1 /* $Cambridge: exim/src/src/tls-gnu.c,v 1.7 2005/06/07 15:20:56 ph10 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* This module provides TLS (aka SSL) support for Exim using the GnuTLS
11 library. It is #included into tls.c when that library is used. The code herein
12 is based on a patch that was contributed by Nikos Mavroyanopoulos.
14 No cryptographic code is included in Exim. All this module does is to call
15 functions from the GnuTLS library. */
18 /* Heading stuff for GnuTLS */
20 #include <gnutls/gnutls.h>
21 #include <gnutls/x509.h>
24 #define UNKNOWN_NAME "unknown"
27 #define PARAM_SIZE 2*1024
30 /* Values for verify_requirment and initialized */
32 enum { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
33 enum { INITIALIZED_NOT, INITIALIZED_SERVER, INITIALIZED_CLIENT };
35 /* Local static variables for GNUTLS */
37 static BOOL initialized = INITIALIZED_NOT;
38 static host_item *client_host;
40 static gnutls_rsa_params rsa_params = NULL;
41 static gnutls_dh_params dh_params = NULL;
43 static gnutls_certificate_server_credentials x509_cred = NULL;
44 static gnutls_session tls_session = NULL;
46 static char ssl_errstring[256];
48 static int ssl_session_timeout = 200;
49 static int verify_requirement;
51 /* Priorities for TLS algorithms to use. At present, only the cipher priority
52 vector can be altered. */
54 static const int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
56 static const int kx_priority[16] = {
63 static int default_cipher_priority[16] = {
64 GNUTLS_CIPHER_AES_256_CBC,
65 GNUTLS_CIPHER_AES_128_CBC,
66 GNUTLS_CIPHER_3DES_CBC,
67 GNUTLS_CIPHER_ARCFOUR_128,
70 static int cipher_priority[16];
72 static const int mac_priority[16] = {
77 static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
78 static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 };
80 /* Tables of cipher names and equivalent numbers */
82 typedef struct pri_item {
87 static int arcfour_128_codes[] = { GNUTLS_CIPHER_ARCFOUR_128, 0 };
88 static int arcfour_40_codes[] = { GNUTLS_CIPHER_ARCFOUR_40, 0 };
89 static int arcfour_codes[] = { GNUTLS_CIPHER_ARCFOUR_128,
90 GNUTLS_CIPHER_ARCFOUR_40, 0 };
91 static int aes_256_codes[] = { GNUTLS_CIPHER_AES_256_CBC, 0 };
92 static int aes_128_codes[] = { GNUTLS_CIPHER_AES_128_CBC, 0 };
93 static int aes_codes[] = { GNUTLS_CIPHER_AES_256_CBC,
94 GNUTLS_CIPHER_AES_128_CBC, 0 };
95 static int des3_codes[] = { GNUTLS_CIPHER_3DES_CBC, 0 };
97 static pri_item cipher_index[] = {
98 { US"ARCFOUR_128", arcfour_128_codes },
99 { US"ARCFOUR_40", arcfour_40_codes },
100 { US"ARCFOUR", arcfour_codes },
101 { US"AES_256", aes_256_codes },
102 { US"AES_128", aes_128_codes },
103 { US"AES", aes_codes },
104 { US"3DES", des3_codes }
109 /*************************************************
111 *************************************************/
113 /* Called from lots of places when errors occur before actually starting to do
114 the TLS handshake, that is, while the session is still in clear. Always returns
115 DEFER for a server and FAIL for a client so that most calls can use "return
116 tls_error(...)" to do this processing and then give an appropriate return. A
117 single function is used for both server and client, because it is called from
118 some shared functions.
121 prefix text to include in the logged error
122 host NULL if setting up a server;
123 the connected host if setting up a client
124 err a GnuTLS error number, or 0 if local error
126 Returns: OK/DEFER/FAIL
130 tls_error(uschar *prefix, host_item *host, int err)
132 uschar *errtext = US"";
133 if (err != 0) errtext = string_sprintf(": %s", gnutls_strerror(err));
136 log_write(0, LOG_MAIN, "TLS error on connection from %s (%s)%s",
137 (sender_fullhost != NULL)? sender_fullhost : US "local process",
143 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s)%s",
144 host->name, host->address, prefix, errtext);
151 /*************************************************
152 * Verify certificate *
153 *************************************************/
155 /* Called after a successful handshake, when certificate verification is
156 required or optional, for both server and client.
159 session GNUTLS session
160 error where to put text giving a reason for failure
166 verify_certificate(gnutls_session session, uschar **error)
169 uschar *dn_string = US"";
170 const gnutls_datum *cert;
171 unsigned int cert_size = 0;
175 /* Get the peer's certificate. If it sent one, extract it's DN, and then
176 attempt to verify the certificate. If no certificate is supplied, verification
177 is forced to fail. */
179 cert = gnutls_certificate_get_peers(session, &cert_size);
183 gnutls_x509_crt gcert;
185 gnutls_x509_crt_init(&gcert);
186 dn_string = US"unknown";
188 if (gnutls_x509_crt_import(gcert, cert, GNUTLS_X509_FMT_DER) == 0)
190 size_t bufsize = sizeof(buff);
191 if (gnutls_x509_crt_get_dn(gcert, CS buff, &bufsize) >= 0)
192 dn_string = string_copy_malloc(buff);
195 verify = gnutls_certificate_verify_peers(session);
199 DEBUG(D_tls) debug_printf("no peer certificate supplied\n");
200 verify = GNUTLS_CERT_INVALID;
201 *error = US"not supplied";
204 /* Handle the result of verification. INVALID seems to be set as well
205 as REVOKED, but leave the test for both. */
207 if ((verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0)
209 tls_certificate_verified = FALSE;
210 if (*error == NULL) *error = ((verify & GNUTLS_CERT_REVOKED) != 0)?
211 US"revoked" : US"invalid";
212 if (verify_requirement == VERIFY_REQUIRED)
214 DEBUG(D_tls) debug_printf("TLS certificate verification failed (%s): "
215 "peerdn=%s\n", *error, dn_string);
216 gnutls_alert_send(session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
217 return FALSE; /* reject */
219 DEBUG(D_tls) debug_printf("TLS certificate verify failure (%s) overridden "
220 "(host in tls_try_verify_hosts): peerdn=%s\n", *error, dn_string);
224 tls_certificate_verified = TRUE;
225 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=%s\n",
229 tls_peerdn = dn_string;
230 return TRUE; /* accept */
235 /*************************************************
236 * Setup up RSA and DH parameters *
237 *************************************************/
239 /* Generating the RSA and D-H parameters takes a long time. They only need to
240 be re-generated every so often, depending on security policy. What we do is to
241 keep these parameters in a file in the spool directory. If the file does not
242 exist, we generate them. This means that it is easy to cause a regeneration.
244 The new file is written as a temporary file and renamed, so that an incomplete
245 file is never present. If two processes both compute some new parameters, you
246 waste a bit of effort, but it doesn't seem worth messing around with locking to
250 host NULL for server, server for client (for error handling)
252 Returns: OK/DEFER/FAIL
256 init_rsa_dh(host_item *host)
261 uschar filename[200];
263 /* Initialize the data structures for holding the parameters */
265 ret = gnutls_rsa_params_init(&rsa_params);
266 if (ret < 0) return tls_error(US"init rsa_params", host, ret);
268 ret = gnutls_dh_params_init(&dh_params);
269 if (ret < 0) return tls_error(US"init dh_params", host, ret);
271 /* Set up the name of the cache file */
273 if (!string_format(filename, sizeof(filename), "%s/gnutls-params",
275 return tls_error(US"overlong filename", host, 0);
277 /* Open the cache file for reading and if successful, read it and set up the
278 parameters. If we can't set up the RSA parameters, assume that we are dealing
279 with an old-style cache file that is in another format, and fall through to
280 compute new values. However, if we correctly get RSA parameters, a failure to
281 set up D-H parameters is treated as an error. */
283 fd = Uopen(filename, O_RDONLY, 0);
287 if (fstat(fd, &statbuf) < 0)
290 return tls_error(US"TLS cache stat failed", host, 0);
293 m.size = statbuf.st_size;
294 m.data = malloc(m.size);
296 return tls_error(US"memory allocation failed", host, 0);
297 if (read(fd, m.data, m.size) != m.size)
298 return tls_error(US"TLS cache read failed", host, 0);
301 ret = gnutls_rsa_params_import_pkcs1(rsa_params, &m, GNUTLS_X509_FMT_PEM);
305 debug_printf("RSA params import failed: assume old-style cache file\n");
309 ret = gnutls_dh_params_import_pkcs3(dh_params, &m, GNUTLS_X509_FMT_PEM);
311 return tls_error(US"DH params import", host, ret);
312 DEBUG(D_tls) debug_printf("read RSA and D-H parameters from file\n");
318 /* If the file does not exist, fall through to compute new data and cache it.
319 If there was any other opening error, it is serious. */
321 else if (errno != ENOENT)
322 return tls_error(string_open_failed(errno, "%s for reading", filename),
325 /* If ret < 0, either the cache file does not exist, or the data it contains
326 is not useful. One particular case of this is when upgrading from an older
327 release of Exim in which the data was stored in a different format. We don't
328 try to be clever and support both formats; we just regenerate new data in this
333 uschar tempfilename[sizeof(filename) + 10];
335 DEBUG(D_tls) debug_printf("generating %d bit RSA key...\n", RSA_BITS);
336 ret = gnutls_rsa_params_generate2(rsa_params, RSA_BITS);
337 if (ret < 0) return tls_error(US"RSA key generation", host, ret);
339 DEBUG(D_tls) debug_printf("generating %d bit Diffie-Hellman key...\n",
341 ret = gnutls_dh_params_generate2(dh_params, DH_BITS);
342 if (ret < 0) return tls_error(US"D-H key generation", host, ret);
344 /* Write the parameters to a file in the spool directory so that we
345 can use them from other Exim processes. */
347 sprintf(CS tempfilename, "%s-%d", filename, (int)getpid());
348 fd = Uopen(tempfilename, O_WRONLY|O_CREAT, 0400);
350 return tls_error(string_open_failed(errno, "%s for writing", filename),
352 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
354 /* export the parameters in a format that can be generated using GNUTLS'
355 * certtool or other programs.
357 * The commands for certtool are:
358 * $ certtool --generate-privkey --bits 512 >params
360 * $ certtool --generate-dh-params --bits 1024 >> params
364 m.data = malloc(m.size);
366 return tls_error(US"memory allocation failed", host, 0);
368 ret = gnutls_rsa_params_export_pkcs1(rsa_params, GNUTLS_X509_FMT_PEM,
370 if (ret < 0) return tls_error(US"RSA params export", host, ret);
372 /* Do not write the null termination byte. */
374 m.size = Ustrlen(m.data);
375 if (write(fd, m.data, m.size) != m.size || write(fd, "\n", 1) != 1)
376 return tls_error(US"TLS cache write failed", host, 0);
379 ret = gnutls_dh_params_export_pkcs3(dh_params, GNUTLS_X509_FMT_PEM, m.data,
381 if (ret < 0) return tls_error(US"DH params export", host, ret);
383 m.size = Ustrlen(m.data);
384 if (write(fd, m.data, m.size) != m.size || write(fd, "\n", 1) != 1)
385 return tls_error(US"TLS cache write failed", host, 0);
390 if (rename(CS tempfilename, CS filename) < 0)
391 return tls_error(string_sprintf("failed to rename %s as %s: %s",
392 tempfilename, filename, strerror(errno)), host, 0);
394 DEBUG(D_tls) debug_printf("wrote RSA and D-H parameters to file\n");
397 DEBUG(D_tls) debug_printf("initialized RSA and D-H parameters\n");
404 /*************************************************
405 * Initialize for GnuTLS *
406 *************************************************/
408 /* Called from both server and client code. In the case of a server, errors
409 before actual TLS negotiation return DEFER.
412 host connected host, if client; NULL if server
413 certificate certificate file
414 privatekey private key file
418 Returns: OK/DEFER/FAIL
422 tls_init(host_item *host, uschar *certificate, uschar *privatekey, uschar *cas,
426 uschar *cert_expanded, *key_expanded, *cas_expanded, *crl_expanded;
428 initialized = (host == NULL)? INITIALIZED_SERVER : INITIALIZED_CLIENT;
430 rc = gnutls_global_init();
431 if (rc < 0) return tls_error(US"tls-init", host, rc);
433 /* Create RSA and D-H parameters, or read them from the cache file. This
434 function does its own SMTP error messaging. */
436 rc = init_rsa_dh(host);
437 if (rc != OK) return rc;
439 /* Create the credentials structure */
441 rc = gnutls_certificate_allocate_credentials(&x509_cred);
442 if (rc < 0) return tls_error(US"certificate_allocate_credentials", host, rc);
444 /* This stuff must be done for each session, because different certificates
445 may be required for different sessions. */
447 if (!expand_check(certificate, US"tls_certificate", &cert_expanded))
450 if (privatekey != NULL)
452 if (!expand_check(privatekey, US"tls_privatekey", &key_expanded))
455 else key_expanded = cert_expanded;
457 /* Set the certificate and private keys */
459 if (cert_expanded != NULL)
461 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
462 cert_expanded, key_expanded);
463 rc = gnutls_certificate_set_x509_key_file(x509_cred, CS cert_expanded,
464 CS key_expanded, GNUTLS_X509_FMT_PEM);
467 uschar *msg = string_sprintf("cert/key setup: cert=%s key=%s",
468 cert_expanded, key_expanded);
469 return tls_error(msg, host, rc);
473 /* A certificate is mandatory in a server, but not in a client */
478 return tls_error(US"no TLS server certificate is specified", host, 0);
479 DEBUG(D_tls) debug_printf("no TLS client certificate is specified\n");
482 /* Set the trusted CAs file if one is provided, and then add the CRL if one is
483 provided. Experiment shows that, if the certificate file is empty, an unhelpful
484 error message is provided. However, if we just refrain from setting anything up
485 in that case, certificate verification fails, which seems to be the correct
492 if (!expand_check(cas, US"tls_verify_certificates", &cas_expanded))
495 if (stat(CS cas_expanded, &statbuf) < 0)
497 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
498 "(tls_verify_certificates): %s", cas_expanded, strerror(errno));
502 DEBUG(D_tls) debug_printf("verify certificates = %s size=%.30g\n",
503 cas_expanded, (double)statbuf.st_size);
505 /* If the cert file is empty, there's no point in loading the CRL file. */
507 if (statbuf.st_size > 0)
509 rc = gnutls_certificate_set_x509_trust_file(x509_cred, CS cas_expanded,
510 GNUTLS_X509_FMT_PEM);
511 if (rc < 0) return tls_error(US"setup_certs", host, rc);
513 if (crl != NULL && *crl != 0)
515 if (!expand_check(crl, US"tls_crl", &crl_expanded))
517 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", crl_expanded);
518 rc = gnutls_certificate_set_x509_crl_file(x509_cred, CS crl_expanded,
519 GNUTLS_X509_FMT_PEM);
520 if (rc < 0) return tls_error(US"CRL setup", host, rc);
525 /* Associate the parameters with the x509 credentials structure. */
527 gnutls_certificate_set_dh_params(x509_cred, dh_params);
528 gnutls_certificate_set_rsa_export_params(x509_cred, rsa_params);
530 DEBUG(D_tls) debug_printf("initialized certificate stuff\n");
537 /*************************************************
538 * Remove ciphers from priority list *
539 *************************************************/
541 /* Cautiously written so that it will remove duplicates if present.
544 list a zero-terminated list
545 remove_list a zero-terminated list to be removed
551 remove_ciphers(int *list, int *remove_list)
553 for (; *remove_list != 0; remove_list++)
558 if (*p == *remove_list)
561 do { pp[0] = pp[1]; pp++; } while (*pp != 0);
570 /*************************************************
571 * Add ciphers to priority list *
572 *************************************************/
574 /* Cautiously written to check the list size
577 list a zero-terminated list
578 list_max maximum offset in the list
579 add_list a zero-terminated list to be added
581 Returns: TRUE if OK; FALSE if list overflows
585 add_ciphers(int *list, int list_max, int *add_list)
588 while (list[next] != 0) next++;
589 while (*add_list != 0)
591 if (next >= list_max) return FALSE;
592 list[next++] = *add_list++;
600 /*************************************************
601 * Initialize a single GNUTLS session *
602 *************************************************/
604 /* Set the algorithm, the db backend, whether to request certificates etc.
606 TLS in Exim was first implemented using OpenSSL. This has a function to which
607 you pass a list of cipher suites that are permitted/not permitted. GnuTLS works
608 differently. It operates using priority lists for the different components of
611 For compatibility of configuration, we scan a list of cipher suites and set
612 priorities therefrom. However, at the moment, we pay attention only to the bulk
616 side one of GNUTLS_SERVER, GNUTLS_CLIENT
617 expciphers expanded ciphers list
619 Returns: a gnutls_session, or NULL if there is a problem
622 static gnutls_session
623 tls_session_init(int side, uschar *expciphers)
625 gnutls_session session;
627 gnutls_init(&session, side);
629 /* Handle the list of permitted ciphers */
631 memcpy(cipher_priority, default_cipher_priority, sizeof(cipher_priority));
633 if (expciphers != NULL)
639 /* The names OpenSSL uses are of the form DES-CBC3-SHA, using hyphen
640 separators. GnuTLS uses underscore separators. So that I can use either form
641 in my tests, and also for general convenience, we turn hyphens into
642 underscores before scanning the list. */
644 uschar *s = expciphers;
645 while (*s != 0) { if (*s == '-') *s = '_'; s++; }
647 while ((cipher = string_nextinlist(&expciphers, &sep, big_buffer,
648 big_buffer_size)) != NULL)
651 BOOL exclude = cipher[0] == '!';
652 if (first && !exclude) cipher_priority[0] = 0;
655 for (i = 0; i < sizeof(cipher_index)/sizeof(pri_item); i++)
657 uschar *ss = strstric(cipher, cipher_index[i].name, FALSE);
660 uschar *endss = ss + Ustrlen(cipher_index[i].name);
661 if ((ss == cipher || !isalnum(ss[-1])) && !isalnum(*endss))
664 remove_ciphers(cipher_priority, cipher_index[i].values);
667 if (!add_ciphers(cipher_priority,
668 sizeof(cipher_priority)/sizeof(pri_item),
669 cipher_index[i].values))
671 log_write(0, LOG_MAIN|LOG_PANIC, "GnuTLS init failed: cipher "
672 "priority table overflow");
673 gnutls_deinit(session);
684 int *ptr = cipher_priority;
685 debug_printf("adjusted cipher priorities:");
686 while (*ptr != 0) debug_printf(" %d", *ptr++);
691 /* Define the various priorities */
693 gnutls_cipher_set_priority(session, cipher_priority);
694 gnutls_compression_set_priority(session, comp_priority);
695 gnutls_kx_set_priority(session, kx_priority);
696 gnutls_protocol_set_priority(session, protocol_priority);
697 gnutls_mac_set_priority(session, mac_priority);
699 gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
701 gnutls_dh_set_prime_bits(session, DH_BITS);
703 /* Request or demand a certificate of the peer, as configured. This will
704 happen only in a server. */
706 if (verify_requirement != VERIFY_NONE)
707 gnutls_certificate_server_set_request(session,
708 (verify_requirement == VERIFY_OPTIONAL)?
709 GNUTLS_CERT_REQUEST : GNUTLS_CERT_REQUIRE);
711 gnutls_db_set_cache_expiration(session, ssl_session_timeout);
713 DEBUG(D_tls) debug_printf("initialized GnuTLS session\n");
719 /*************************************************
720 * Get name of cipher in use *
721 *************************************************/
723 /* The answer is left in a static buffer, and tls_cipher is set to point
726 Argument: pointer to a GnuTLS session
731 construct_cipher_name(gnutls_session session)
733 static uschar cipherbuf[256];
735 int bits, c, kx, mac;
738 US gnutls_protocol_get_name(gnutls_protocol_get_version(session)));
739 if (Ustrncmp(ver, "TLS ", 4) == 0) ver[3] = '-'; /* Don't want space */
741 c = gnutls_cipher_get(session);
742 bits = gnutls_cipher_get_key_size(c);
744 mac = gnutls_mac_get(session);
745 kx = gnutls_kx_get(session);
747 string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
748 gnutls_cipher_suite_get_name(kx, c, mac), bits);
749 tls_cipher = cipherbuf;
751 DEBUG(D_tls) debug_printf("cipher: %s\n", cipherbuf);
756 /*************************************************
757 * Start a TLS session in a server *
758 *************************************************/
760 /* This is called when Exim is running as a server, after having received
761 the STARTTLS command. It must respond to that command, and then negotiate
765 require_ciphers list of allowed ciphers
767 Returns: OK on success
768 DEFER for errors before the start of the negotiation
769 FAIL for errors during the negotation; the server can't
774 tls_server_start(uschar *require_ciphers)
778 uschar *expciphers = NULL;
780 /* Check for previous activation */
784 log_write(0, LOG_MAIN, "STARTTLS received in already encrypted "
785 "connection from %s",
786 (sender_fullhost != NULL)? sender_fullhost : US"local process");
787 smtp_printf("554 Already in TLS\r\n");
791 /* Initialize the library. If it fails, it will already have logged the error
792 and sent an SMTP response. */
794 DEBUG(D_tls) debug_printf("initializing GnuTLS as a server\n");
796 rc = tls_init(NULL, tls_certificate, tls_privatekey, tls_verify_certificates,
798 if (rc != OK) return rc;
800 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
803 /* If this is a host for which certificate verification is mandatory or
804 optional, set up appropriately. */
806 tls_certificate_verified = FALSE;
807 verify_requirement = VERIFY_NONE;
809 if (verify_check_host(&tls_verify_hosts) == OK)
810 verify_requirement = VERIFY_REQUIRED;
811 else if (verify_check_host(&tls_try_verify_hosts) == OK)
812 verify_requirement = VERIFY_OPTIONAL;
814 /* Prepare for new connection */
816 tls_session = tls_session_init(GNUTLS_SERVER, expciphers);
817 if (tls_session == NULL)
818 return tls_error(US"tls_session_init", NULL, GNUTLS_E_MEMORY_ERROR);
820 /* Set context and tell client to go ahead, except in the case of TLS startup
821 on connection, where outputting anything now upsets the clients and tends to
822 make them disconnect. We need to have an explicit fflush() here, to force out
823 the response. Other smtp_printf() calls do not need it, because in non-TLS
824 mode, the fflush() happens when smtp_getc() is called. */
828 smtp_printf("220 TLS go ahead\r\n");
832 /* Now negotiate the TLS session. We put our own timer on it, since it seems
833 that the GnuTLS library doesn't. */
835 gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)fileno(smtp_out));
837 sigalrm_seen = FALSE;
838 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
839 rc = gnutls_handshake(tls_session);
845 Ustrcpy(ssl_errstring, "timed out");
847 Ustrcpy(ssl_errstring, gnutls_strerror(rc));
848 log_write(0, LOG_MAIN,
849 "TLS error on connection from %s (gnutls_handshake): %s",
850 (sender_fullhost != NULL)? sender_fullhost : US"local process",
853 /* It seems that, except in the case of a timeout, we have to close the
854 connection right here; otherwise if the other end is running OpenSSL it hangs
855 until the server times out. */
866 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
868 if (verify_requirement != VERIFY_NONE &&
869 !verify_certificate(tls_session, &error))
871 log_write(0, LOG_MAIN,
872 "TLS error on connection from %s: certificate verification failed (%s)",
873 (sender_fullhost != NULL)? sender_fullhost : US"local process", error);
877 construct_cipher_name(tls_session);
879 /* TLS has been set up. Adjust the input functions to read via TLS,
880 and initialize appropriately. */
882 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
883 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
884 ssl_xfer_eof = ssl_xfer_error = 0;
886 receive_getc = tls_getc;
887 receive_ungetc = tls_ungetc;
888 receive_feof = tls_feof;
889 receive_ferror = tls_ferror;
891 tls_active = fileno(smtp_out);
899 /*************************************************
900 * Start a TLS session in a client *
901 *************************************************/
903 /* Called from the smtp transport after STARTTLS has been accepted.
906 fd the fd of the connection
907 host connected host (for messages)
909 dhparam DH parameter file
910 certificate certificate file
911 privatekey private key file
912 verify_certs file for certificate verify
913 verify_crl CRL for verify
914 require_ciphers list of allowed ciphers
915 timeout startup timeout
917 Returns: OK/DEFER/FAIL (because using common functions),
918 but for a client, DEFER and FAIL have the same meaning
922 tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
923 uschar *certificate, uschar *privatekey, uschar *verify_certs,
924 uschar *verify_crl, uschar *require_ciphers, int timeout)
926 const gnutls_datum *server_certs;
927 uschar *expciphers = NULL;
929 unsigned int server_certs_size;
932 DEBUG(D_tls) debug_printf("initializing GnuTLS as a client\n");
935 verify_requirement = (verify_certs == NULL)? VERIFY_NONE : VERIFY_REQUIRED;
936 rc = tls_init(host, certificate, privatekey, verify_certs, verify_crl);
937 if (rc != OK) return rc;
939 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
942 tls_session = tls_session_init(GNUTLS_CLIENT, expciphers);
943 if (tls_session == NULL)
944 return tls_error(US "tls_session_init", host, GNUTLS_E_MEMORY_ERROR);
946 gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)fd);
948 /* There doesn't seem to be a built-in timeout on connection. */
950 sigalrm_seen = FALSE;
952 rc = gnutls_handshake(tls_session);
959 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s]: "
960 "gnutls_handshake timed out", host->name, host->address);
963 else return tls_error(US "gnutls_handshake", host, rc);
966 server_certs = gnutls_certificate_get_peers(tls_session, &server_certs_size);
968 if (server_certs != NULL)
971 gnutls_x509_crt gcert;
973 gnutls_x509_crt_init(&gcert);
974 tls_peerdn = US"unknown";
976 if (gnutls_x509_crt_import(gcert, server_certs, GNUTLS_X509_FMT_DER) == 0)
978 size_t bufsize = sizeof(buff);
979 if (gnutls_x509_crt_get_dn(gcert, CS buff, &bufsize) >= 0)
980 tls_peerdn = string_copy_malloc(buff);
984 /* Should we also verify the hostname here? */
986 if (verify_requirement != VERIFY_NONE &&
987 !verify_certificate(tls_session, &error))
989 log_write(0, LOG_MAIN,
990 "TLS error on connection to %s [%s]: certificate verification failed (%s)",
991 host->name, host->address, error);
995 construct_cipher_name(tls_session); /* Sets tls_cipher */
1002 /*************************************************
1003 * Deal with logging errors during I/O *
1004 *************************************************/
1006 /* We have to get the identity of the peer from saved data.
1009 ec the GnuTLS error code, or 0 if it's a local error
1010 when text identifying read or write
1011 text local error text when ec is 0
1017 record_io_error(int ec, uschar *when, uschar *text)
1019 uschar *additional = US"";
1021 if (ec == GNUTLS_E_FATAL_ALERT_RECEIVED)
1022 additional = string_sprintf(": %s",
1023 gnutls_alert_get_name(gnutls_alert_get(tls_session)));
1025 if (initialized == INITIALIZED_SERVER)
1026 log_write(0, LOG_MAIN, "TLS %s error on connection from %s: %s%s", when,
1027 (sender_fullhost != NULL)? sender_fullhost : US "local process",
1028 (ec == 0)? text : US gnutls_strerror(ec), additional);
1031 log_write(0, LOG_MAIN, "TLS %s error on connection to %s [%s]: %s%s", when,
1032 client_host->name, client_host->address,
1033 (ec == 0)? text : US gnutls_strerror(ec), additional);
1038 /*************************************************
1039 * TLS version of getc *
1040 *************************************************/
1042 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
1043 it refills the buffer via the GnuTLS reading function.
1046 Returns: the next character or EOF
1052 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1056 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%lx, %lx, %u)\n",
1057 (long) tls_session, (long) ssl_xfer_buffer, ssl_xfer_buffer_size);
1059 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1060 inbytes = gnutls_record_recv(tls_session, CS ssl_xfer_buffer,
1061 ssl_xfer_buffer_size);
1064 /* A zero-byte return appears to mean that the TLS session has been
1065 closed down, not that the socket itself has been closed down. Revert to
1066 non-TLS handling. */
1070 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
1072 receive_getc = smtp_getc;
1073 receive_ungetc = smtp_ungetc;
1074 receive_feof = smtp_feof;
1075 receive_ferror = smtp_ferror;
1077 gnutls_deinit(tls_session);
1086 /* Handle genuine errors */
1088 else if (inbytes < 0)
1090 record_io_error(inbytes, US"recv", NULL);
1095 ssl_xfer_buffer_hwm = inbytes;
1096 ssl_xfer_buffer_lwm = 0;
1100 /* Something in the buffer; return next uschar */
1102 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1107 /*************************************************
1108 * Read bytes from TLS channel *
1109 *************************************************/
1116 Returns: the number of bytes read
1117 -1 after a failed read
1121 tls_read(uschar *buff, size_t len)
1125 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%lx, %lx, %u)\n",
1126 (long) tls_session, (long) buff, len);
1128 inbytes = gnutls_record_recv(tls_session, CS buff, len);
1129 if (inbytes > 0) return inbytes;
1132 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
1134 else record_io_error(inbytes, US"recv", NULL);
1141 /*************************************************
1142 * Write bytes down TLS channel *
1143 *************************************************/
1150 Returns: the number of bytes after a successful write,
1151 -1 after a failed write
1155 tls_write(const uschar *buff, size_t len)
1160 DEBUG(D_tls) debug_printf("tls_do_write(%lx, %d)\n", (long) buff, left);
1163 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %lx, %d)\n", (long)buff,
1165 outbytes = gnutls_record_send(tls_session, CS buff, left);
1167 DEBUG(D_tls) debug_printf("outbytes=%d\n", outbytes);
1170 record_io_error(outbytes, US"send", NULL);
1175 record_io_error(0, US"send", US"TLS channel closed on write");
1188 /*************************************************
1189 * Close down a TLS session *
1190 *************************************************/
1192 /* This is also called from within a delivery subprocess forked from the
1193 daemon, to shut down the TLS library, without actually doing a shutdown (which
1194 would tamper with the TLS session in the parent process).
1196 Arguments: TRUE if gnutls_bye is to be called
1201 tls_close(BOOL shutdown)
1203 if (tls_active < 0) return; /* TLS was not active */
1207 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
1208 gnutls_bye(tls_session, GNUTLS_SHUT_WR);
1211 gnutls_deinit(tls_session);
1213 gnutls_global_deinit();
1218 /* End of tls-gnu.c */