1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* Copyright (c) Phil Pennock 2012 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
11 one of the available supported implementations. This file is #included into
12 tls.c when USE_GNUTLS has been set.
14 The code herein is a revamp of GnuTLS integration using the current APIs; the
15 original tls-gnu.c was based on a patch which was contributed by Nikos
16 Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
19 APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20 which is not widely deployed by OS vendors. Will note issues below, which may
21 assist in updating the code in the future. Another sources of hints is
22 mod_gnutls for Apache (SNI callback registration and handling).
24 Keeping client and server variables more split than before and is currently
25 the norm, in anticipation of TLS in ACL callouts.
27 I wanted to switch to gnutls_certificate_set_verify_function() so that
28 certificate rejection could happen during handshake where it belongs, rather
29 than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30 (6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
32 (I wasn't looking for libraries quite that old, when updating to get rid of
33 compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34 require current GnuTLS, then we'll drop support for the ancient libraries).
37 #include <gnutls/gnutls.h>
38 /* needed for cert checks in verification and DN extraction: */
39 #include <gnutls/x509.h>
40 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41 #include <gnutls/crypto.h>
43 /* needed to disable PKCS11 autoload unless requested */
44 #if GNUTLS_VERSION_NUMBER >= 0x020c00
45 # include <gnutls/pkcs11.h>
46 # define SUPPORT_PARAM_TO_PK_BITS
48 #if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
49 # warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
52 #if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
53 # warning "GnuTLS library version too old; tls:cert event unsupported"
54 # define DISABLE_EVENT
56 #if GNUTLS_VERSION_NUMBER >= 0x030000
57 # define SUPPORT_SELFSIGN /* Uncertain what version is first usable but 2.12.23 is not */
59 #if GNUTLS_VERSION_NUMBER >= 0x030306
60 # define SUPPORT_CA_DIR
62 # undef SUPPORT_CA_DIR
64 #if GNUTLS_VERSION_NUMBER >= 0x030014
65 # define SUPPORT_SYSDEFAULT_CABUNDLE
67 #if GNUTLS_VERSION_NUMBER >= 0x030104
68 # define GNUTLS_CERT_VFY_STATUS_PRINT
70 #if GNUTLS_VERSION_NUMBER >= 0x030109
73 #if GNUTLS_VERSION_NUMBER >= 0x03010a
74 # define SUPPORT_GNUTLS_SESS_DESC
76 #if GNUTLS_VERSION_NUMBER >= 0x030300
77 # define GNUTLS_AUTO_GLOBAL_INIT
78 # define GNUTLS_AUTO_PKCS11_MANUAL
80 #if (GNUTLS_VERSION_NUMBER >= 0x030404) \
81 || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
83 # define EXIM_HAVE_OCSP
86 #if GNUTLS_VERSION_NUMBER >= 0x030500
87 # define SUPPORT_GNUTLS_KEYLOG
89 #if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
90 # define SUPPORT_SRV_OCSP_STACK
92 #if GNUTLS_VERSION_NUMBER >= 0x030603
93 # define EXIM_HAVE_TLS1_3
94 # define SUPPORT_GNUTLS_EXT_RAW_PARSE
95 # define GNUTLS_OCSP_STATUS_REQUEST_GET2
99 # if GNUTLS_VERSION_NUMBER >= 0x030000
100 # define DANESSL_USAGE_DANE_TA 2
101 # define DANESSL_USAGE_DANE_EE 3
103 # error GnuTLS version too early for DANE
105 # if GNUTLS_VERSION_NUMBER < 0x999999
106 # define GNUTLS_BROKEN_DANE_VALIDATION
110 #ifndef DISABLE_TLS_RESUME
111 # if GNUTLS_VERSION_NUMBER >= 0x030603
112 # define EXIM_HAVE_TLS_RESUME
114 # warning "GnuTLS library version too old; resumption unsupported"
118 #if GNUTLS_VERSION_NUMBER >= 0x030200
119 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
120 # define EXIM_HAVE_ALPN
124 #if GNUTLS_VERSION_NUMBER >= 0x030702
125 # define HAVE_GNUTLS_EXPORTER
129 # include <gnutls/ocsp.h>
132 # include <gnutls/dane.h>
135 #include "tls-cipher-stdname.c"
142 # ifndef DISABLE_TLS_RESUME
143 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
145 # ifdef EXIM_HAVE_TLS1_3
146 builtin_macro_create(US"_HAVE_TLS1_3");
148 # ifdef EXIM_HAVE_OCSP
149 builtin_macro_create(US"_HAVE_TLS_OCSP");
151 # ifdef SUPPORT_SRV_OCSP_STACK
152 builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
154 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
155 builtin_macro_create(US"_HAVE_TLS_CA_CACHE");
157 # ifdef EXIM_HAVE_ALPN
158 builtin_macro_create(US"_HAVE_TLS_ALPN");
167 gnutls_global_set_audit_log_function()
170 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
173 /* Local static variables for GnuTLS */
175 /* Values for verify_requirement */
177 enum peer_verify_requirement
178 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
180 /* This holds most state for server or client; with this, we can set up an
181 outbound TLS-enabled connection in an ACL callout, while not stomping all
182 over the TLS variables available for expansion.
184 Some of these correspond to variables in globals.c; those variables will
185 be set to point to content in one of these instances, as appropriate for
186 the stage of the process lifetime.
188 Not handled here: global tlsp->tls_channelbinding.
191 typedef struct exim_gnutls_state {
192 gnutls_session_t session;
194 exim_tlslib_state lib_state;
195 #define x509_cred libdata0
196 #define pri_cache libdata1
198 enum peer_verify_requirement verify_requirement;
202 BOOL peer_cert_verified:1;
203 BOOL peer_dane_verified:1;
204 BOOL trigger_sni_changes:1;
205 BOOL have_set_peerdn:1;
206 BOOL xfer_eof:1; /*XXX never gets set! */
212 const struct host_item *host; /* NULL if server */
213 gnutls_x509_crt_t peercert;
216 uschar *received_sni;
218 const uschar *tls_certificate;
219 const uschar *tls_privatekey;
220 const uschar *tls_sni; /* client send only, not received */
221 const uschar *tls_verify_certificates;
222 const uschar *tls_crl;
223 const uschar *tls_require_ciphers;
225 uschar *exp_tls_certificate;
226 uschar *exp_tls_privatekey;
227 uschar *exp_tls_verify_certificates;
229 uschar *exp_tls_require_ciphers;
230 const uschar *exp_tls_verify_cert_hostnames;
231 #ifndef DISABLE_EVENT
232 uschar *event_action;
235 char * const * dane_data;
236 const int * dane_data_len;
239 tls_support *tlsp; /* set in tls_init() */
244 } exim_gnutls_state_st;
246 static const exim_gnutls_state_st exim_gnutls_state_init = {
247 /* all elements not explicitly intialised here get 0/NULL/FALSE */
252 /* Not only do we have our own APIs which don't pass around state, assuming
253 it's held in globals, GnuTLS doesn't appear to let us register callback data
254 for callbacks, or as part of the session, so we have to keep a "this is the
255 context we're currently dealing with" pointer and rely upon being
256 single-threaded to keep from processing data on an inbound TLS connection while
257 talking to another TLS connection for an outbound check. This does mean that
258 there's no way for heart-beats to be responded to, for the duration of the
260 XXX But see gnutls_session_get_ptr()
263 static exim_gnutls_state_st state_server = {
264 /* all elements not explicitly intialised here get 0/NULL/FALSE */
269 /* dh_params are initialised once within the lifetime of a process using TLS;
270 if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
271 don't want to repeat this. */
273 static gnutls_dh_params_t dh_server_params = NULL;
275 static int ssl_session_timeout = 7200; /* Two hours */
277 static const uschar * const exim_default_gnutls_priority = US"NORMAL";
279 /* Guard library core initialisation */
281 static BOOL exim_gnutls_base_init_done = FALSE;
284 static BOOL gnutls_buggy_ocsp = FALSE;
285 static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
288 #ifdef EXIM_HAVE_ALPN
289 static int server_seen_alpn = -1; /* count of names */
291 #ifdef EXIM_HAVE_TLS_RESUME
292 static gnutls_datum_t server_sessticket_key;
296 /* ------------------------------------------------------------------------ */
299 #define MAX_HOST_LEN 255
301 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
302 the library logging; a value less than 0 disables the calls to set up logging
303 callbacks. GNuTLS also looks for an environment variable - except not for
304 setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
305 Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
306 but the env var must be added to /etc/sudoers too. */
307 #ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
308 # define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
311 #ifndef EXIM_CLIENT_DH_MIN_BITS
312 # define EXIM_CLIENT_DH_MIN_BITS 1024
315 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
316 can ask for a bit-strength. Without that, we stick to the constant we had
318 #ifndef EXIM_SERVER_DH_BITS_PRE2_12
319 # define EXIM_SERVER_DH_BITS_PRE2_12 1024
322 #define Expand_check_tlsvar(Varname, errstr) \
323 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
325 #if GNUTLS_VERSION_NUMBER >= 0x020c00
326 # define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
327 # define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
328 # define HAVE_GNUTLS_RND
329 /* The security fix we provide with the gnutls_allow_auto_pkcs11 option
330 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
331 * isn't available sometimes, so this needs to become a conditional
332 * compilation; the sanest way to deal with this being a problem on
333 * older OSes is to block it in the Local/Makefile with this compiler
335 # ifndef AVOID_GNUTLS_PKCS11
336 # define HAVE_GNUTLS_PKCS11
337 # endif /* AVOID_GNUTLS_PKCS11 */
340 #if GNUTLS_VERSION_NUMBER >= 0x030404
341 # define HAVE_GNUTLS_PRF_RFC5705
346 /* ------------------------------------------------------------------------ */
347 /* Callback declarations */
349 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
350 static void exim_gnutls_logger_cb(int level, const char *message);
353 static int exim_sni_handling_cb(gnutls_session_t session);
355 #ifdef EXIM_HAVE_TLS_RESUME
357 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
358 unsigned incoming, const gnutls_datum_t * msg);
362 /*************************************************
364 *************************************************/
366 /* Called from lots of places when errors occur before actually starting to do
367 the TLS handshake, that is, while the session is still in clear. Always returns
368 DEFER for a server and FAIL for a client so that most calls can use "return
369 tls_error(...)" to do this processing and then give an appropriate return. A
370 single function is used for both server and client, because it is called from
371 some shared functions.
374 prefix text to include in the logged error
375 msg additional error string (may be NULL)
376 usually obtained from gnutls_strerror()
377 host NULL if setting up a server;
378 the connected host if setting up a client
379 errstr pointer to returned error string
381 Returns: OK/DEFER/FAIL
385 tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
389 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
390 return host ? FAIL : DEFER;
395 tls_error_gnu(exim_gnutls_state_st * state, const uschar *prefix, int err,
398 return tls_error(prefix,
399 state && err == GNUTLS_E_FATAL_ALERT_RECEIVED
400 ? US gnutls_alert_get_name(gnutls_alert_get(state->session))
401 : US gnutls_strerror(err),
402 state ? state->host : NULL,
407 tls_error_sys(const uschar *prefix, int err, const host_item *host,
410 return tls_error(prefix, US strerror(err), host, errstr);
414 /* ------------------------------------------------------------------------ */
420 tls_is_buggy_ocsp(void)
423 uschar maj, mid, mic;
425 s = CUS gnutls_check_version(NULL);
429 while (*s && *s != '.') s++;
437 while (*s && *s != '.') s++;
439 return mic <= (mid == 3 ? 16 : 3);
449 tls_g_init(uschar ** errstr)
452 DEBUG(D_tls) debug_printf("GnuTLS global init required\n");
454 #if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
455 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
456 which loads modules from a config file, which sounds good and may be wanted
457 by some sysadmin, but also means in common configurations that GNOME keyring
458 environment variables are used and so breaks for users calling mailq.
459 To prevent this, we init PKCS11 first, which is the documented approach. */
461 if (!gnutls_allow_auto_pkcs11)
462 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
463 return tls_error_gnu(NULL, US"gnutls_pkcs11_init", rc, errstr);
466 #ifndef GNUTLS_AUTO_GLOBAL_INIT
467 if ((rc = gnutls_global_init()))
468 return tls_error_gnu(NULL, US"gnutls_global_init", rc, errstr);
471 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
474 gnutls_global_set_log_function(exim_gnutls_logger_cb);
475 /* arbitrarily chosen level; bump up to 9 for more */
476 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
481 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
482 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
485 exim_gnutls_base_init_done = TRUE;
491 /* Daemon-call before each connection. Nothing to do for GnuTLS. */
494 tls_per_lib_daemon_tick(void)
498 /* Daemon one-time initialisation */
501 tls_per_lib_daemon_init(void)
503 uschar * dummy_errstr;
504 static BOOL once = FALSE;
506 if (!exim_gnutls_base_init_done)
507 tls_g_init(&dummy_errstr);
513 #ifdef EXIM_HAVE_TLS_RESUME
514 /* We are dependent on the GnuTLS implementation of the Session Ticket
515 encryption; both the strength and the key rotation period. We hope that
516 the strength at least matches that of the ciphersuite (but GnuTLS does not
519 gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
520 if (f.running_in_test_harness) ssl_session_timeout = 6;
523 tls_daemon_creds_reload();
527 /* ------------------------------------------------------------------------ */
529 /*************************************************
530 * Deal with logging errors during I/O *
531 *************************************************/
533 /* We have to get the identity of the peer from saved data.
536 state the current GnuTLS exim state container
537 rc the GnuTLS error code, or 0 if it's a local error
538 when text identifying read or write
539 text local error text when rc is 0
545 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
550 msg = rc == GNUTLS_E_FATAL_ALERT_RECEIVED
551 ? string_sprintf("A TLS fatal alert has been received: %s",
552 US gnutls_alert_get_name(gnutls_alert_get(state->session)))
553 #ifdef GNUTLS_E_PREMATURE_TERMINATION
554 : rc == GNUTLS_E_PREMATURE_TERMINATION && errno
555 ? string_sprintf("%s: syscall: %s", US gnutls_strerror(rc), strerror(errno))
557 : US gnutls_strerror(rc);
559 (void) tls_error(when, msg, state->host, &errstr);
562 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
563 state->host->name, state->host->address, errstr);
566 uschar * conn_info = smtp_get_connection_info();
567 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
568 /* I'd like to get separated H= here, but too hard for now */
569 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
576 /*************************************************
577 * Set various Exim expansion vars *
578 *************************************************/
580 #define exim_gnutls_cert_err(Label) \
583 if (rc != GNUTLS_E_SUCCESS) \
585 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
586 (Label), gnutls_strerror(rc)); \
592 import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
596 rc = gnutls_x509_crt_init(crtp);
597 exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
599 rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
600 exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
605 #undef exim_gnutls_cert_err
608 /* We set various Exim global variables from the state, once a session has
609 been established. With TLS callouts, may need to change this to stack
610 variables, or just re-call it with the server state after client callout
613 Make sure anything set here is unset in tls_getc().
617 tls_bits strength indicator
618 tls_certificate_verified bool indicator
619 tls_channelbinding for some SASL mechanisms
622 tls_peercert pointer to library internal
624 tls_sni a (UTF-8) string
625 tls_ourcert pointer to library internal
628 state the relevant exim_gnutls_state_st *
632 extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
634 tls_support * tlsp = state->tlsp;
636 tlsp->active.sock = state->fd_out;
637 tlsp->active.tls_ctx = state;
639 DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
641 tlsp->certificate_verified = state->peer_cert_verified;
643 tlsp->dane_verified = state->peer_dane_verified;
646 /* note that tls_channelbinding is not saved to the spool file, since it's
647 only available for use for authenticators while this TLS session is running. */
649 tlsp->channelbinding = NULL;
650 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
652 gnutls_datum_t channel = {.data = NULL, .size = 0};
655 # ifdef HAVE_GNUTLS_EXPORTER
656 if (gnutls_protocol_get_version(state->session) >= GNUTLS_TLS1_3)
658 rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_EXPORTER, &channel);
659 tlsp->channelbind_exporter = TRUE;
662 # elif defined(HAVE_GNUTLS_PRF_RFC5705)
663 /* Older libraries may not have GNUTLS_TLS1_3 defined! */
664 if (gnutls_protocol_get_version(state->session) > GNUTLS_TLS1_2)
666 uschar * buf = store_get(32, state->host ? GET_TAINTED : GET_UNTAINTED);
667 rc = gnutls_prf_rfc5705(state->session,
668 (size_t)24, "EXPORTER-Channel-Binding", (size_t)0, "",
675 rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
678 { DEBUG(D_tls) debug_printf("extracting channel binding: %s\n", gnutls_strerror(rc)); }
681 int old_pool = store_pool;
682 /* Declare the taintedness of the binding info. On server, untainted; on
683 client, tainted if we used the Finish msg from the server. */
685 store_pool = POOL_PERM;
686 tlsp->channelbinding = b64encode_taint(CUS channel.data, (int)channel.size,
687 !tlsp->channelbind_exporter && state->host ? GET_TAINTED : GET_UNTAINTED);
688 store_pool = old_pool;
689 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage\n");
694 /* peercert is set in peer_status() */
695 tlsp->peerdn = state->peerdn;
697 /* do not corrupt sni sent by client; record sni rxd by server */
699 tlsp->sni = state->received_sni;
701 /* record our certificate */
703 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
704 gnutls_x509_crt_t crt;
706 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
713 /*************************************************
714 * Setup up DH parameters *
715 *************************************************/
717 /* Generating the D-H parameters may take a long time. They only need to
718 be re-generated every so often, depending on security policy. What we do is to
719 keep these parameters in a file in the spool directory. If the file does not
720 exist, we generate them. This means that it is easy to cause a regeneration.
722 The new file is written as a temporary file and renamed, so that an incomplete
723 file is never present. If two processes both compute some new parameters, you
724 waste a bit of effort, but it doesn't seem worth messing around with locking to
727 Returns: OK/DEFER/FAIL
731 init_server_dh(uschar ** errstr)
734 unsigned int dh_bits;
736 uschar filename_buf[PATH_MAX];
737 uschar *filename = NULL;
739 uschar *exp_tls_dhparam;
740 BOOL use_file_in_spool = FALSE;
741 host_item *host = NULL; /* dummy for macros */
743 DEBUG(D_tls) debug_printf("Initialising GnuTLS server params\n");
745 if ((rc = gnutls_dh_params_init(&dh_server_params)))
746 return tls_error_gnu(NULL, US"gnutls_dh_params_init", rc, errstr);
751 if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
754 if (!exp_tls_dhparam)
756 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
757 m.data = US std_dh_prime_default();
758 m.size = Ustrlen(m.data);
760 else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
761 use_file_in_spool = TRUE;
762 else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
764 DEBUG(D_tls) debug_printf("Requested no DH parameters\n");
767 else if (exp_tls_dhparam[0] != '/')
769 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
770 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
771 m.size = Ustrlen(m.data);
774 filename = exp_tls_dhparam;
778 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
779 return tls_error_gnu(NULL, US"gnutls_dh_params_import_pkcs3", rc, errstr);
780 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
784 #ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
785 /* If you change this constant, also change dh_param_fn_ext so that we can use a
786 different filename and ensure we have sufficient bits. */
788 if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
789 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
791 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits\n",
794 dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
796 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits\n",
800 /* Some clients have hard-coded limits. */
801 if (dh_bits > tls_dh_max_bits)
804 debug_printf("tls_dh_max_bits clamping override, using %d bits instead\n",
806 dh_bits = tls_dh_max_bits;
809 if (use_file_in_spool)
811 if (!string_format(filename_buf, sizeof(filename_buf),
812 "%s/gnutls-params-%d", spool_directory, dh_bits))
813 return tls_error(US"overlong filename", NULL, NULL, errstr);
814 filename = filename_buf;
817 /* Open the cache file for reading and if successful, read it and set up the
820 if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
826 if (fstat(fd, &statbuf) < 0) /* EIO */
830 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
832 if (!S_ISREG(statbuf.st_mode))
835 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
837 if (!(fp = fdopen(fd, "rb")))
841 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
842 saved_errno, NULL, errstr);
845 m.size = statbuf.st_size;
846 if (!(m.data = store_malloc(m.size)))
849 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
851 if (!(sz = fread(m.data, m.size, 1, fp)))
856 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
860 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
863 return tls_error_gnu(NULL, US"gnutls_dh_params_import_pkcs3", rc, errstr);
864 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
867 /* If the file does not exist, fall through to compute new data and cache it.
868 If there was any other opening error, it is serious. */
870 else if (errno == ENOENT)
874 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
877 return tls_error(string_open_failed("\"%s\" for reading", filename),
880 /* If ret < 0, either the cache file does not exist, or the data it contains
881 is not useful. One particular case of this is when upgrading from an older
882 release of Exim in which the data was stored in a different format. We don't
883 try to be clever and support both formats; we just regenerate new data in this
889 unsigned int dh_bits_gen = dh_bits;
891 if ((PATH_MAX - Ustrlen(filename)) < 10)
892 return tls_error(US"Filename too long to generate replacement",
893 filename, NULL, errstr);
895 temp_fn = string_copy(US"exim-dh.XXXXXXX");
896 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
897 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
898 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
900 /* GnuTLS overshoots!
901 * If we ask for 2236, we might get 2237 or more.
902 * But there's no way to ask GnuTLS how many bits there really are.
903 * We can ask how many bits were used in a TLS session, but that's it!
904 * The prime itself is hidden behind too much abstraction.
905 * So we ask for less, and proceed on a wing and a prayer.
906 * First attempt, subtracted 3 for 2233 and got 2240.
908 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
910 dh_bits_gen = dh_bits - 10;
912 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
917 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
919 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
920 return tls_error_gnu(NULL, US"gnutls_dh_params_generate2", rc, errstr);
922 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
923 and I confirmed that a NULL call to get the size first is how the GnuTLS
924 sample apps handle this. */
928 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
929 GNUTLS_X509_FMT_PEM, m.data, &sz))
930 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
931 return tls_error_gnu(NULL, US"gnutls_dh_params_export_pkcs3(NULL) sizing",
934 if (!(m.data = store_malloc(m.size)))
935 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
937 /* this will return a size 1 less than the allocation size above */
938 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
942 return tls_error_gnu(NULL, US"gnutls_dh_params_export_pkcs3() real", rc, errstr);
944 m.size = sz; /* shrink by 1, probably */
946 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
949 return tls_error_sys(US"TLS cache write D-H params failed",
950 errno, NULL, errstr);
953 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
954 return tls_error_sys(US"TLS cache write D-H params final newline failed",
955 errno, NULL, errstr);
957 if ((rc = close(fd)))
958 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
960 if (Urename(temp_fn, filename) < 0)
961 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
962 temp_fn, filename), errno, NULL, errstr);
964 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
967 DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
974 /* Create and install a selfsigned certificate, for use in server mode. */
977 tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
979 gnutls_x509_crt_t cert = NULL;
981 gnutls_x509_privkey_t pkey = NULL;
982 const uschar * where;
985 #ifndef SUPPORT_SELFSIGN
986 where = US"library too old";
987 rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
991 DEBUG(D_tls) debug_printf("TLS: generating selfsigned server cert\n");
992 where = US"initialising pkey";
993 if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
995 where = US"initialising cert";
996 if ((rc = gnutls_x509_crt_init(&cert))) goto err;
998 where = US"generating pkey"; /* Hangs on 2.12.23 */
999 if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
1000 #ifdef SUPPORT_PARAM_TO_PK_BITS
1001 # ifndef GNUTLS_SEC_PARAM_MEDIUM
1002 # define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
1004 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
1011 where = US"configuring cert";
1013 if ( (rc = gnutls_x509_crt_set_version(cert, 3))
1014 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
1015 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
1016 || (rc = gnutls_x509_crt_set_expiration_time(cert, (long)2 * 60 * 60)) /* 2 hour */
1017 || (rc = gnutls_x509_crt_set_key(cert, pkey))
1019 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
1020 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
1021 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
1022 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
1023 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
1024 GNUTLS_OID_X520_COMMON_NAME, 0,
1025 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
1029 where = US"signing cert";
1030 if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
1032 where = US"installing selfsign cert";
1034 if ((rc = gnutls_certificate_set_x509_key(state->lib_state.x509_cred,
1041 if (cert) gnutls_x509_crt_deinit(cert);
1042 if (pkey) gnutls_x509_privkey_deinit(pkey);
1046 rc = tls_error_gnu(state, where, rc, errstr);
1053 /* Add certificate and key, from files.
1056 Zero or negative: good. Negate value for certificate index if < 0.
1057 Greater than zero: FAIL or DEFER code.
1061 tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
1062 const uschar * certfile, const uschar * keyfile, uschar ** errstr)
1064 int rc = gnutls_certificate_set_x509_key_file(state->lib_state.x509_cred,
1065 CCS certfile, CCS keyfile, GNUTLS_X509_FMT_PEM);
1067 return tls_error_gnu(state,
1068 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
1074 #if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1075 /* Load an OCSP proof from file for sending by the server. Called
1076 on getting a status-request handshake message, for earlier versions
1080 server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1081 gnutls_datum_t * ocsp_response)
1084 DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
1086 if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1088 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
1090 tls_in.ocsp = OCSP_NOT_RESP;
1091 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1094 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1100 #ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1101 /* Make a note that we saw a status-request */
1103 tls_server_clienthello_ext(void * ctx, unsigned tls_id,
1104 const uschar * data, unsigned size)
1106 /* The values for tls_id are documented here:
1107 https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
1110 case 5: /* Status Request */
1111 DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
1112 tls_in.ocsp = OCSP_NOT_RESP;
1114 #ifdef EXIM_HAVE_ALPN
1115 case 16: /* Application Layer Protocol Notification */
1116 /* The format of "data" here doesn't seem to be documented, but appears
1117 to be a 2-byte field with a (redundant, given the "size" arg) total length
1118 then a sequence of one-byte size then string (not nul-term) names. The
1119 latter is as described in OpenSSL documentation. */
1121 DEBUG(D_tls) debug_printf("Seen ALPN extension from client (s=%u):", size);
1122 for (const uschar * s = data+2; s-data < size-1; s += *s + 1)
1125 DEBUG(D_tls) debug_printf(" '%.*s'", (int)*s, s+1);
1127 DEBUG(D_tls) debug_printf("\n");
1128 if (server_seen_alpn > 1)
1130 DEBUG(D_tls) debug_printf("TLS: too many ALPNs presented in handshake\n");
1131 return GNUTLS_E_NO_APPLICATION_PROTOCOL;
1139 /* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
1141 tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
1142 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
1144 /* Call fn for each extension seen. 3.6.3 onwards */
1145 int rc = gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
1146 GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
1147 return rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE ? 0 : rc;
1151 # ifdef notdef_crashes
1152 /* Make a note that we saw a status-response */
1154 tls_server_servercerts_ext(void * ctx, unsigned tls_id,
1155 const unsigned char *data, unsigned size)
1157 /* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
1158 /* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
1159 if (FALSE && tls_id == 5) /* status_request */
1161 DEBUG(D_tls) debug_printf("Seen status_request extension\n");
1162 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
1163 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
1169 /* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
1171 tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
1172 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
1174 /* Call fn for each extension seen. 3.6.3 onwards */
1175 # ifdef notdef_crashes
1177 return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
1180 #endif /*SUPPORT_GNUTLS_EXT_RAW_PARSE*/
1182 /*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
1183 "Handshake Protocol: Certificate" record.
1184 So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
1186 This is different to tls1.2 - where it is a separate record (wireshark term) / handshake message (gnutls term).
1189 #if defined(EXIM_HAVE_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1190 /* Callback for certificate-status, on server. We sent stapled OCSP. */
1192 tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
1193 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
1195 DEBUG(D_tls) debug_printf("Sending certificate-status\n"); /*XXX we get this for tls1.2 but not for 1.3 */
1196 # ifdef SUPPORT_SRV_OCSP_STACK
1197 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
1198 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
1200 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1205 /* Callback for handshake messages, on server */
1207 tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
1208 unsigned incoming, const gnutls_datum_t * msg)
1210 /* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
1213 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1214 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1215 return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
1216 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1217 return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
1219 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1220 return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
1221 # ifdef EXIM_HAVE_TLS_RESUME
1222 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1223 return tls_server_ticket_cb(sess, htype, when, incoming, msg);
1232 #if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1234 tls_server_testharness_ocsp_fiddle(void)
1236 extern char ** environ;
1237 if (environ) for (uschar ** p = USS environ; *p; p++)
1238 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1240 DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
1241 exim_testharness_disable_ocsp_validity_check = TRUE;
1246 /**************************************************
1247 * One-time init credentials for server and client *
1248 **************************************************/
1251 creds_basic_init(gnutls_certificate_credentials_t x509_cred, BOOL server)
1253 #ifdef SUPPORT_SRV_OCSP_STACK
1254 gnutls_certificate_set_flags(x509_cred, GNUTLS_CERTIFICATE_API_V2);
1256 # if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1257 if (server && tls_ocsp_file)
1259 if (f.running_in_test_harness)
1260 tls_server_testharness_ocsp_fiddle();
1262 if (exim_testharness_disable_ocsp_validity_check)
1263 gnutls_certificate_set_flags(x509_cred,
1264 GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
1269 debug_printf("TLS: basic cred init, %s\n", server ? "server" : "client");
1273 creds_load_server_certs(exim_gnutls_state_st * state, const uschar * cert,
1274 const uschar * pkey, const uschar * ocsp, uschar ** errstr)
1276 const uschar * clist = cert;
1277 const uschar * klist = pkey;
1278 const uschar * olist;
1279 int csep = 0, ksep = 0, osep = 0, cnt = 0, rc;
1280 uschar * cfile, * kfile, * ofile;
1281 #ifndef DISABLE_OCSP
1282 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1283 gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
1286 if (!expand_check(ocsp, US"tls_ocsp_file", &ofile, errstr))
1291 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
1293 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
1294 return tls_error(US"cert/key setup: out of keys", NULL, NULL, errstr);
1295 else if ((rc = tls_add_certfile(state, NULL, cfile, kfile, errstr)) > 0)
1299 int gnutls_cert_index = -rc;
1300 DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
1301 gnutls_cert_index, cfile);
1303 #ifndef DISABLE_OCSP
1306 /* Set the OCSP stapling server info */
1307 if (gnutls_buggy_ocsp)
1310 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1312 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1314 DEBUG(D_tls) debug_printf("OCSP response file %d = %s\n",
1315 gnutls_cert_index, ofile);
1316 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1317 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1319 ocsp_fmt = GNUTLS_X509_FMT_PEM;
1322 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1324 ocsp_fmt = GNUTLS_X509_FMT_DER;
1328 if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
1329 state->lib_state.x509_cred, CCS ofile, gnutls_cert_index,
1331 return tls_error_gnu(state,
1332 US"gnutls_certificate_set_ocsp_status_request_file2",
1335 debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
1337 /* Arrange callbacks for OCSP request observability */
1340 gnutls_handshake_set_hook_function(state->session,
1341 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1343 state->lib_state.ocsp_hook = TRUE;
1347 # if defined(SUPPORT_SRV_OCSP_STACK)
1348 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1349 state->lib_state.x509_cred, gnutls_cert_index,
1350 server_ocsp_stapling_cb, ofile)))
1351 return tls_error_gnu(state,
1352 US"gnutls_certificate_set_ocsp_status_request_function2",
1360 debug_printf("oops; multiple OCSP files not supported\n");
1363 gnutls_certificate_set_ocsp_status_request_function(
1364 state->lib_state.x509_cred, server_ocsp_stapling_cb, ofile);
1366 # endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
1369 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
1371 #endif /* DISABLE_OCSP */
1377 creds_load_client_certs(exim_gnutls_state_st * state, const host_item * host,
1378 const uschar * cert, const uschar * pkey, uschar ** errstr)
1380 int rc = tls_add_certfile(state, host, cert, pkey, errstr);
1381 if (rc > 0) return rc;
1382 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1387 creds_load_cabundle(exim_gnutls_state_st * state, const uschar * bundle,
1388 const host_item * host, uschar ** errstr)
1391 struct stat statbuf;
1393 #ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1394 if (Ustrcmp(bundle, "system") == 0 || Ustrncmp(bundle, "system,", 7) == 0)
1395 cert_count = gnutls_certificate_set_x509_system_trust(state->lib_state.x509_cred);
1399 if (Ustat(bundle, &statbuf) < 0)
1401 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
1402 "(tls_verify_certificates): %s", bundle, strerror(errno));
1406 #ifndef SUPPORT_CA_DIR
1407 /* The test suite passes in /dev/null; we could check for that path explicitly,
1408 but who knows if someone has some weird FIFO which always dumps some certs, or
1409 other weirdness. The thing we really want to check is that it's not a
1410 directory, since while OpenSSL supports that, GnuTLS does not.
1411 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
1412 if (S_ISDIR(statbuf.st_mode))
1414 log_write(0, LOG_MAIN|LOG_PANIC,
1415 "tls_verify_certificates \"%s\" is a directory", bundle);
1420 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1421 bundle, statbuf.st_size);
1423 if (statbuf.st_size == 0)
1426 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1432 #ifdef SUPPORT_CA_DIR
1433 (statbuf.st_mode & S_IFMT) == S_IFDIR
1435 gnutls_certificate_set_x509_trust_dir(state->lib_state.x509_cred,
1436 CS bundle, GNUTLS_X509_FMT_PEM)
1439 gnutls_certificate_set_x509_trust_file(state->lib_state.x509_cred,
1440 CS bundle, GNUTLS_X509_FMT_PEM);
1442 #ifdef SUPPORT_CA_DIR
1443 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1444 when using the directory-of-certs config model. */
1446 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1448 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1450 state->lib_state.ca_rdn_emulate = TRUE;
1455 return tls_error_gnu(state, US"setting certificate trust", cert_count, errstr);
1457 debug_printf("Added %d certificate authorities\n", cert_count);
1464 creds_load_crl(exim_gnutls_state_st * state, const uschar * crl, uschar ** errstr)
1467 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", crl);
1468 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->lib_state.x509_cred,
1469 CS crl, GNUTLS_X509_FMT_PEM)) < 0)
1470 return tls_error_gnu(state, US"gnutls_certificate_set_x509_crl_file",
1471 cert_count, errstr);
1473 DEBUG(D_tls) debug_printf("Processed %d CRLs\n", cert_count);
1479 creds_load_pristring(exim_gnutls_state_st * state, const uschar * p,
1480 const char ** errpos)
1484 p = exim_default_gnutls_priority;
1486 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
1488 return gnutls_priority_init( (gnutls_priority_t *) &state->lib_state.pri_cache,
1493 tls_server_creds_init(void)
1495 uschar * dummy_errstr;
1496 unsigned lifetime = 0;
1498 state_server.lib_state = null_tls_preload;
1499 if (gnutls_certificate_allocate_credentials(
1500 (gnutls_certificate_credentials_t *) &state_server.lib_state.x509_cred))
1502 state_server.lib_state.x509_cred = NULL;
1505 creds_basic_init(state_server.lib_state.x509_cred, TRUE);
1507 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1508 /* If tls_certificate has any $ indicating expansions, it is not good.
1509 If tls_privatekey is set but has $, not good. Likewise for tls_ocsp_file.
1510 If all good (and tls_certificate set), load the cert(s). */
1512 if ( opt_set_and_noexpand(tls_certificate)
1513 # ifndef DISABLE_OCSP
1514 && opt_unset_or_noexpand(tls_ocsp_file)
1516 && opt_unset_or_noexpand(tls_privatekey))
1518 /* Set watches on the filenames. The implementation does de-duplication
1519 so we can just blindly do them all.
1522 if ( tls_set_watch(tls_certificate, TRUE)
1523 # ifndef DISABLE_OCSP
1524 && tls_set_watch(tls_ocsp_file, TRUE)
1526 && tls_set_watch(tls_privatekey, TRUE))
1528 DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
1529 if (creds_load_server_certs(&state_server, tls_certificate,
1530 tls_privatekey && *tls_privatekey ? tls_privatekey : tls_certificate,
1531 # ifdef DISABLE_OCSP
1536 &dummy_errstr) == 0)
1537 state_server.lib_state.conn_certs = TRUE;
1540 else if ( !tls_certificate && !tls_privatekey
1541 # ifndef DISABLE_OCSP
1545 { /* Generate & preload a selfsigned cert. No files to watch. */
1546 if ((tls_install_selfsign(&state_server, &dummy_errstr)) == OK)
1548 state_server.lib_state.conn_certs = TRUE;
1549 lifetime = f.running_in_test_harness ? 2 : 60 * 60; /* 1 hour */
1553 DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
1555 /* If tls_verify_certificates is non-empty and has no $, load CAs.
1556 If none was configured and we can't handle "system", treat as empty. */
1558 if ( opt_set_and_noexpand(tls_verify_certificates)
1559 #ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1560 && Ustrcmp(tls_verify_certificates, "system") != 0
1564 if (tls_set_watch(tls_verify_certificates, FALSE))
1566 DEBUG(D_tls) debug_printf("TLS: preloading CA bundle for server\n");
1567 if (creds_load_cabundle(&state_server, tls_verify_certificates,
1568 NULL, &dummy_errstr) != OK)
1570 state_server.lib_state.cabundle = TRUE;
1572 /* If CAs loaded and tls_crl is non-empty and has no $, load it */
1574 if (opt_set_and_noexpand(tls_crl))
1576 if (tls_set_watch(tls_crl, FALSE))
1578 DEBUG(D_tls) debug_printf("TLS: preloading CRL for server\n");
1579 if (creds_load_crl(&state_server, tls_crl, &dummy_errstr) != OK)
1581 state_server.lib_state.crl = TRUE;
1585 DEBUG(D_tls) debug_printf("TLS: not preloading CRL for server\n");
1589 DEBUG(D_tls) debug_printf("TLS: not preloading CA bundle for server\n");
1590 #endif /* EXIM_HAVE_INOTIFY */
1592 /* If tls_require_ciphers is non-empty and has no $, load the
1593 ciphers priority cache. If unset, load with the default.
1594 (server-only as the client one depends on non/DANE) */
1596 if (!tls_require_ciphers || opt_set_and_noexpand(tls_require_ciphers))
1598 const char * dummy_errpos;
1599 DEBUG(D_tls) debug_printf("TLS: preloading cipher list for server: %s\n",
1600 tls_require_ciphers);
1601 if ( creds_load_pristring(&state_server, tls_require_ciphers, &dummy_errpos)
1603 state_server.lib_state.pri_string = TRUE;
1606 DEBUG(D_tls) debug_printf("TLS: not preloading cipher list for server\n");
1611 /* Preload whatever creds are static, onto a transport. The client can then
1612 just copy the pointer as it starts up. */
1614 /*XXX this is not called for a cmdline send. But one needing to use >1 conn would benefit,
1615 and there seems little downside. */
1618 tls_client_creds_init(transport_instance * t, BOOL watch)
1620 smtp_transport_options_block * ob = t->options_block;
1621 exim_gnutls_state_st tpt_dummy_state;
1622 host_item * dummy_host = (host_item *)1;
1623 uschar * dummy_errstr;
1625 if ( !exim_gnutls_base_init_done
1626 && tls_g_init(&dummy_errstr) != OK)
1629 ob->tls_preload = null_tls_preload;
1630 if (gnutls_certificate_allocate_credentials(
1631 (struct gnutls_certificate_credentials_st **)&ob->tls_preload.x509_cred))
1633 ob->tls_preload.x509_cred = NULL;
1636 creds_basic_init(ob->tls_preload.x509_cred, FALSE);
1638 tpt_dummy_state.session = NULL;
1639 tpt_dummy_state.lib_state = ob->tls_preload;
1641 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1642 if ( opt_set_and_noexpand(ob->tls_certificate)
1643 && opt_unset_or_noexpand(ob->tls_privatekey))
1646 || ( tls_set_watch(ob->tls_certificate, FALSE)
1647 && tls_set_watch(ob->tls_privatekey, FALSE)
1650 const uschar * pkey = ob->tls_privatekey;
1653 debug_printf("TLS: preloading client certs for transport '%s'\n", t->name);
1655 /* The state->lib_state.x509_cred is used for the certs load, and is the sole
1656 structure element used. So we can set up a dummy. The hoat arg only
1657 selects a retcode in case of fail, so any value */
1659 if (creds_load_client_certs(&tpt_dummy_state, dummy_host,
1660 ob->tls_certificate, pkey ? pkey : ob->tls_certificate,
1661 &dummy_errstr) == OK)
1662 ob->tls_preload.conn_certs = TRUE;
1667 debug_printf("TLS: not preloading client certs, for transport '%s'\n", t->name);
1669 /* If tls_verify_certificates is non-empty and has no $, load CAs.
1670 If none was configured and we can't handle "system", treat as empty. */
1672 if ( opt_set_and_noexpand(ob->tls_verify_certificates)
1673 #ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1674 && Ustrcmp(ob->tls_verify_certificates, "system") != 0
1678 if (!watch || tls_set_watch(ob->tls_verify_certificates, FALSE))
1681 debug_printf("TLS: preloading CA bundle for transport '%s'\n", t->name);
1682 if (creds_load_cabundle(&tpt_dummy_state, ob->tls_verify_certificates,
1683 dummy_host, &dummy_errstr) != OK)
1685 ob->tls_preload.cabundle = TRUE;
1687 if (opt_set_and_noexpand(ob->tls_crl))
1689 if (!watch || tls_set_watch(ob->tls_crl, FALSE))
1691 DEBUG(D_tls) debug_printf("TLS: preloading CRL for transport '%s'\n", t->name);
1692 if (creds_load_crl(&tpt_dummy_state, ob->tls_crl, &dummy_errstr) != OK)
1694 ob->tls_preload.crl = TRUE;
1698 DEBUG(D_tls) debug_printf("TLS: not preloading CRL, for transport '%s'\n", t->name);
1703 debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", t->name);
1705 /* We do not preload tls_require_ciphers to to the transport as it implicitly
1706 depends on DANE or plain usage. */
1712 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1713 /* Invalidate the creds cached, by dropping the current ones.
1714 Call when we notice one of the source files has changed. */
1717 tls_server_creds_invalidate(void)
1719 if (state_server.lib_state.pri_cache)
1720 gnutls_priority_deinit(state_server.lib_state.pri_cache);
1721 state_server.lib_state.pri_cache = NULL;
1723 if (state_server.lib_state.x509_cred)
1724 gnutls_certificate_free_credentials(state_server.lib_state.x509_cred);
1725 state_server.lib_state = null_tls_preload;
1730 tls_client_creds_invalidate(transport_instance * t)
1732 smtp_transport_options_block * ob = t->options_block;
1733 if (ob->tls_preload.x509_cred)
1734 gnutls_certificate_free_credentials(ob->tls_preload.x509_cred);
1735 ob->tls_preload = null_tls_preload;
1740 /*************************************************
1741 * Variables re-expanded post-SNI *
1742 *************************************************/
1744 /* Called from both server and client code, via tls_init(), and also from
1745 the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
1747 We can tell the two apart by state->received_sni being non-NULL in callback.
1749 The callback should not call us unless state->trigger_sni_changes is true,
1750 which we are responsible for setting on the first pass through.
1753 state exim_gnutls_state_st *
1754 errstr error string pointer
1756 Returns: OK/DEFER/FAIL
1760 tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
1763 const host_item *host = state->host; /* macro should be reconsidered? */
1764 const uschar *saved_tls_certificate = NULL;
1765 const uschar *saved_tls_privatekey = NULL;
1766 const uschar *saved_tls_verify_certificates = NULL;
1767 const uschar *saved_tls_crl = NULL;
1770 /* We check for tls_sni *before* expansion. */
1771 if (!host) /* server */
1772 if (!state->received_sni)
1774 if ( state->tls_certificate
1775 && ( Ustrstr(state->tls_certificate, US"tls_sni")
1776 || Ustrstr(state->tls_certificate, US"tls_in_sni")
1777 || Ustrstr(state->tls_certificate, US"tls_out_sni")
1780 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI\n");
1781 state->trigger_sni_changes = TRUE;
1784 else /* SNI callback case */
1786 /* useful for debugging */
1787 saved_tls_certificate = state->exp_tls_certificate;
1788 saved_tls_privatekey = state->exp_tls_privatekey;
1789 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
1790 saved_tls_crl = state->exp_tls_crl;
1793 if (!state->lib_state.x509_cred)
1795 if ((rc = gnutls_certificate_allocate_credentials(
1796 (gnutls_certificate_credentials_t *) &state->lib_state.x509_cred)))
1797 return tls_error_gnu(state, US"gnutls_certificate_allocate_credentials",
1799 creds_basic_init(state->lib_state.x509_cred, !host);
1803 /* remember: Expand_check_tlsvar() is expand_check() but fiddling with
1804 state members, assuming consistent naming; and expand_check() returns
1805 false if expansion failed, unless expansion was forced to fail. */
1807 /* check if we at least have a certificate, before doing expensive
1810 if (!state->lib_state.conn_certs)
1812 if (!Expand_check_tlsvar(tls_certificate, errstr))
1815 /* certificate is mandatory in server, optional in client */
1817 if ( !state->exp_tls_certificate
1818 || !*state->exp_tls_certificate
1821 return tls_install_selfsign(state, errstr);
1823 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
1825 if (state->tls_privatekey && !Expand_check_tlsvar(tls_privatekey, errstr))
1828 /* tls_privatekey is optional, defaulting to same file as certificate */
1830 if (!state->tls_privatekey || !*state->tls_privatekey)
1832 state->tls_privatekey = state->tls_certificate;
1833 state->exp_tls_privatekey = state->exp_tls_certificate;
1836 if (state->exp_tls_certificate && *state->exp_tls_certificate)
1839 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
1840 state->exp_tls_certificate, state->exp_tls_privatekey);
1842 if (state->received_sni)
1843 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
1844 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
1847 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
1848 load = FALSE; /* avoid re-loading the same certs */
1850 else /* unload the pre-SNI certs before loading new ones */
1852 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair\n");
1853 gnutls_certificate_free_keys(state->lib_state.x509_cred);
1858 ? creds_load_client_certs(state, host, state->exp_tls_certificate,
1859 state->exp_tls_privatekey, errstr)
1860 : creds_load_server_certs(state, state->exp_tls_certificate,
1861 state->exp_tls_privatekey,
1874 debug_printf("%s certs were preloaded\n", host ? "client" : "server");
1876 if (!state->tls_privatekey) state->tls_privatekey = state->tls_certificate;
1877 state->exp_tls_certificate = US state->tls_certificate;
1878 state->exp_tls_privatekey = US state->tls_privatekey;
1880 #ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1881 if (state->lib_state.ocsp_hook)
1882 gnutls_handshake_set_hook_function(state->session,
1883 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1888 /* Set the trusted CAs file if one is provided, and then add the CRL if one is
1889 provided. Experiment shows that, if the certificate file is empty, an unhelpful
1890 error message is provided. However, if we just refrain from setting anything up
1891 in that case, certificate verification fails, which seems to be the correct
1893 If none was configured and we can't handle "system", treat as empty. */
1895 if (!state->lib_state.cabundle)
1897 if (state->tls_verify_certificates && *state->tls_verify_certificates)
1899 if (!Expand_check_tlsvar(tls_verify_certificates, errstr))
1901 #ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1902 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1903 state->exp_tls_verify_certificates = NULL;
1905 if (state->tls_crl && *state->tls_crl)
1906 if (!Expand_check_tlsvar(tls_crl, errstr))
1909 if (!(state->exp_tls_verify_certificates &&
1910 *state->exp_tls_verify_certificates))
1913 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1914 /* With no tls_verify_certificates, we ignore tls_crl too */
1921 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1924 rc = creds_load_cabundle(state, state->exp_tls_verify_certificates, host, errstr);
1925 if (rc != OK) return rc;
1930 debug_printf("%s CA bundle was preloaded\n", host ? "client" : "server");
1931 state->exp_tls_verify_certificates = US state->tls_verify_certificates;
1933 #ifdef SUPPORT_CA_DIR
1934 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1935 when using the directory-of-certs config model. */
1936 if (state->lib_state.ca_rdn_emulate)
1937 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1942 if (!state->lib_state.crl)
1944 if ( state->tls_crl && *state->tls_crl
1945 && state->exp_tls_crl && *state->exp_tls_crl)
1946 return creds_load_crl(state, state->exp_tls_crl, errstr);
1951 debug_printf("%s CRL was preloaded\n", host ? "client" : "server");
1952 state->exp_tls_crl = US state->tls_crl;
1961 /*************************************************
1962 * Set X.509 state variables *
1963 *************************************************/
1965 /* In GnuTLS, the registered cert/key are not replaced by a later
1966 set of a cert/key, so for SNI support we need a whole new x509_cred
1967 structure. Which means various other non-re-expanded pieces of state
1968 need to be re-set in the new struct, so the setting logic is pulled
1972 state exim_gnutls_state_st *
1973 errstr error string pointer
1975 Returns: OK/DEFER/FAIL
1979 tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1982 const host_item *host = state->host; /* macro should be reconsidered? */
1984 /* Create D-H parameters, or read them from the cache file. This function does
1985 its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1986 client-side params. */
1990 if (!dh_server_params)
1991 if ((rc = init_server_dh(errstr)) != OK) return rc;
1993 /* Unnecessary & discouraged with 3.6.0 or later, according to docs. But without it,
1994 no DHE- ciphers are advertised. */
1995 gnutls_certificate_set_dh_params(state->lib_state.x509_cred, dh_server_params);
1998 /* Link the credentials to the session. */
2000 if ((rc = gnutls_credentials_set(state->session,
2001 GNUTLS_CRD_CERTIFICATE, state->lib_state.x509_cred)))
2002 return tls_error_gnu(state, US"gnutls_credentials_set", rc, errstr);
2007 /*************************************************
2008 * Initialize for GnuTLS *
2009 *************************************************/
2012 /* Called from both server and client code. In the case of a server, errors
2013 before actual TLS negotiation return DEFER.
2016 host connected host, if client; NULL if server
2017 ob tranport options block, if client; NULL if server
2018 require_ciphers tls_require_ciphers setting
2019 caller_state returned state-info structure
2020 errstr error string pointer
2022 Returns: OK/DEFER/FAIL
2027 const host_item *host,
2028 smtp_transport_options_block * ob,
2029 const uschar * require_ciphers,
2030 exim_gnutls_state_st **caller_state,
2034 exim_gnutls_state_st * state;
2038 if ( !exim_gnutls_base_init_done
2039 && (rc = tls_g_init(errstr)) != OK)
2044 /* For client-side sessions we allocate a context. This lets us run
2045 several in parallel. */
2047 int old_pool = store_pool;
2048 store_pool = POOL_PERM;
2049 state = store_get(sizeof(exim_gnutls_state_st), GET_UNTAINTED);
2050 store_pool = old_pool;
2052 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
2053 state->lib_state = ob->tls_preload;
2055 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
2056 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
2058 state->tls_certificate = ob->tls_certificate;
2059 state->tls_privatekey = ob->tls_privatekey;
2060 state->tls_sni = ob->tls_sni;
2061 state->tls_verify_certificates = ob->tls_verify_certificates;
2062 state->tls_crl = ob->tls_crl;
2066 /* Server operations always use the one state_server context. It is not
2067 shared because we have forked a fresh process for every receive. However it
2068 can get re-used for successive TLS sessions on a single TCP connection. */
2070 state = &state_server;
2072 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
2073 rc = gnutls_init(&state->session, GNUTLS_SERVER);
2075 state->tls_certificate = tls_certificate;
2076 state->tls_privatekey = tls_privatekey;
2077 state->tls_sni = NULL;
2078 state->tls_verify_certificates = tls_verify_certificates;
2079 state->tls_crl = tls_crl;
2082 return tls_error_gnu(state, US"gnutls_init", rc, errstr);
2084 state->tls_require_ciphers = require_ciphers;
2087 /* This handles the variables that might get re-expanded after TLS SNI;
2088 tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
2091 debug_printf("Expanding various TLS configuration options for session credentials\n");
2092 if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
2094 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
2095 requires a new structure afterwards. */
2097 if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
2099 /* set SNI in client, only */
2102 if (!expand_check(state->tls_sni, US"tls_out_sni", &state->tlsp->sni, errstr))
2104 if (state->tlsp->sni && *state->tlsp->sni)
2107 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
2108 sz = Ustrlen(state->tlsp->sni);
2109 if ((rc = gnutls_server_name_set(state->session,
2110 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
2111 return tls_error_gnu(state, US"gnutls_server_name_set", rc, errstr);
2114 else if (state->tls_sni)
2115 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
2116 "have an SNI set for a server [%s]\n", state->tls_sni);
2118 if (!state->lib_state.pri_string)
2120 const uschar * p = NULL;
2121 const char * errpos;
2123 /* This is the priority string support,
2124 http://www.gnutls.org/manual/html_node/Priority-Strings.html
2125 and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
2126 This was backwards incompatible, but means Exim no longer needs to track
2127 all algorithms and provide string forms for them. */
2129 if (state->tls_require_ciphers && *state->tls_require_ciphers)
2131 if (!Expand_check_tlsvar(tls_require_ciphers, errstr))
2133 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
2135 p = state->exp_tls_require_ciphers;
2136 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
2140 if ((rc = creds_load_pristring(state, p, &errpos)))
2141 return tls_error_gnu(state, string_sprintf(
2142 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
2143 p, (long)(errpos - CS p), errpos),
2148 DEBUG(D_tls) debug_printf("cipher list preloaded\n");
2149 state->exp_tls_require_ciphers = US state->tls_require_ciphers;
2153 if ((rc = gnutls_priority_set(state->session, state->lib_state.pri_cache)))
2154 return tls_error_gnu(state, US"gnutls_priority_set", rc, errstr);
2156 /* This also sets the server ticket expiration time to the same, and
2157 the STEK rotation time to 3x. */
2159 gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
2161 /* Reduce security in favour of increased compatibility, if the admin
2162 decides to make that trade-off. */
2163 if (gnutls_compat_mode)
2165 #if LIBGNUTLS_VERSION_NUMBER >= 0x020104
2166 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
2167 gnutls_session_enable_compatibility_mode(state->session);
2169 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
2173 *caller_state = state;
2179 /*************************************************
2180 * Extract peer information *
2181 *************************************************/
2183 static const uschar *
2184 cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
2185 gnutls_mac_algorithm_t mac)
2188 gnutls_kx_algorithm_t kx_i;
2189 gnutls_cipher_algorithm_t cipher_i;
2190 gnutls_mac_algorithm_t mac_i;
2193 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
2195 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
2196 return cipher_stdname(cs_id[0], cs_id[1]);
2202 /* Called from both server and client code.
2203 Only this is allowed to set state->peerdn and state->have_set_peerdn
2204 and we use that to detect double-calls.
2206 NOTE: the state blocks last while the TLS connection is up, which is fine
2207 for logging in the server side, but for the client side, we log after teardown
2208 in src/deliver.c. While the session is up, we can twist about states and
2209 repoint tls_* globals, but those variables used for logging or other variable
2210 expansion that happens _after_ delivery need to have a longer life-time.
2212 So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
2213 doing this more than once per generation of a state context. We set them in
2214 the state context, and repoint tls_* to them. After the state goes away, the
2215 tls_* copies of the pointers remain valid and client delivery logging is happy.
2217 tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
2221 state exim_gnutls_state_st *
2222 errstr pointer to error string
2224 Returns: OK/DEFER/FAIL
2228 peer_status(exim_gnutls_state_st * state, uschar ** errstr)
2230 gnutls_session_t session = state->session;
2231 const gnutls_datum_t * cert_list;
2233 unsigned int cert_list_size = 0;
2234 gnutls_protocol_t protocol;
2235 gnutls_cipher_algorithm_t cipher;
2236 gnutls_kx_algorithm_t kx;
2237 gnutls_mac_algorithm_t mac;
2238 gnutls_certificate_type_t ct;
2239 gnutls_x509_crt_t crt;
2243 if (state->have_set_peerdn)
2245 state->have_set_peerdn = TRUE;
2247 state->peerdn = NULL;
2250 cipher = gnutls_cipher_get(session);
2251 protocol = gnutls_protocol_get_version(session);
2252 mac = gnutls_mac_get(session);
2254 #ifdef GNUTLS_TLS1_3
2255 protocol >= GNUTLS_TLS1_3 ? 0 :
2257 gnutls_kx_get(session);
2259 old_pool = store_pool;
2261 tls_support * tlsp = state->tlsp;
2262 store_pool = POOL_PERM;
2264 #ifdef SUPPORT_GNUTLS_SESS_DESC
2267 uschar * s = US gnutls_session_get_desc(session), c;
2269 /* Nikos M suggests we use this by preference. It returns like:
2270 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
2272 For partial back-compat, put a colon after the TLS version, replace the
2273 )-( grouping with __, replace in-group - with _ and append the :keysize. */
2275 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
2277 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
2279 tlsp->ver = string_copyn(g->s, g->ptr);
2280 for (uschar * p = US tlsp->ver; *p; p++)
2281 if (*p == '-') { *p = '\0'; break; } /* TLS1.0-PKIX -> TLS1.0 */
2283 g = string_catn(g, US":", 1);
2284 if (*s) s++; /* now on _ between groups */
2287 for (*++s && ++s; (c = *s) && c != ')'; s++)
2288 g = string_catn(g, c == '-' ? US"_" : s, 1);
2289 /* now on ) closing group */
2290 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
2291 /* now on _ between groups */
2293 g = string_catn(g, US":", 1);
2294 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
2295 state->ciphersuite = string_from_gstring(g);
2298 state->ciphersuite = string_sprintf("%s:%s:%d",
2299 gnutls_protocol_get_name(protocol),
2300 gnutls_cipher_suite_get_name(kx, cipher, mac),
2301 (int) gnutls_cipher_get_key_size(cipher) * 8);
2303 /* I don't see a way that spaces could occur, in the current GnuTLS
2304 code base, but it was a concern in the old code and perhaps older GnuTLS
2305 releases did return "TLS 1.0"; play it safe, just in case. */
2307 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
2308 tlsp->ver = string_copyn(state->ciphersuite,
2309 Ustrchr(state->ciphersuite, ':') - state->ciphersuite);
2312 /* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
2314 tlsp->cipher = state->ciphersuite;
2315 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
2317 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
2319 store_pool = old_pool;
2322 cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
2324 if (!cert_list || cert_list_size == 0)
2326 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
2327 cert_list, cert_list_size);
2328 if (state->verify_requirement >= VERIFY_REQUIRED)
2329 return tls_error(US"certificate verification failed",
2330 US"no certificate received from peer", state->host, errstr);
2334 if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
2336 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
2338 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
2339 if (state->verify_requirement >= VERIFY_REQUIRED)
2340 return tls_error(US"certificate verification not possible, unhandled type",
2341 ctn, state->host, errstr);
2345 #define exim_gnutls_peer_err(Label) \
2347 if (rc != GNUTLS_E_SUCCESS) \
2349 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
2350 (Label), gnutls_strerror(rc)); \
2351 if (state->verify_requirement >= VERIFY_REQUIRED) \
2352 return tls_error_gnu(state, (Label), rc, errstr); \
2357 rc = import_cert(&cert_list[0], &crt);
2358 exim_gnutls_peer_err(US"cert 0");
2360 state->tlsp->peercert = state->peercert = crt;
2363 rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
2364 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
2366 exim_gnutls_peer_err(US"getting size for cert DN failed");
2367 return FAIL; /* should not happen */
2369 dn_buf = store_get_perm(sz, GET_TAINTED);
2370 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
2371 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
2373 state->peerdn = dn_buf;
2376 #undef exim_gnutls_peer_err
2382 /*************************************************
2383 * Verify peer certificate *
2384 *************************************************/
2386 /* Called from both server and client code.
2387 *Should* be using a callback registered with
2388 gnutls_certificate_set_verify_function() to fail the handshake if we dislike
2389 the peer information, but that's too new for some OSes.
2392 state exim_gnutls_state_st *
2393 errstr where to put an error message
2396 FALSE if the session should be rejected
2397 TRUE if the cert is okay or we just don't care
2401 verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
2406 DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
2408 rc = peer_status(state, errstr);
2410 if (state->verify_requirement == VERIFY_NONE)
2413 if (rc != OK || !state->peerdn)
2415 verify = GNUTLS_CERT_INVALID;
2416 *errstr = US"certificate not supplied";
2422 if (state->verify_requirement == VERIFY_DANE && state->host)
2424 /* Using dane_verify_session_crt() would be easy, as it does it all for us
2425 including talking to a DNS resolver. But we want to do that bit ourselves
2426 as the testsuite intercepts and fakes its own DNS environment. */
2431 const gnutls_datum_t * certlist =
2432 gnutls_certificate_get_peers(state->session, &lsize);
2433 int usage = tls_out.tlsa_usage;
2435 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2436 /* Split the TLSA records into two sets, TA and EE selectors. Run the
2437 dane-verification separately so that we know which selector verified;
2438 then we know whether to do name-verification (needed for TA but not EE). */
2440 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
2441 { /* a mixed-usage bundle */
2446 for (nrec = 0; state->dane_data_len[nrec]; ) nrec++;
2449 dd = store_get(nrec * sizeof(uschar *), GET_UNTAINTED);
2450 ddl = store_get(nrec * sizeof(int), GET_UNTAINTED);
2453 if ((rc = dane_state_init(&s, 0)))
2456 for (usage = DANESSL_USAGE_DANE_EE;
2457 usage >= DANESSL_USAGE_DANE_TA; usage--)
2458 { /* take records with this usage */
2459 for (j = i = 0; i < nrec; i++)
2460 if (state->dane_data[i][0] == usage)
2462 dd[j] = state->dane_data[i];
2463 ddl[j++] = state->dane_data_len[i];
2470 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
2473 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
2474 gnutls_certificate_type_get(state->session),
2476 usage == DANESSL_USAGE_DANE_EE
2477 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
2481 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
2483 else if (verify == 0) /* verification passed */
2491 if (rc) goto tlsa_prob;
2496 if ( (rc = dane_state_init(&s, 0))
2497 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
2499 || (rc = dane_verify_crt_raw(s, certlist, lsize,
2500 gnutls_certificate_type_get(state->session),
2502 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2503 usage == (1 << DANESSL_USAGE_DANE_EE)
2504 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
2513 if (verify != 0) /* verification failed */
2516 (void) dane_verification_status_print(verify, &str, 0);
2517 *errstr = US str.data; /* don't bother to free */
2521 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2522 /* If a TA-mode TLSA record was used for verification we must additionally
2523 verify the cert name (but not the CA chain). For EE-mode, skip it. */
2525 if (usage & (1 << DANESSL_USAGE_DANE_EE))
2528 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2531 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2532 /* Assume that the name on the A-record is the one that should be matching
2533 the cert. An alternate view is that the domain part of the email address
2534 is also permissible. */
2536 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2537 CS state->host->name))
2539 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2544 #endif /*SUPPORT_DANE*/
2546 rc = gnutls_certificate_verify_peers2(state->session, &verify);
2549 /* Handle the result of verification. INVALID is set if any others are. */
2551 if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
2553 state->peer_cert_verified = FALSE;
2556 #ifdef GNUTLS_CERT_VFY_STATUS_PRINT
2561 if (gnutls_certificate_verification_status_print(verify,
2562 gnutls_certificate_type_get(state->session), &txt, 0)
2563 == GNUTLS_E_SUCCESS)
2565 debug_printf("%s\n", txt.data);
2566 gnutls_free(txt.data);
2570 *errstr = verify & GNUTLS_CERT_REVOKED
2571 ? US"certificate revoked" : US"certificate invalid";
2575 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
2576 *errstr, state->peerdn ? state->peerdn : US"<unset>");
2578 if (state->verify_requirement >= VERIFY_REQUIRED)
2581 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
2586 /* Client side, check the server's certificate name versus the name on the
2587 A-record for the connection we made. What to do for server side - what name
2588 to use for client? We document that there is no such checking for server
2591 if ( state->exp_tls_verify_cert_hostnames
2592 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2593 CS state->exp_tls_verify_cert_hostnames)
2597 debug_printf("TLS certificate verification failed: cert name mismatch\n");
2598 if (state->verify_requirement >= VERIFY_REQUIRED)
2603 state->peer_cert_verified = TRUE;
2604 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
2605 state->peerdn ? state->peerdn : US"<unset>");
2609 state->tlsp->peerdn = state->peerdn;
2614 *errstr = string_sprintf("TLSA record problem: %s",
2615 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
2619 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
2626 /* ------------------------------------------------------------------------ */
2629 /* Logging function which can be registered with
2630 * gnutls_global_set_log_function()
2631 * gnutls_global_set_log_level() 0..9
2633 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
2635 exim_gnutls_logger_cb(int level, const char *message)
2637 size_t len = strlen(message);
2640 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
2643 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
2644 message[len-1] == '\n' ? "" : "\n");
2649 /* Called after client hello, should handle SNI work.
2650 This will always set tls_sni (state->received_sni) if available,
2651 and may trigger presenting different certificates,
2652 if state->trigger_sni_changes is TRUE.
2654 Should be registered with
2655 gnutls_handshake_set_post_client_hello_function()
2657 "This callback must return 0 on success or a gnutls error code to terminate the
2660 For inability to get SNI information, we return 0.
2661 We only return non-zero if re-setup failed.
2662 Only used for server-side TLS.
2666 exim_sni_handling_cb(gnutls_session_t session)
2668 char sni_name[MAX_HOST_LEN];
2669 size_t data_len = MAX_HOST_LEN;
2670 exim_gnutls_state_st *state = &state_server;
2671 unsigned int sni_type;
2673 uschar * dummy_errstr;
2675 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
2676 if (rc != GNUTLS_E_SUCCESS)
2679 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
2680 debug_printf("TLS: no SNI presented in handshake\n");
2682 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
2683 gnutls_strerror(rc), rc);
2687 if (sni_type != GNUTLS_NAME_DNS)
2689 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
2693 /* We now have a UTF-8 string in sni_name */
2694 old_pool = store_pool;
2695 store_pool = POOL_PERM;
2696 state->received_sni = string_copy_taint(US sni_name, GET_TAINTED);
2697 store_pool = old_pool;
2699 /* We set this one now so that variable expansions below will work */
2700 state->tlsp->sni = state->received_sni;
2702 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
2703 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
2705 if (!state->trigger_sni_changes)
2708 if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
2710 /* If the setup of certs/etc failed before handshake, TLS would not have
2711 been offered. The best we can do now is abort. */
2712 return GNUTLS_E_APPLICATION_ERROR_MIN;
2715 rc = tls_set_remaining_x509(state, &dummy_errstr);
2716 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
2723 #ifndef DISABLE_EVENT
2725 We use this callback to get observability and detail-level control
2726 for an exim TLS connection (either direction), raising a tls:cert event
2727 for each cert in the chain presented by the peer. Any event
2728 can deny verification.
2730 Return 0 for the handshake to continue or non-zero to terminate.
2734 verify_cb(gnutls_session_t session)
2736 const gnutls_datum_t * cert_list;
2737 unsigned int cert_list_size = 0;
2738 gnutls_x509_crt_t crt;
2741 exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2743 if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
2744 while (cert_list_size--)
2746 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
2748 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2749 cert_list_size, gnutls_strerror(rc));
2753 state->tlsp->peercert = crt;
2754 if ((yield = event_raise(state->event_action,
2755 US"tls:cert", string_sprintf("%d", cert_list_size), &errno)))
2757 log_write(0, LOG_MAIN,
2758 "SSL verify denied by event-action: depth=%d: %s",
2759 cert_list_size, yield);
2760 return 1; /* reject */
2762 state->tlsp->peercert = NULL;
2772 ddump(gnutls_datum_t * d)
2774 gstring * g = string_get((d->size+1) * 2);
2775 uschar * s = d->data;
2776 for (unsigned i = d->size; i > 0; i--, s++)
2778 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2779 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2785 post_handshake_debug(exim_gnutls_state_st * state)
2787 #ifdef SUPPORT_GNUTLS_SESS_DESC
2788 debug_printf("%s\n", gnutls_session_get_desc(state->session));
2791 #ifdef SUPPORT_GNUTLS_KEYLOG
2792 # ifdef EXIM_HAVE_TLS1_3
2793 if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
2798 gnutls_datum_t c, s;
2800 /* For TLS1.2 we only want the client random and the master secret */
2801 gnutls_session_get_random(state->session, &c, &s);
2802 gnutls_session_get_master_secret(state->session, &s);
2805 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2808 debug_printf("To get keying info for TLS1.3 is hard:\n"
2809 " Set environment variable SSLKEYLOGFILE to a filename relative to the spool directory,\n"
2810 " and make sure it is writable by the Exim runtime user.\n"
2811 " Add SSLKEYLOGFILE to keep_environment in the exim config.\n"
2812 " Start Exim as root.\n"
2813 " If using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
2814 " (works for TLS1.2 also, and saves cut-paste into file).\n"
2815 " Trying to use add_environment for this will not work\n");
2820 #ifdef EXIM_HAVE_TLS_RESUME
2822 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2823 unsigned incoming, const gnutls_datum_t * msg)
2825 DEBUG(D_tls) debug_printf("newticket cb\n");
2826 tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2831 tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2833 /* Should the server offer session resumption? */
2834 tls_in.resumption = RESUME_SUPPORTED;
2835 if (verify_check_host(&tls_resumption_hosts) == OK)
2838 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2839 an offered resumption is unacceptable. We lose one resumption per ticket
2840 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2841 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2842 least they go out in a single packet. */
2844 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2845 &server_sessticket_key)))
2846 tls_in.resumption |= RESUME_SERVER_TICKET;
2849 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2851 /* Try to tell if we see a ticket request */
2852 gnutls_handshake_set_hook_function(state->session,
2853 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
2858 tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2860 if (gnutls_session_resumption_requested(state->session))
2862 /* This tells us the client sent a full ticket. We use a
2863 callback on session-ticket request, elsewhere, to tell
2864 if a client asked for a ticket. */
2866 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2867 DEBUG(D_tls) debug_printf("client requested resumption\n");
2869 if (gnutls_session_is_resumed(state->session))
2871 tls_in.resumption |= RESUME_USED;
2872 DEBUG(D_tls) debug_printf("Session resumed\n");
2875 #endif /* EXIM_HAVE_TLS_RESUME */
2878 #ifdef EXIM_HAVE_ALPN
2879 /* Expand and convert an Exim list to a gnutls_datum list. False return for fail.
2880 NULL plist return for silent no-ALPN.
2884 tls_alpn_plist(uschar ** tls_alpn, const gnutls_datum_t ** plist, unsigned * plen,
2889 if (!expand_check(*tls_alpn, US"tls_alpn", &exp_alpn, errstr))
2894 DEBUG(D_tls) debug_printf("Setting TLS ALPN forced to fail, not sending\n");
2899 const uschar * list = exp_alpn;
2905 while (string_nextinlist(&list, &sep, NULL, 0)) cnt++;
2907 p = store_get(sizeof(gnutls_datum_t) * cnt, exp_alpn);
2909 for (int i = 0; s = string_nextinlist(&list, &sep, NULL, 0); i++)
2910 { p[i].data = s; p[i].size = Ustrlen(s); }
2911 *plist = (*plen = cnt) ? p : NULL;
2917 tls_server_set_acceptable_alpns(exim_gnutls_state_st * state, uschar ** errstr)
2919 uschar * local_alpn = string_copy(tls_alpn);
2921 const gnutls_datum_t * plist;
2924 if (tls_alpn_plist(&local_alpn, &plist, &plen, errstr) && plist)
2926 /* This seems to be only mandatory if the client sends an ALPN extension;
2927 not trying ALPN is ok. Need to decide how to support server-side must-alpn. */
2929 server_seen_alpn = 0;
2930 if (!(rc = gnutls_alpn_set_protocols(state->session, plist, plen,
2931 GNUTLS_ALPN_MANDATORY)))
2932 gnutls_handshake_set_hook_function(state->session,
2933 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
2936 debug_printf("setting alpn protocols: %s\n", US gnutls_strerror(rc));
2939 #endif /* EXIM_HAVE_ALPN */
2941 /* ------------------------------------------------------------------------ */
2942 /* Exported functions */
2947 /*************************************************
2948 * Start a TLS session in a server *
2949 *************************************************/
2951 /* This is called when Exim is running as a server, after having received
2952 the STARTTLS command. It must respond to that command, and then negotiate
2956 errstr pointer to error string
2958 Returns: OK on success
2959 DEFER for errors before the start of the negotiation
2960 FAIL for errors during the negotiation; the server can't
2965 tls_server_start(uschar ** errstr)
2968 exim_gnutls_state_st * state = NULL;
2970 /* Check for previous activation */
2971 if (tls_in.active.sock >= 0)
2973 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
2974 smtp_printf("554 Already in TLS\r\n", FALSE);
2978 /* Initialize the library. If it fails, it will already have logged the error
2979 and sent an SMTP response. */
2981 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
2984 #ifdef MEASURE_TIMING
2986 gettimeofday(&t0, NULL);
2989 if ((rc = tls_init(NULL, NULL,
2990 tls_require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
2992 #ifdef MEASURE_TIMING
2993 report_time_since(&t0, US"server tls_init (delta)");
2997 #ifdef EXIM_HAVE_ALPN
2998 tls_server_set_acceptable_alpns(state, errstr);
3001 #ifdef EXIM_HAVE_TLS_RESUME
3002 tls_server_resume_prehandshake(state);
3005 /* If this is a host for which certificate verification is mandatory or
3006 optional, set up appropriately. */
3008 if (verify_check_host(&tls_verify_hosts) == OK)
3011 debug_printf("TLS: a client certificate will be required\n");
3012 state->verify_requirement = VERIFY_REQUIRED;
3013 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
3015 else if (verify_check_host(&tls_try_verify_hosts) == OK)
3018 debug_printf("TLS: a client certificate will be requested but not required\n");
3019 state->verify_requirement = VERIFY_OPTIONAL;
3020 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
3025 debug_printf("TLS: a client certificate will not be requested\n");
3026 state->verify_requirement = VERIFY_NONE;
3027 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
3030 #ifndef DISABLE_EVENT
3033 state->event_action = event_action;
3034 gnutls_session_set_ptr(state->session, state);
3035 gnutls_certificate_set_verify_function(state->lib_state.x509_cred, verify_cb);
3039 /* Register SNI handling; always, even if not in tls_certificate, so that the
3040 expansion variable $tls_sni is always available. */
3042 gnutls_handshake_set_post_client_hello_function(state->session,
3043 exim_sni_handling_cb);
3045 /* Set context and tell client to go ahead, except in the case of TLS startup
3046 on connection, where outputting anything now upsets the clients and tends to
3047 make them disconnect. We need to have an explicit fflush() here, to force out
3048 the response. Other smtp_printf() calls do not need it, because in non-TLS
3049 mode, the fflush() happens when smtp_getc() is called. */
3051 if (!state->tlsp->on_connect)
3053 smtp_printf("220 TLS go ahead\r\n", FALSE);
3057 /* Now negotiate the TLS session. We put our own timer on it, since it seems
3058 that the GnuTLS library doesn't.
3059 From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
3060 to set (and clear down afterwards) up a pull-timeout callback function that does
3061 a select, so we're no better off unless avoiding signals becomes an issue. */
3063 gnutls_transport_set_ptr2(state->session,
3064 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
3065 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
3066 state->fd_in = fileno(smtp_in);
3067 state->fd_out = fileno(smtp_out);
3069 sigalrm_seen = FALSE;
3070 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3072 rc = gnutls_handshake(state->session);
3073 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
3076 if (rc != GNUTLS_E_SUCCESS)
3078 DEBUG(D_tls) debug_printf(" error %d from gnutls_handshake: %s\n",
3079 rc, gnutls_strerror(rc));
3081 /* It seems that, except in the case of a timeout, we have to close the
3082 connection right here; otherwise if the other end is running OpenSSL it hangs
3083 until the server times out. */
3087 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
3088 #ifndef DISABLE_EVENT
3089 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3091 gnutls_db_remove_session(state->session);
3095 tls_error_gnu(state, US"gnutls_handshake", rc, errstr);
3096 #ifndef DISABLE_EVENT
3097 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3099 (void) gnutls_alert_send_appropriate(state->session, rc);
3100 gnutls_deinit(state->session);
3102 shutdown(state->fd_out, SHUT_WR);
3103 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
3104 (void)fclose(smtp_out);
3105 (void)fclose(smtp_in);
3106 smtp_out = smtp_in = NULL;
3112 #ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
3113 if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
3114 tls_in.ext_master_secret = TRUE;
3117 #ifdef EXIM_HAVE_TLS_RESUME
3118 tls_server_resume_posthandshake(state);
3121 DEBUG(D_tls) post_handshake_debug(state);
3123 #ifdef EXIM_HAVE_ALPN
3124 if (server_seen_alpn > 0)
3127 { /* The client offered ALPN. See what was negotiated. */
3128 gnutls_datum_t p = {.size = 0};
3129 int rc = gnutls_alpn_get_selected_protocol(state->session, &p);
3131 debug_printf("ALPN negotiated: %.*s\n", (int)p.size, p.data);
3133 debug_printf("getting alpn protocol: %s\n", US gnutls_strerror(rc));
3137 else if (server_seen_alpn == 0)
3138 if (verify_check_host(&hosts_require_alpn) == OK)
3140 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_NO_APPLICATION_PROTOCOL);
3141 tls_error(US"handshake", US"ALPN required but not negotiated", NULL, errstr);
3145 DEBUG(D_tls) debug_printf("TLS: no ALPN presented in handshake\n");
3147 DEBUG(D_tls) debug_printf("TLS: was not watching for ALPN\n");
3150 /* Verify after the fact */
3152 if (!verify_certificate(state, errstr))
3154 if (state->verify_requirement != VERIFY_OPTIONAL)
3156 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
3160 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
3164 /* Sets various Exim expansion variables; always safe within server */
3166 extract_exim_vars_from_tls_state(state);
3168 /* TLS has been set up. Adjust the input functions to read via TLS,
3169 and initialize appropriately. */
3171 state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
3173 receive_getc = tls_getc;
3174 receive_getbuf = tls_getbuf;
3175 receive_get_cache = tls_get_cache;
3176 receive_hasc = tls_hasc;
3177 receive_ungetc = tls_ungetc;
3178 receive_feof = tls_feof;
3179 receive_ferror = tls_ferror;
3188 tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
3189 smtp_transport_options_block * ob)
3191 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
3193 state->exp_tls_verify_cert_hostnames =
3195 string_domain_utf8_to_alabel(host->certname, NULL);
3200 debug_printf("TLS: server cert verification includes hostname: \"%s\"\n",
3201 state->exp_tls_verify_cert_hostnames);
3209 /* Given our list of RRs from the TLSA lookup, build a lookup block in
3210 GnuTLS-DANE's preferred format. Hang it on the state str for later
3211 use in DANE verification.
3213 We point at the dnsa data not copy it, so it must remain valid until
3214 after verification is done.*/
3217 dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
3221 const char ** dane_data;
3222 int * dane_data_len;
3225 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
3226 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
3227 ) if (rr->type == T_TLSA) i++;
3229 dane_data = store_get(i * sizeof(uschar *), GET_UNTAINTED);
3230 dane_data_len = store_get(i * sizeof(int), GET_UNTAINTED);
3233 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
3234 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
3235 ) if (rr->type == T_TLSA && rr->size > 3)
3237 const uschar * p = rr->data;
3238 /*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
3239 uint8_t usage = p[0], sel = p[1], type = p[2];
3242 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
3244 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
3245 || (sel != 0 && sel != 1)
3250 case 0: /* Full: cannot check at present */
3252 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
3254 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
3259 tls_out.tlsa_usage |= 1<<usage;
3260 dane_data[i] = CS p;
3261 dane_data_len[i++] = rr->size;
3264 if (!i) return FALSE;
3266 dane_data[i] = NULL;
3267 dane_data_len[i] = 0;
3269 state->dane_data = (char * const *)dane_data;
3270 state->dane_data_len = dane_data_len;
3277 #ifdef EXIM_HAVE_TLS_RESUME
3278 /* On the client, get any stashed session for the given IP from hints db
3279 and apply it to the ssl-connection for attempted resumption. Although
3280 there is a gnutls_session_ticket_enable_client() interface it is
3281 documented as unnecessary (as of 3.6.7) as "session tickets are emabled
3282 by deafult". There seems to be no way to disable them, so even hosts not
3283 enabled by the transport option will be sent a ticket request. We will
3284 however avoid storing and retrieving session information. */
3287 tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
3288 smtp_connect_args * conn_args, smtp_transport_options_block * ob)
3290 tlsp->resumption = RESUME_SUPPORTED;
3292 if (!conn_args->have_lbserver)
3293 { DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
3294 else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, conn_args->host) == OK)
3296 dbdata_tls_session * dt;
3298 open_db dbblock, * dbm_file;
3300 tlsp->host_resumable = TRUE;
3301 tls_client_resmption_key(tlsp, conn_args, ob);
3303 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
3304 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
3306 /* We'd like to filter the retrieved session for ticket advisory expiry,
3307 but 3.6.1 seems to give no access to that */
3309 if ((dt = dbfn_read_with_length(dbm_file, tlsp->resume_index, &len)))
3310 if (!(rc = gnutls_session_set_data(session,
3311 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
3313 DEBUG(D_tls) debug_printf("good session\n");
3314 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
3316 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
3317 US gnutls_strerror(rc));
3318 dbfn_close(dbm_file);
3325 tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
3327 /* TLS 1.2 - we get both the callback and the direct posthandshake call,
3328 but this flag is not set until the second. TLS 1.3 it's the other way about.
3329 Keep both calls as the session data cannot be extracted before handshake
3332 if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
3337 DEBUG(D_tls) debug_printf("server offered session ticket\n");
3338 tlsp->ticket_received = TRUE;
3339 tlsp->resumption |= RESUME_SERVER_TICKET;
3341 if (tlsp->host_resumable)
3342 if (!(rc = gnutls_session_get_data2(session, &tkt)))
3344 open_db dbblock, * dbm_file;
3345 int dlen = sizeof(dbdata_tls_session) + tkt.size;
3346 dbdata_tls_session * dt = store_get(dlen, GET_TAINTED);
3348 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
3349 memcpy(dt->session, tkt.data, tkt.size);
3350 gnutls_free(tkt.data);
3352 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3354 /* key for the db is the IP */
3355 dbfn_write(dbm_file, tlsp->resume_index, dt, dlen);
3356 dbfn_close(dbm_file);
3359 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
3363 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
3368 /* With a TLS1.3 session, the ticket(s) are not seen until
3369 the first data read is attempted. And there's often two of them.
3370 Pick them up with this callback. We are also called for 1.2
3374 tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
3375 unsigned incoming, const gnutls_datum_t * msg)
3377 exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
3378 tls_support * tlsp = state->tlsp;
3380 DEBUG(D_tls) debug_printf("newticket cb\n");
3382 if (!tlsp->ticket_received)
3383 tls_save_session(tlsp, sess, state->host);
3389 tls_client_resume_prehandshake(exim_gnutls_state_st * state,
3390 tls_support * tlsp, smtp_connect_args * conn_args,
3391 smtp_transport_options_block * ob)
3393 gnutls_session_set_ptr(state->session, state);
3394 gnutls_handshake_set_hook_function(state->session,
3395 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
3397 tls_retrieve_session(tlsp, state->session, conn_args, ob);
3401 tls_client_resume_posthandshake(exim_gnutls_state_st * state,
3402 tls_support * tlsp, host_item * host)
3404 if (gnutls_session_is_resumed(state->session))
3406 DEBUG(D_tls) debug_printf("Session resumed\n");
3407 tlsp->resumption |= RESUME_USED;
3410 tls_save_session(tlsp, state->session, host);
3412 #endif /* !DISABLE_TLS_RESUME */
3415 /*************************************************
3416 * Start a TLS session in a client *
3417 *************************************************/
3419 /* Called from the smtp transport after STARTTLS has been accepted.
3422 cctx connection context
3423 conn_args connection details
3424 cookie datum for randomness (not used)
3425 tlsp record details of channel configuration here; must be non-NULL
3426 errstr error string pointer
3428 Returns: TRUE for success with TLS session context set in smtp context,
3433 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
3434 void * cookie ARG_UNUSED,
3435 tls_support * tlsp, uschar ** errstr)
3437 host_item * host = conn_args->host; /* for msgs and option-tests */
3438 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
3439 smtp_transport_options_block * ob = tb
3440 ? (smtp_transport_options_block *)tb->options_block
3441 : &smtp_transport_option_defaults;
3443 exim_gnutls_state_st * state = NULL;
3444 uschar * cipher_list = NULL;
3446 #ifndef DISABLE_OCSP
3448 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
3449 BOOL request_ocsp = require_ocsp ? TRUE
3450 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
3453 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
3456 /* If dane is flagged, have either request or require dane for this host, and
3457 a TLSA record found. Therefore, dane verify required. Which implies cert must
3458 be requested and supplied, dane verify must pass, and cert verify irrelevant
3459 (incl. hostnames), and (caller handled) require_tls and sni=$domain */
3461 if (conn_args->dane && ob->dane_require_tls_ciphers)
3463 /* not using Expand_check_tlsvar because not yet in state */
3464 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
3465 &cipher_list, errstr))
3467 cipher_list = cipher_list && *cipher_list
3468 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
3473 cipher_list = ob->tls_require_ciphers;
3476 #ifdef MEASURE_TIMING
3478 gettimeofday(&t0, NULL);
3481 if (tls_init(host, ob, cipher_list, &state, tlsp, errstr) != OK)
3484 #ifdef MEASURE_TIMING
3485 report_time_since(&t0, US"client tls_init (delta)");
3490 #ifdef EXIM_HAVE_ALPN
3492 const gnutls_datum_t * plist;
3495 if (!tls_alpn_plist(&ob->tls_alpn, &plist, &plen, errstr))
3498 if (gnutls_alpn_set_protocols(state->session, plist, plen, 0) != 0)
3500 tls_error(US"alpn init", NULL, state->host, errstr);
3504 DEBUG(D_tls) debug_printf("Setting TLS ALPN '%s'\n", ob->tls_alpn);
3507 log_write(0, LOG_MAIN, "ALPN unusable with this GnuTLS library version; ignoring \"%s\"\n",
3512 int dh_min_bits = ob->tls_dh_min_bits;
3513 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
3516 debug_printf("WARNING: tls_dh_min_bits far too low,"
3517 " clamping %d up to %d\n",
3518 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
3519 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
3522 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
3523 " acceptable bits to %d\n",
3525 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
3528 /* Stick to the old behaviour for compatibility if tls_verify_certificates is
3529 set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
3530 the specified host patterns if one of them is defined */
3533 if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
3536 debug_printf("TLS: server certificate DANE required\n");
3537 state->verify_requirement = VERIFY_DANE;
3538 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
3542 if ( ( state->exp_tls_verify_certificates
3543 && !ob->tls_verify_hosts
3544 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
3546 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
3549 tls_client_setup_hostname_checks(host, state, ob);
3551 debug_printf("TLS: server certificate verification required\n");
3552 state->verify_requirement = VERIFY_REQUIRED;
3553 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
3555 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
3557 tls_client_setup_hostname_checks(host, state, ob);
3559 debug_printf("TLS: server certificate verification optional\n");
3560 state->verify_requirement = VERIFY_OPTIONAL;
3561 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
3566 debug_printf("TLS: server certificate verification not required\n");
3567 state->verify_requirement = VERIFY_NONE;
3568 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
3571 #ifndef DISABLE_OCSP
3572 /* supported since GnuTLS 3.1.3 */
3575 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
3576 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
3577 NULL, 0, NULL)) != OK)
3579 tls_error_gnu(state, US"cert-status-req", rc, errstr);
3582 tlsp->ocsp = OCSP_NOT_RESP;
3586 #ifdef EXIM_HAVE_TLS_RESUME
3587 tls_client_resume_prehandshake(state, tlsp, conn_args, ob);
3590 #ifndef DISABLE_EVENT
3591 if (tb && tb->event_action)
3593 state->event_action = tb->event_action;
3594 gnutls_session_set_ptr(state->session, state);
3595 gnutls_certificate_set_verify_function(state->lib_state.x509_cred, verify_cb);
3599 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
3600 state->fd_in = cctx->sock;
3601 state->fd_out = cctx->sock;
3603 DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
3604 /* There doesn't seem to be a built-in timeout on connection. */
3606 sigalrm_seen = FALSE;
3607 ALARM(ob->command_timeout);
3609 rc = gnutls_handshake(state->session);
3610 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
3613 if (rc != GNUTLS_E_SUCCESS)
3617 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
3618 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
3621 tls_error_gnu(state, US"gnutls_handshake", rc, errstr);
3625 DEBUG(D_tls) post_handshake_debug(state);
3629 if (!verify_certificate(state, errstr))
3631 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
3635 #ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
3636 if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
3637 tlsp->ext_master_secret = TRUE;
3640 #ifndef DISABLE_OCSP
3645 gnutls_datum_t stapling;
3646 gnutls_ocsp_resp_t resp;
3647 gnutls_datum_t printed;
3651 # ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
3652 (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
3654 (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
3657 if ( (rc= gnutls_ocsp_resp_init(&resp)) == 0
3658 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
3659 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
3662 debug_printf("%.4096s", printed.data);
3663 gnutls_free(printed.data);
3666 (void) tls_error_gnu(state, US"ocsp decode", rc, errstr);
3668 (void) tls_error_gnu(state, US"ocsp decode", rc, errstr);
3671 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
3673 tlsp->ocsp = OCSP_FAILED;
3674 tls_error(US"certificate status check failed", NULL, state->host, errstr);
3680 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
3681 tlsp->ocsp = OCSP_VFIED;
3686 #ifdef EXIM_HAVE_TLS_RESUME
3687 tls_client_resume_posthandshake(state, tlsp, host);
3690 #ifdef EXIM_HAVE_ALPN
3691 if (ob->tls_alpn) /* We requested. See what was negotiated. */
3693 gnutls_datum_t p = {.size = 0};
3695 if (gnutls_alpn_get_selected_protocol(state->session, &p) == 0)
3696 { DEBUG(D_tls) debug_printf("ALPN negotiated: '%.*s'\n", (int)p.size, p.data); }
3697 else if (verify_check_given_host(CUSS &ob->hosts_require_alpn, host) == OK)
3699 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_NO_APPLICATION_PROTOCOL);
3700 tls_error(US"handshake", US"ALPN required but not negotiated", state->host, errstr);
3704 DEBUG(D_tls) debug_printf("No ALPN negotiated");
3708 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
3710 extract_exim_vars_from_tls_state(state);
3712 cctx->tls_ctx = state;
3721 ct_ctx client TLS context pointer, or NULL for the one global server context
3725 tls_shutdown_wr(void * ct_ctx)
3727 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3728 tls_support * tlsp = state->tlsp;
3730 if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
3732 tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
3734 HDEBUG(D_transport|D_tls|D_acl|D_v) debug_printf_indent(" SMTP(TLS shutdown)>>\n");
3735 gnutls_bye(state->session, GNUTLS_SHUT_WR);
3738 /*************************************************
3739 * Close down a TLS session *
3740 *************************************************/
3742 /* This is also called from within a delivery subprocess forked from the
3743 daemon, to shut down the TLS library, without actually doing a shutdown (which
3744 would tamper with the TLS session in the parent process).
3747 ct_ctx client context pointer, or NULL for the one global server context
3748 do_shutdown 0 no data-flush or TLS close-alert
3749 1 if TLS close-alert is to be sent,
3750 2 if also response to be waited for (2s timeout)
3756 tls_close(void * ct_ctx, int do_shutdown)
3758 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3759 tls_support * tlsp = state->tlsp;
3761 if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
3765 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3766 do_shutdown > TLS_SHUTDOWN_NOWAIT ? " (with response-wait)" : "");
3768 tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
3770 #ifdef EXIM_TCP_CORK
3771 if (do_shutdown == TLS_SHUTDOWN_WAIT)
3772 (void) setsockopt(tlsp->active.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &off, sizeof(off));
3775 /* The library seems to have no way to only wait for a peer's
3776 shutdown, so handle the same as TLS_SHUTDOWN_WAIT */
3779 gnutls_bye(state->session,
3780 do_shutdown > TLS_SHUTDOWN_NOWAIT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
3784 if (!ct_ctx) /* server */
3786 receive_getc = smtp_getc;
3787 receive_getbuf = smtp_getbuf;
3788 receive_get_cache = smtp_get_cache;
3789 receive_hasc = smtp_hasc;
3790 receive_ungetc = smtp_ungetc;
3791 receive_feof = smtp_feof;
3792 receive_ferror = smtp_ferror;
3795 gnutls_deinit(state->session);
3796 tlsp->active.sock = -1;
3797 tlsp->active.tls_ctx = NULL;
3798 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
3799 tlsp->channelbinding = NULL;
3802 if (state->xfer_buffer) store_free(state->xfer_buffer);
3809 tls_refill(unsigned lim)
3811 exim_gnutls_state_st * state = &state_server;
3814 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, buffersize=%u)\n",
3815 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
3817 sigalrm_seen = FALSE;
3818 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3822 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
3823 MIN(ssl_xfer_buffer_size, lim));
3824 while (inbytes == GNUTLS_E_AGAIN);
3826 if (smtp_receive_timeout > 0) ALARM_CLR(0);
3828 if (had_command_timeout) /* set by signal handler */
3829 smtp_command_timeout_exit(); /* does not return */
3830 if (had_command_sigterm)
3831 smtp_command_sigterm_exit();
3832 if (had_data_timeout)
3833 smtp_data_timeout_exit();
3834 if (had_data_sigint)
3835 smtp_data_sigint_exit();
3837 /* Timeouts do not get this far. A zero-byte return appears to mean that the
3838 TLS session has been closed down, not that the socket itself has been closed
3839 down. Revert to non-TLS handling. */
3843 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
3844 state->xfer_error = TRUE;
3848 else if (inbytes == 0)
3850 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3851 tls_close(NULL, TLS_NO_SHUTDOWN);
3855 /* Handle genuine errors */
3857 else if (inbytes < 0)
3859 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
3860 record_io_error(state, (int) inbytes, US"recv", NULL);
3861 state->xfer_error = TRUE;
3864 #ifndef DISABLE_DKIM
3865 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
3867 state->xfer_buffer_hwm = (int) inbytes;
3868 state->xfer_buffer_lwm = 0;
3872 /*************************************************
3873 * TLS version of getc *
3874 *************************************************/
3876 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
3877 it refills the buffer via the GnuTLS reading function.
3878 Only used by the server-side TLS.
3880 This feeds DKIM and should be used for all message-body reads.
3882 Arguments: lim Maximum amount to read/buffer
3883 Returns: the next character or EOF
3887 tls_getc(unsigned lim)
3889 exim_gnutls_state_st * state = &state_server;
3891 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3892 if (!tls_refill(lim))
3893 return state->xfer_error ? EOF : smtp_getc(lim);
3895 /* Something in the buffer; return next uschar */
3897 return state->xfer_buffer[state->xfer_buffer_lwm++];
3903 exim_gnutls_state_st * state = &state_server;
3904 return state->xfer_buffer_lwm < state->xfer_buffer_hwm;
3908 tls_getbuf(unsigned * len)
3910 exim_gnutls_state_st * state = &state_server;
3914 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3915 if (!tls_refill(*len))
3917 if (!state->xfer_error) return smtp_getbuf(len);
3922 if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
3924 buf = &state->xfer_buffer[state->xfer_buffer_lwm];
3925 state->xfer_buffer_lwm += size;
3931 /* Get up to the given number of bytes from any cached data, and feed to dkim. */
3933 tls_get_cache(unsigned lim)
3935 #ifndef DISABLE_DKIM
3936 exim_gnutls_state_st * state = &state_server;
3937 int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3941 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
3947 tls_could_getc(void)
3949 return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3950 || gnutls_record_check_pending(state_server.session) > 0;
3954 /*************************************************
3955 * Read bytes from TLS channel *
3956 *************************************************/
3958 /* This does not feed DKIM, so if the caller uses this for reading message body,
3959 then the caller must feed DKIM.
3962 ct_ctx client context pointer, or NULL for the one global server context
3966 Returns: the number of bytes read
3967 -1 after a failed read, including EOF
3971 tls_read(void * ct_ctx, uschar *buff, size_t len)
3973 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3979 if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3981 debug_printf("*** PROBABLY A BUG *** " \
3982 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3983 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3986 debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, len=" SIZE_T_FMT ")\n",
3987 state->session, buff, len);
3991 inbytes = gnutls_record_recv(state->session, buff, len);
3992 while (inbytes == GNUTLS_E_AGAIN);
3994 if (inbytes > 0) return inbytes;
3997 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
4001 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
4002 record_io_error(state, (int)inbytes, US"recv", NULL);
4011 /*************************************************
4012 * Write bytes down TLS channel *
4013 *************************************************/
4017 ct_ctx client context pointer, or NULL for the one global server context
4020 more more data expected soon
4022 Calling with len zero and more unset will flush buffered writes. The buff
4023 argument can be null for that case.
4025 Returns: the number of bytes after a successful write,
4026 -1 after a failed write
4030 tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
4034 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
4037 if (more && !state->corked)
4039 DEBUG(D_tls) debug_printf("gnutls_record_cork(session=%p)\n", state->session);
4040 gnutls_record_cork(state->session);
4041 state->corked = TRUE;
4045 DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
4046 buff, left, more ? ", more" : "");
4050 DEBUG(D_tls) debug_printf("gnutls_record_send(session=%p, buffer=%p, left=" SIZE_T_FMT ")\n",
4051 state->session, buff, left);
4055 outbytes = gnutls_record_send(state->session, buff, left);
4056 while (outbytes == GNUTLS_E_AGAIN);
4058 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
4062 #ifdef GNUTLS_E_PREMATURE_TERMINATION
4063 if ( outbytes == GNUTLS_E_PREMATURE_TERMINATION && errno == ECONNRESET
4064 && !ct_ctx && f.smtp_in_quit
4066 { /* Outlook, dammit */
4067 if (LOGGING(protocol_detail))
4068 log_write(0, LOG_MAIN, "[%s] after QUIT, client reset TCP before"
4069 " SMTP response and TLS close\n", sender_host_address);
4071 DEBUG(D_tls) debug_printf("[%s] SSL_write: after QUIT,"
4072 " client reset TCP before TLS close\n", sender_host_address);
4077 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
4078 record_io_error(state, outbytes, US"send", NULL);
4084 record_io_error(state, 0, US"send", US"TLS channel closed on write");
4095 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
4101 if (!more && state->corked)
4103 DEBUG(D_tls) debug_printf("gnutls_record_uncork(session=%p)\n", state->session);
4105 /* We can't use GNUTLS_RECORD_WAIT here, as it retries on
4106 GNUTLS_E_AGAIN || GNUTLS_E_INTR, which would break our timeout set by alarm().
4107 The GNUTLS_E_AGAIN should not happen ever, as our sockets are blocking anyway.
4108 But who knows. (That all relies on the fact that GNUTLS_E_INTR and GNUTLS_E_AGAIN
4109 match the EINTR and EAGAIN errno values.) */
4110 outbytes = gnutls_record_uncork(state->session, 0);
4111 while (outbytes == GNUTLS_E_AGAIN);
4115 record_io_error(state, len, US"uncork", NULL);
4119 state->corked = FALSE;
4129 /*************************************************
4130 * Random number generation *
4131 *************************************************/
4133 /* Pseudo-random number generation. The result is not expected to be
4134 cryptographically strong but not so weak that someone will shoot themselves
4135 in the foot using it as a nonce in input in some email header scheme or
4136 whatever weirdness they'll twist this into. The result should handle fork()
4137 and avoid repeating sequences. OpenSSL handles that for us.
4141 Returns a random number in range [0, max-1]
4144 #ifdef HAVE_GNUTLS_RND
4146 vaguely_random_number(int max)
4150 uschar smallbuf[sizeof(r)];
4155 needed_len = sizeof(r);
4156 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
4157 asked for a number less than 10. */
4159 for (r = max, i = 0; r; ++i)
4165 i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
4168 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback\n");
4169 return vaguely_random_number_fallback(max);
4172 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
4175 /* We don't particularly care about weighted results; if someone wants
4176 * smooth distribution and cares enough then they should submit a patch then. */
4179 #else /* HAVE_GNUTLS_RND */
4181 vaguely_random_number(int max)
4183 return vaguely_random_number_fallback(max);
4185 #endif /* HAVE_GNUTLS_RND */
4190 /*************************************************
4191 * Let tls_require_ciphers be checked at startup *
4192 *************************************************/
4194 /* The tls_require_ciphers option, if set, must be something which the
4197 Returns: NULL on success, or error message
4201 tls_validate_require_cipher(void)
4204 uschar *expciphers = NULL;
4205 gnutls_priority_t priority_cache;
4207 uschar * dummy_errstr;
4209 #ifdef GNUTLS_AUTO_GLOBAL_INIT
4210 # define validate_check_rc(Label) do { \
4211 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) \
4212 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
4213 # define return_deinit(Label) do { return (Label); } while (0)
4215 # define validate_check_rc(Label) do { \
4216 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
4217 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
4218 # define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
4221 if (exim_gnutls_base_init_done)
4222 log_write(0, LOG_MAIN|LOG_PANIC,
4223 "already initialised GnuTLS, Exim developer bug");
4225 #if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
4226 if (!gnutls_allow_auto_pkcs11)
4228 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
4229 validate_check_rc(US"gnutls_pkcs11_init");
4232 #ifndef GNUTLS_AUTO_GLOBAL_INIT
4233 rc = gnutls_global_init();
4234 validate_check_rc(US"gnutls_global_init()");
4236 exim_gnutls_base_init_done = TRUE;
4238 if (!(tls_require_ciphers && *tls_require_ciphers))
4239 return_deinit(NULL);
4241 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
4243 return_deinit(US"failed to expand tls_require_ciphers");
4245 if (!(expciphers && *expciphers))
4246 return_deinit(NULL);
4249 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
4251 rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
4252 validate_check_rc(string_sprintf(
4253 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
4254 expciphers, (long)(errpos - CS expciphers), errpos));
4256 #undef return_deinit
4257 #undef validate_check_rc
4258 #ifndef GNUTLS_AUTO_GLOBAL_INIT
4259 gnutls_global_deinit();
4268 /*************************************************
4269 * Report the library versions. *
4270 *************************************************/
4272 /* See a description in tls-openssl.c for an explanation of why this exists.
4274 Arguments: string to append to
4279 tls_version_report(gstring * g)
4281 return string_fmt_append(g,
4282 "Library version: GnuTLS: Compile: %s\n"
4285 gnutls_check_version(NULL));
4288 #endif /*!MACRO_PREDEF*/
4291 /* End of tls-gnu.c */