lim)
3154 exim_gnutls_state_st * state = &state_server;
3157 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, buffersize=%u)\n",
3158 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
3160 sigalrm_seen = FALSE;
3161 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3164 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
3165 MIN(ssl_xfer_buffer_size, lim));
3166 while (inbytes == GNUTLS_E_AGAIN);
3168 if (smtp_receive_timeout > 0) ALARM_CLR(0);
3170 if (had_command_timeout) /* set by signal handler */
3171 smtp_command_timeout_exit(); /* does not return */
3172 if (had_command_sigterm)
3173 smtp_command_sigterm_exit();
3174 if (had_data_timeout)
3175 smtp_data_timeout_exit();
3176 if (had_data_sigint)
3177 smtp_data_sigint_exit();
3179 /* Timeouts do not get this far. A zero-byte return appears to mean that the
3180 TLS session has been closed down, not that the socket itself has been closed
3181 down. Revert to non-TLS handling. */
3185 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
3186 state->xfer_error = TRUE;
3190 else if (inbytes == 0)
3192 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3193 tls_close(NULL, TLS_NO_SHUTDOWN);
3197 /* Handle genuine errors */
3199 else if (inbytes < 0)
3201 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
3202 record_io_error(state, (int) inbytes, US"recv", NULL);
3203 state->xfer_error = TRUE;
3206 #ifndef DISABLE_DKIM
3207 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
3209 state->xfer_buffer_hwm = (int) inbytes;
3210 state->xfer_buffer_lwm = 0;
3214 /*************************************************
3215 * TLS version of getc *
3216 *************************************************/
3218 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
3219 it refills the buffer via the GnuTLS reading function.
3220 Only used by the server-side TLS.
3222 This feeds DKIM and should be used for all message-body reads.
3224 Arguments: lim Maximum amount to read/buffer
3225 Returns: the next character or EOF
3229 tls_getc(unsigned lim)
3231 exim_gnutls_state_st * state = &state_server;
3233 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3234 if (!tls_refill(lim))
3235 return state->xfer_error ? EOF : smtp_getc(lim);
3237 /* Something in the buffer; return next uschar */
3239 return state->xfer_buffer[state->xfer_buffer_lwm++];
3243 tls_getbuf(unsigned * len)
3245 exim_gnutls_state_st * state = &state_server;
3249 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3250 if (!tls_refill(*len))
3252 if (!state->xfer_error) return smtp_getbuf(len);
3257 if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
3259 buf = &state->xfer_buffer[state->xfer_buffer_lwm];
3260 state->xfer_buffer_lwm += size;
3269 #ifndef DISABLE_DKIM
3270 exim_gnutls_state_st * state = &state_server;
3271 int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3273 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
3279 tls_could_read(void)
3281 return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3282 || gnutls_record_check_pending(state_server.session) > 0;
3288 /*************************************************
3289 * Read bytes from TLS channel *
3290 *************************************************/
3292 /* This does not feed DKIM, so if the caller uses this for reading message body,
3293 then the caller must feed DKIM.
3296 ct_ctx client context pointer, or NULL for the one global server context
3300 Returns: the number of bytes read
3301 -1 after a failed read, including EOF
3305 tls_read(void * ct_ctx, uschar *buff, size_t len)
3307 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3313 if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3315 debug_printf("*** PROBABLY A BUG *** " \
3316 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3317 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3320 debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, len=" SIZE_T_FMT ")\n",
3321 state->session, buff, len);
3324 inbytes = gnutls_record_recv(state->session, buff, len);
3325 while (inbytes == GNUTLS_E_AGAIN);
3327 if (inbytes > 0) return inbytes;
3330 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3334 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
3335 record_io_error(state, (int)inbytes, US"recv", NULL);
3344 /*************************************************
3345 * Write bytes down TLS channel *
3346 *************************************************/
3350 ct_ctx client context pointer, or NULL for the one global server context
3353 more more data expected soon
3355 Calling with len zero and more unset will flush buffered writes. The buff
3356 argument can be null for that case.
3358 Returns: the number of bytes after a successful write,
3359 -1 after a failed write
3363 tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
3367 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3370 if (more && !state->corked)
3372 DEBUG(D_tls) debug_printf("gnutls_record_cork(session=%p)\n", state->session);
3373 gnutls_record_cork(state->session);
3374 state->corked = TRUE;
3378 DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
3379 buff, left, more ? ", more" : "");
3383 DEBUG(D_tls) debug_printf("gnutls_record_send(session=%p, buffer=%p, left=" SIZE_T_FMT ")\n",
3384 state->session, buff, left);
3387 outbytes = gnutls_record_send(state->session, buff, left);
3388 while (outbytes == GNUTLS_E_AGAIN);
3390 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
3394 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
3395 record_io_error(state, outbytes, US"send", NULL);
3400 record_io_error(state, 0, US"send", US"TLS channel closed on write");
3411 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
3417 if (!more && state->corked)
3419 DEBUG(D_tls) debug_printf("gnutls_record_uncork(session=%p)\n", state->session);
3421 /* We can't use GNUTLS_RECORD_WAIT here, as it retries on
3422 GNUTLS_E_AGAIN || GNUTLS_E_INTR, which would break our timeout set by alarm().
3423 The GNUTLS_E_AGAIN should not happen ever, as our sockets are blocking anyway.
3424 But who knows. (That all relies on the fact that GNUTLS_E_INTR and GNUTLS_E_AGAIN
3425 match the EINTR and EAGAIN errno values.) */
3426 outbytes = gnutls_record_uncork(state->session, 0);
3427 while (outbytes == GNUTLS_E_AGAIN);
3431 record_io_error(state, len, US"uncork", NULL);
3435 state->corked = FALSE;
3445 /*************************************************
3446 * Random number generation *
3447 *************************************************/
3449 /* Pseudo-random number generation. The result is not expected to be
3450 cryptographically strong but not so weak that someone will shoot themselves
3451 in the foot using it as a nonce in input in some email header scheme or
3452 whatever weirdness they'll twist this into. The result should handle fork()
3453 and avoid repeating sequences. OpenSSL handles that for us.
3457 Returns a random number in range [0, max-1]
3460 #ifdef HAVE_GNUTLS_RND
3462 vaguely_random_number(int max)
3466 uschar smallbuf[sizeof(r)];
3471 needed_len = sizeof(r);
3472 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3473 asked for a number less than 10. */
3475 for (r = max, i = 0; r; ++i)
3481 i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
3484 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
3485 return vaguely_random_number_fallback(max);
3488 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3491 /* We don't particularly care about weighted results; if someone wants
3492 * smooth distribution and cares enough then they should submit a patch then. */
3495 #else /* HAVE_GNUTLS_RND */
3497 vaguely_random_number(int max)
3499 return vaguely_random_number_fallback(max);
3501 #endif /* HAVE_GNUTLS_RND */
3506 /*************************************************
3507 * Let tls_require_ciphers be checked at startup *
3508 *************************************************/
3510 /* The tls_require_ciphers option, if set, must be something which the
3513 Returns: NULL on success, or error message
3517 tls_validate_require_cipher(void)
3520 uschar *expciphers = NULL;
3521 gnutls_priority_t priority_cache;
3523 uschar * dummy_errstr;
3525 #ifdef GNUTLS_AUTO_GLOBAL_INIT
3526 # define validate_check_rc(Label) do { \
3527 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) \
3528 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3529 # define return_deinit(Label) do { return (Label); } while (0)
3531 # define validate_check_rc(Label) do { \
3532 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
3533 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3534 # define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
3537 if (exim_gnutls_base_init_done)
3538 log_write(0, LOG_MAIN|LOG_PANIC,
3539 "already initialised GnuTLS, Exim developer bug");
3541 #if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
3542 if (!gnutls_allow_auto_pkcs11)
3544 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
3545 validate_check_rc(US"gnutls_pkcs11_init");
3548 #ifndef GNUTLS_AUTO_GLOBAL_INIT
3549 rc = gnutls_global_init();
3550 validate_check_rc(US"gnutls_global_init()");
3552 exim_gnutls_base_init_done = TRUE;
3554 if (!(tls_require_ciphers && *tls_require_ciphers))
3555 return_deinit(NULL);
3557 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3559 return_deinit(US"failed to expand tls_require_ciphers");
3561 if (!(expciphers && *expciphers))
3562 return_deinit(NULL);
3565 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3567 rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
3568 validate_check_rc(string_sprintf(
3569 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
3570 expciphers, errpos - CS expciphers, errpos));
3572 #undef return_deinit
3573 #undef validate_check_rc
3574 #ifndef GNUTLS_AUTO_GLOBAL_INIT
3575 gnutls_global_deinit();
3584 /*************************************************
3585 * Report the library versions. *
3586 *************************************************/
3588 /* See a description in tls-openssl.c for an explanation of why this exists.
3590 Arguments: a FILE* to print the results to
3595 tls_version_report(FILE *f)
3597 fprintf(f, "Library version: GnuTLS: Compile: %s\n"
3600 gnutls_check_version(NULL));
3603 #endif /*!MACRO_PREDEF*/
3606 /* End of tls-gnu.c */
git://git.exim.org / exim.git / blob