1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* Copyright (c) Phil Pennock 2012 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
11 one of the available supported implementations. This file is #included into
12 tls.c when USE_GNUTLS has been set.
14 The code herein is a revamp of GnuTLS integration using the current APIs; the
15 original tls-gnu.c was based on a patch which was contributed by Nikos
16 Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
19 APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20 which is not widely deployed by OS vendors. Will note issues below, which may
21 assist in updating the code in the future. Another sources of hints is
22 mod_gnutls for Apache (SNI callback registration and handling).
24 Keeping client and server variables more split than before and is currently
25 the norm, in anticipation of TLS in ACL callouts.
27 I wanted to switch to gnutls_certificate_set_verify_function() so that
28 certificate rejection could happen during handshake where it belongs, rather
29 than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30 (6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
32 (I wasn't looking for libraries quite that old, when updating to get rid of
33 compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34 require current GnuTLS, then we'll drop support for the ancient libraries).
37 #include <gnutls/gnutls.h>
38 /* needed for cert checks in verification and DN extraction: */
39 #include <gnutls/x509.h>
40 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41 #include <gnutls/crypto.h>
43 /* needed to disable PKCS11 autoload unless requested */
44 #if GNUTLS_VERSION_NUMBER >= 0x020c00
45 # include <gnutls/pkcs11.h>
46 # define SUPPORT_PARAM_TO_PK_BITS
48 #if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
49 # warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
52 #if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
53 # warning "GnuTLS library version too old; tls:cert event unsupported"
54 # define DISABLE_EVENT
56 #if GNUTLS_VERSION_NUMBER >= 0x030000
57 # define SUPPORT_SELFSIGN /* Uncertain what version is first usable but 2.12.23 is not */
59 #if GNUTLS_VERSION_NUMBER >= 0x030306
60 # define SUPPORT_CA_DIR
62 # undef SUPPORT_CA_DIR
64 #if GNUTLS_VERSION_NUMBER >= 0x030014
65 # define SUPPORT_SYSDEFAULT_CABUNDLE
67 #if GNUTLS_VERSION_NUMBER >= 0x030104
68 # define GNUTLS_CERT_VFY_STATUS_PRINT
70 #if GNUTLS_VERSION_NUMBER >= 0x030109
73 #if GNUTLS_VERSION_NUMBER >= 0x03010a
74 # define SUPPORT_GNUTLS_SESS_DESC
76 #if GNUTLS_VERSION_NUMBER >= 0x030300
77 # define GNUTLS_AUTO_GLOBAL_INIT
78 # define GNUTLS_AUTO_PKCS11_MANUAL
80 #if (GNUTLS_VERSION_NUMBER >= 0x030404) \
81 || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
83 # define EXIM_HAVE_OCSP
86 #if GNUTLS_VERSION_NUMBER >= 0x030500
87 # define SUPPORT_GNUTLS_KEYLOG
89 #if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
90 # define SUPPORT_SRV_OCSP_STACK
92 #if GNUTLS_VERSION_NUMBER >= 0x030603
93 # define EXIM_HAVE_TLS1_3
94 # define SUPPORT_GNUTLS_EXT_RAW_PARSE
95 # define GNUTLS_OCSP_STATUS_REQUEST_GET2
99 # if GNUTLS_VERSION_NUMBER >= 0x030000
100 # define DANESSL_USAGE_DANE_TA 2
101 # define DANESSL_USAGE_DANE_EE 3
103 # error GnuTLS version too early for DANE
105 # if GNUTLS_VERSION_NUMBER < 0x999999
106 # define GNUTLS_BROKEN_DANE_VALIDATION
110 #ifndef DISABLE_TLS_RESUME
111 # if GNUTLS_VERSION_NUMBER >= 0x030603
112 # define EXIM_HAVE_TLS_RESUME
114 # warning "GnuTLS library version too old; resumption unsupported"
118 #if GNUTLS_VERSION_NUMBER >= 0x030200
119 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
120 # define EXIM_HAVE_ALPN
124 #if GNUTLS_VERSION_NUMBER >= 0x030702
125 # define HAVE_GNUTLS_EXPORTER
129 # include <gnutls/ocsp.h>
132 # include <gnutls/dane.h>
135 #include "tls-cipher-stdname.c"
142 # ifndef DISABLE_TLS_RESUME
143 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
145 # ifdef EXIM_HAVE_TLS1_3
146 builtin_macro_create(US"_HAVE_TLS1_3");
148 # ifdef EXIM_HAVE_OCSP
149 builtin_macro_create(US"_HAVE_TLS_OCSP");
151 # ifdef SUPPORT_SRV_OCSP_STACK
152 builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
154 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
155 builtin_macro_create(US"_HAVE_TLS_CA_CACHE");
157 # ifdef EXIM_HAVE_ALPN
158 builtin_macro_create(US"_HAVE_TLS_ALPN");
167 gnutls_global_set_audit_log_function()
170 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
173 /* Local static variables for GnuTLS */
175 /* Values for verify_requirement */
177 enum peer_verify_requirement
178 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
180 /* This holds most state for server or client; with this, we can set up an
181 outbound TLS-enabled connection in an ACL callout, while not stomping all
182 over the TLS variables available for expansion.
184 Some of these correspond to variables in globals.c; those variables will
185 be set to point to content in one of these instances, as appropriate for
186 the stage of the process lifetime.
188 Not handled here: global tlsp->tls_channelbinding.
191 typedef struct exim_gnutls_state {
192 gnutls_session_t session;
194 exim_tlslib_state lib_state;
195 #define x509_cred libdata0
196 #define pri_cache libdata1
198 enum peer_verify_requirement verify_requirement;
202 BOOL peer_cert_verified:1;
203 BOOL peer_dane_verified:1;
204 BOOL trigger_sni_changes:1;
205 BOOL have_set_peerdn:1;
206 BOOL xfer_eof:1; /*XXX never gets set! */
212 const struct host_item *host; /* NULL if server */
213 gnutls_x509_crt_t peercert;
216 uschar *received_sni;
218 const uschar *tls_certificate;
219 const uschar *tls_privatekey;
220 const uschar *tls_sni; /* client send only, not received */
221 const uschar *tls_verify_certificates;
222 const uschar *tls_crl;
223 const uschar *tls_require_ciphers;
225 uschar *exp_tls_certificate;
226 uschar *exp_tls_privatekey;
227 uschar *exp_tls_verify_certificates;
229 uschar *exp_tls_require_ciphers;
230 const uschar *exp_tls_verify_cert_hostnames;
231 #ifndef DISABLE_EVENT
232 uschar *event_action;
235 char * const * dane_data;
236 const int * dane_data_len;
239 tls_support *tlsp; /* set in tls_init() */
244 } exim_gnutls_state_st;
246 static const exim_gnutls_state_st exim_gnutls_state_init = {
247 /* all elements not explicitly intialised here get 0/NULL/FALSE */
252 /* Not only do we have our own APIs which don't pass around state, assuming
253 it's held in globals, GnuTLS doesn't appear to let us register callback data
254 for callbacks, or as part of the session, so we have to keep a "this is the
255 context we're currently dealing with" pointer and rely upon being
256 single-threaded to keep from processing data on an inbound TLS connection while
257 talking to another TLS connection for an outbound check. This does mean that
258 there's no way for heart-beats to be responded to, for the duration of the
260 XXX But see gnutls_session_get_ptr()
263 static exim_gnutls_state_st state_server = {
264 /* all elements not explicitly intialised here get 0/NULL/FALSE */
269 /* dh_params are initialised once within the lifetime of a process using TLS;
270 if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
271 don't want to repeat this. */
273 static gnutls_dh_params_t dh_server_params = NULL;
275 static int ssl_session_timeout = 7200; /* Two hours */
277 static const uschar * const exim_default_gnutls_priority = US"NORMAL";
279 /* Guard library core initialisation */
281 static BOOL exim_gnutls_base_init_done = FALSE;
284 static BOOL gnutls_buggy_ocsp = FALSE;
285 static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
288 #ifdef EXIM_HAVE_ALPN
289 static int server_seen_alpn = -1; /* count of names */
291 #ifdef EXIM_HAVE_TLS_RESUME
292 static gnutls_datum_t server_sessticket_key;
296 /* ------------------------------------------------------------------------ */
299 #define MAX_HOST_LEN 255
301 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
302 the library logging; a value less than 0 disables the calls to set up logging
303 callbacks. GNuTLS also looks for an environment variable - except not for
304 setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
305 Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
306 but the env var must be added to /etc/sudoers too. */
307 #ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
308 # define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
311 #ifndef EXIM_CLIENT_DH_MIN_BITS
312 # define EXIM_CLIENT_DH_MIN_BITS 1024
315 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
316 can ask for a bit-strength. Without that, we stick to the constant we had
318 #ifndef EXIM_SERVER_DH_BITS_PRE2_12
319 # define EXIM_SERVER_DH_BITS_PRE2_12 1024
322 #define Expand_check_tlsvar(Varname, errstr) \
323 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
325 #if GNUTLS_VERSION_NUMBER >= 0x020c00
326 # define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
327 # define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
328 # define HAVE_GNUTLS_RND
329 /* The security fix we provide with the gnutls_allow_auto_pkcs11 option
330 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
331 * isn't available sometimes, so this needs to become a conditional
332 * compilation; the sanest way to deal with this being a problem on
333 * older OSes is to block it in the Local/Makefile with this compiler
335 # ifndef AVOID_GNUTLS_PKCS11
336 # define HAVE_GNUTLS_PKCS11
337 # endif /* AVOID_GNUTLS_PKCS11 */
340 #if GNUTLS_VERSION_NUMBER >= 0x030404
341 # define HAVE_GNUTLS_PRF_RFC5705
346 /* ------------------------------------------------------------------------ */
347 /* Callback declarations */
349 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
350 static void exim_gnutls_logger_cb(int level, const char *message);
353 static int exim_sni_handling_cb(gnutls_session_t session);
355 #ifdef EXIM_HAVE_TLS_RESUME
357 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
358 unsigned incoming, const gnutls_datum_t * msg);
362 /*************************************************
364 *************************************************/
366 /* Called from lots of places when errors occur before actually starting to do
367 the TLS handshake, that is, while the session is still in clear. Always returns
368 DEFER for a server and FAIL for a client so that most calls can use "return
369 tls_error(...)" to do this processing and then give an appropriate return. A
370 single function is used for both server and client, because it is called from
371 some shared functions.
374 prefix text to include in the logged error
375 msg additional error string (may be NULL)
376 usually obtained from gnutls_strerror()
377 host NULL if setting up a server;
378 the connected host if setting up a client
379 errstr pointer to returned error string
381 Returns: OK/DEFER/FAIL
385 tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
389 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
390 return host ? FAIL : DEFER;
395 tls_error_gnu(exim_gnutls_state_st * state, const uschar *prefix, int err,
398 return tls_error(prefix,
399 state && err == GNUTLS_E_FATAL_ALERT_RECEIVED
400 ? US gnutls_alert_get_name(gnutls_alert_get(state->session))
401 : US gnutls_strerror(err),
402 state ? state->host : NULL,
407 tls_error_sys(const uschar *prefix, int err, const host_item *host,
410 return tls_error(prefix, US strerror(err), host, errstr);
414 /* ------------------------------------------------------------------------ */
420 tls_is_buggy_ocsp(void)
423 uschar maj, mid, mic;
425 s = CUS gnutls_check_version(NULL);
429 while (*s && *s != '.') s++;
437 while (*s && *s != '.') s++;
439 return mic <= (mid == 3 ? 16 : 3);
449 tls_g_init(uschar ** errstr)
452 DEBUG(D_tls) debug_printf("GnuTLS global init required\n");
454 #if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
455 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
456 which loads modules from a config file, which sounds good and may be wanted
457 by some sysadmin, but also means in common configurations that GNOME keyring
458 environment variables are used and so breaks for users calling mailq.
459 To prevent this, we init PKCS11 first, which is the documented approach. */
461 if (!gnutls_allow_auto_pkcs11)
462 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
463 return tls_error_gnu(NULL, US"gnutls_pkcs11_init", rc, errstr);
466 #ifndef GNUTLS_AUTO_GLOBAL_INIT
467 if ((rc = gnutls_global_init()))
468 return tls_error_gnu(NULL, US"gnutls_global_init", rc, errstr);
471 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
474 gnutls_global_set_log_function(exim_gnutls_logger_cb);
475 /* arbitrarily chosen level; bump up to 9 for more */
476 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
481 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
482 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
485 exim_gnutls_base_init_done = TRUE;
491 /* Daemon-call before each connection. Nothing to do for GnuTLS. */
494 tls_per_lib_daemon_tick(void)
498 /* Daemon one-time initialisation */
501 tls_per_lib_daemon_init(void)
503 uschar * dummy_errstr;
504 static BOOL once = FALSE;
506 if (!exim_gnutls_base_init_done)
507 tls_g_init(&dummy_errstr);
513 #ifdef EXIM_HAVE_TLS_RESUME
514 /* We are dependent on the GnuTLS implementation of the Session Ticket
515 encryption; both the strength and the key rotation period. We hope that
516 the strength at least matches that of the ciphersuite (but GnuTLS does not
519 gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
520 if (f.running_in_test_harness) ssl_session_timeout = 6;
523 tls_daemon_creds_reload();
527 /* ------------------------------------------------------------------------ */
529 /*************************************************
530 * Deal with logging errors during I/O *
531 *************************************************/
533 /* We have to get the identity of the peer from saved data.
536 state the current GnuTLS exim state container
537 rc the GnuTLS error code, or 0 if it's a local error
538 when text identifying read or write
539 text local error text when rc is 0
545 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
550 msg = rc == GNUTLS_E_FATAL_ALERT_RECEIVED
551 ? string_sprintf("A TLS fatal alert has been received: %s",
552 US gnutls_alert_get_name(gnutls_alert_get(state->session)))
553 #ifdef GNUTLS_E_PREMATURE_TERMINATION
554 : rc == GNUTLS_E_PREMATURE_TERMINATION && errno
555 ? string_sprintf("%s: syscall: %s", US gnutls_strerror(rc), strerror(errno))
557 : US gnutls_strerror(rc);
559 (void) tls_error(when, msg, state->host, &errstr);
562 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
563 state->host->name, state->host->address, errstr);
566 uschar * conn_info = smtp_get_connection_info();
567 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
568 /* I'd like to get separated H= here, but too hard for now */
569 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
576 /*************************************************
577 * Set various Exim expansion vars *
578 *************************************************/
580 #define exim_gnutls_cert_err(Label) \
583 if (rc != GNUTLS_E_SUCCESS) \
585 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
586 (Label), gnutls_strerror(rc)); \
592 import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
596 rc = gnutls_x509_crt_init(crtp);
597 exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
599 rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
600 exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
605 #undef exim_gnutls_cert_err
608 /* We set various Exim global variables from the state, once a session has
609 been established. With TLS callouts, may need to change this to stack
610 variables, or just re-call it with the server state after client callout
613 Make sure anything set here is unset in tls_getc().
617 tls_bits strength indicator
618 tls_certificate_verified bool indicator
619 tls_channelbinding for some SASL mechanisms
622 tls_peercert pointer to library internal
624 tls_sni a (UTF-8) string
625 tls_ourcert pointer to library internal
628 state the relevant exim_gnutls_state_st *
632 extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
634 tls_support * tlsp = state->tlsp;
636 tlsp->active.sock = state->fd_out;
637 tlsp->active.tls_ctx = state;
639 DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
641 tlsp->certificate_verified = state->peer_cert_verified;
643 tlsp->dane_verified = state->peer_dane_verified;
646 /* note that tls_channelbinding is not saved to the spool file, since it's
647 only available for use for authenticators while this TLS session is running. */
649 tlsp->channelbinding = NULL;
650 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
652 gnutls_datum_t channel = {.data = NULL, .size = 0};
655 # ifdef HAVE_GNUTLS_EXPORTER
656 if (gnutls_protocol_get_version(state->session) >= GNUTLS_TLS1_3)
658 rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_EXPORTER, &channel);
659 tlsp->channelbind_exporter = TRUE;
662 # elif defined(HAVE_GNUTLS_PRF_RFC5705)
663 /* Older libraries may not have GNUTLS_TLS1_3 defined! */
664 if (gnutls_protocol_get_version(state->session) > GNUTLS_TLS1_2)
666 uschar * buf = store_get(32, state->host ? GET_TAINTED : GET_UNTAINTED);
667 rc = gnutls_prf_rfc5705(state->session,
668 (size_t)24, "EXPORTER-Channel-Binding", (size_t)0, "",
675 rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
678 { DEBUG(D_tls) debug_printf("extracting channel binding: %s\n", gnutls_strerror(rc)); }
681 int old_pool = store_pool;
682 /* Declare the taintedness of the binding info. On server, untainted; on
683 client, tainted if we used the Finish msg from the server. */
685 store_pool = POOL_PERM;
686 tlsp->channelbinding = b64encode_taint(CUS channel.data, (int)channel.size,
687 !tlsp->channelbind_exporter && state->host ? GET_TAINTED : GET_UNTAINTED);
688 store_pool = old_pool;
689 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage\n");
694 /* peercert is set in peer_status() */
695 tlsp->peerdn = state->peerdn;
697 /* do not corrupt sni sent by client; record sni rxd by server */
699 tlsp->sni = state->received_sni;
701 /* record our certificate */
703 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
704 gnutls_x509_crt_t crt;
706 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
713 /*************************************************
714 * Setup up DH parameters *
715 *************************************************/
717 /* Generating the D-H parameters may take a long time. They only need to
718 be re-generated every so often, depending on security policy. What we do is to
719 keep these parameters in a file in the spool directory. If the file does not
720 exist, we generate them. This means that it is easy to cause a regeneration.
722 The new file is written as a temporary file and renamed, so that an incomplete
723 file is never present. If two processes both compute some new parameters, you
724 waste a bit of effort, but it doesn't seem worth messing around with locking to
727 Returns: OK/DEFER/FAIL
731 init_server_dh(uschar ** errstr)
734 unsigned int dh_bits;
736 uschar filename_buf[PATH_MAX];
737 uschar *filename = NULL;
739 uschar *exp_tls_dhparam;
740 BOOL use_file_in_spool = FALSE;
741 host_item *host = NULL; /* dummy for macros */
743 DEBUG(D_tls) debug_printf("Initialising GnuTLS server params\n");
745 if ((rc = gnutls_dh_params_init(&dh_server_params)))
746 return tls_error_gnu(NULL, US"gnutls_dh_params_init", rc, errstr);
751 if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
754 if (!exp_tls_dhparam)
756 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
757 m.data = US std_dh_prime_default();
758 m.size = Ustrlen(m.data);
760 else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
761 use_file_in_spool = TRUE;
762 else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
764 DEBUG(D_tls) debug_printf("Requested no DH parameters\n");
767 else if (exp_tls_dhparam[0] != '/')
769 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
770 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
771 m.size = Ustrlen(m.data);
774 filename = exp_tls_dhparam;
778 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
779 return tls_error_gnu(NULL, US"gnutls_dh_params_import_pkcs3", rc, errstr);
780 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
784 #ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
785 /* If you change this constant, also change dh_param_fn_ext so that we can use a
786 different filename and ensure we have sufficient bits. */
788 if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
789 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
791 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits\n",
794 dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
796 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits\n",
800 /* Some clients have hard-coded limits. */
801 if (dh_bits > tls_dh_max_bits)
804 debug_printf("tls_dh_max_bits clamping override, using %d bits instead\n",
806 dh_bits = tls_dh_max_bits;
809 if (use_file_in_spool)
811 if (!string_format(filename_buf, sizeof(filename_buf),
812 "%s/gnutls-params-%d", spool_directory, dh_bits))
813 return tls_error(US"overlong filename", NULL, NULL, errstr);
814 filename = filename_buf;
817 /* Open the cache file for reading and if successful, read it and set up the
820 if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
826 if (fstat(fd, &statbuf) < 0) /* EIO */
830 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
832 if (!S_ISREG(statbuf.st_mode))
835 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
837 if (!(fp = fdopen(fd, "rb")))
841 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
842 saved_errno, NULL, errstr);
845 m.size = statbuf.st_size;
846 if (!(m.data = store_malloc(m.size)))
849 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
851 if (!(sz = fread(m.data, m.size, 1, fp)))
856 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
860 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
863 return tls_error_gnu(NULL, US"gnutls_dh_params_import_pkcs3", rc, errstr);
864 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
867 /* If the file does not exist, fall through to compute new data and cache it.
868 If there was any other opening error, it is serious. */
870 else if (errno == ENOENT)
874 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
877 return tls_error(string_open_failed("\"%s\" for reading", filename),
880 /* If ret < 0, either the cache file does not exist, or the data it contains
881 is not useful. One particular case of this is when upgrading from an older
882 release of Exim in which the data was stored in a different format. We don't
883 try to be clever and support both formats; we just regenerate new data in this
889 unsigned int dh_bits_gen = dh_bits;
891 if ((PATH_MAX - Ustrlen(filename)) < 10)
892 return tls_error(US"Filename too long to generate replacement",
893 filename, NULL, errstr);
895 temp_fn = string_copy(US"exim-dh.XXXXXXX");
896 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
897 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
898 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
900 /* GnuTLS overshoots!
901 * If we ask for 2236, we might get 2237 or more.
902 * But there's no way to ask GnuTLS how many bits there really are.
903 * We can ask how many bits were used in a TLS session, but that's it!
904 * The prime itself is hidden behind too much abstraction.
905 * So we ask for less, and proceed on a wing and a prayer.
906 * First attempt, subtracted 3 for 2233 and got 2240.
908 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
910 dh_bits_gen = dh_bits - 10;
912 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
917 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
919 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
920 return tls_error_gnu(NULL, US"gnutls_dh_params_generate2", rc, errstr);
922 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
923 and I confirmed that a NULL call to get the size first is how the GnuTLS
924 sample apps handle this. */
928 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
929 GNUTLS_X509_FMT_PEM, m.data, &sz))
930 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
931 return tls_error_gnu(NULL, US"gnutls_dh_params_export_pkcs3(NULL) sizing",
934 if (!(m.data = store_malloc(m.size)))
935 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
937 /* this will return a size 1 less than the allocation size above */
938 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
942 return tls_error_gnu(NULL, US"gnutls_dh_params_export_pkcs3() real", rc, errstr);
944 m.size = sz; /* shrink by 1, probably */
946 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
949 return tls_error_sys(US"TLS cache write D-H params failed",
950 errno, NULL, errstr);
953 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
954 return tls_error_sys(US"TLS cache write D-H params final newline failed",
955 errno, NULL, errstr);
957 if ((rc = close(fd)))
958 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
960 if (Urename(temp_fn, filename) < 0)
961 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
962 temp_fn, filename), errno, NULL, errstr);
964 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
967 DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
974 /* Create and install a selfsigned certificate, for use in server mode. */
977 tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
979 gnutls_x509_crt_t cert = NULL;
981 gnutls_x509_privkey_t pkey = NULL;
982 const uschar * where;
985 #ifndef SUPPORT_SELFSIGN
986 where = US"library too old";
987 rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
991 DEBUG(D_tls) debug_printf("TLS: generating selfsigned server cert\n");
992 where = US"initialising pkey";
993 if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
995 where = US"initialising cert";
996 if ((rc = gnutls_x509_crt_init(&cert))) goto err;
998 where = US"generating pkey"; /* Hangs on 2.12.23 */
999 if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
1000 #ifdef SUPPORT_PARAM_TO_PK_BITS
1001 # ifndef GNUTLS_SEC_PARAM_MEDIUM
1002 # define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
1004 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
1011 where = US"configuring cert";
1013 if ( (rc = gnutls_x509_crt_set_version(cert, 3))
1014 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
1015 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
1016 || (rc = gnutls_x509_crt_set_expiration_time(cert, (long)2 * 60 * 60)) /* 2 hour */
1017 || (rc = gnutls_x509_crt_set_key(cert, pkey))
1019 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
1020 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
1021 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
1022 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
1023 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
1024 GNUTLS_OID_X520_COMMON_NAME, 0,
1025 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
1029 where = US"signing cert";
1030 if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
1032 where = US"installing selfsign cert";
1034 if ((rc = gnutls_certificate_set_x509_key(state->lib_state.x509_cred,
1041 if (cert) gnutls_x509_crt_deinit(cert);
1042 if (pkey) gnutls_x509_privkey_deinit(pkey);
1046 rc = tls_error_gnu(state, where, rc, errstr);
1053 /* Add certificate and key, from files.
1056 Zero or negative: good. Negate value for certificate index if < 0.
1057 Greater than zero: FAIL or DEFER code.
1061 tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
1062 const uschar * certfile, const uschar * keyfile, uschar ** errstr)
1064 int rc = gnutls_certificate_set_x509_key_file(state->lib_state.x509_cred,
1065 CCS certfile, CCS keyfile, GNUTLS_X509_FMT_PEM);
1067 return tls_error_gnu(state,
1068 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
1074 #if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1075 /* Load an OCSP proof from file for sending by the server. Called
1076 on getting a status-request handshake message, for earlier versions
1080 server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
1081 gnutls_datum_t * ocsp_response)
1084 DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
1086 if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
1088 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
1090 tls_in.ocsp = OCSP_NOT_RESP;
1091 return GNUTLS_E_NO_CERTIFICATE_STATUS;
1094 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1100 #ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1101 /* Make a note that we saw a status-request */
1103 tls_server_clienthello_ext(void * ctx, unsigned tls_id,
1104 const uschar * data, unsigned size)
1106 /* The values for tls_id are documented here:
1107 https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
1110 case 5: /* Status Request */
1111 DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
1112 tls_in.ocsp = OCSP_NOT_RESP;
1114 #ifdef EXIM_HAVE_ALPN
1115 case 16: /* Application Layer Protocol Notification */
1116 /* The format of "data" here doesn't seem to be documented, but appears
1117 to be a 2-byte field with a (redundant, given the "size" arg) total length
1118 then a sequence of one-byte size then string (not nul-term) names. The
1119 latter is as described in OpenSSL documentation. */
1121 DEBUG(D_tls) debug_printf("Seen ALPN extension from client (s=%u):", size);
1122 for (const uschar * s = data+2; s-data < size-1; s += *s + 1)
1125 DEBUG(D_tls) debug_printf(" '%.*s'", (int)*s, s+1);
1127 DEBUG(D_tls) debug_printf("\n");
1128 if (server_seen_alpn > 1)
1130 DEBUG(D_tls) debug_printf("TLS: too many ALPNs presented in handshake\n");
1131 return GNUTLS_E_NO_APPLICATION_PROTOCOL;
1139 /* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
1141 tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
1142 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
1144 /* Call fn for each extension seen. 3.6.3 onwards */
1145 return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
1146 GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
1150 # ifdef notdef_crashes
1151 /* Make a note that we saw a status-response */
1153 tls_server_servercerts_ext(void * ctx, unsigned tls_id,
1154 const unsigned char *data, unsigned size)
1156 /* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
1157 /* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
1158 if (FALSE && tls_id == 5) /* status_request */
1160 DEBUG(D_tls) debug_printf("Seen status_request extension\n");
1161 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
1162 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
1168 /* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
1170 tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
1171 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
1173 /* Call fn for each extension seen. 3.6.3 onwards */
1174 # ifdef notdef_crashes
1176 return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
1179 #endif /*SUPPORT_GNUTLS_EXT_RAW_PARSE*/
1181 /*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
1182 "Handshake Protocol: Certificate" record.
1183 So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
1185 This is different to tls1.2 - where it is a separate record (wireshark term) / handshake message (gnutls term).
1188 #if defined(EXIM_HAVE_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1189 /* Callback for certificate-status, on server. We sent stapled OCSP. */
1191 tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
1192 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
1194 DEBUG(D_tls) debug_printf("Sending certificate-status\n"); /*XXX we get this for tls1.2 but not for 1.3 */
1195 # ifdef SUPPORT_SRV_OCSP_STACK
1196 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
1197 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
1199 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1204 /* Callback for handshake messages, on server */
1206 tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
1207 unsigned incoming, const gnutls_datum_t * msg)
1209 /* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
1212 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1213 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1214 return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
1215 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1216 return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
1218 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1219 return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
1220 # ifdef EXIM_HAVE_TLS_RESUME
1221 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1222 return tls_server_ticket_cb(sess, htype, when, incoming, msg);
1231 #if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1233 tls_server_testharness_ocsp_fiddle(void)
1235 extern char ** environ;
1236 if (environ) for (uschar ** p = USS environ; *p; p++)
1237 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1239 DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
1240 exim_testharness_disable_ocsp_validity_check = TRUE;
1245 /**************************************************
1246 * One-time init credentials for server and client *
1247 **************************************************/
1250 creds_basic_init(gnutls_certificate_credentials_t x509_cred, BOOL server)
1252 #ifdef SUPPORT_SRV_OCSP_STACK
1253 gnutls_certificate_set_flags(x509_cred, GNUTLS_CERTIFICATE_API_V2);
1255 # if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1256 if (server && tls_ocsp_file)
1258 if (f.running_in_test_harness)
1259 tls_server_testharness_ocsp_fiddle();
1261 if (exim_testharness_disable_ocsp_validity_check)
1262 gnutls_certificate_set_flags(x509_cred,
1263 GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
1268 debug_printf("TLS: basic cred init, %s\n", server ? "server" : "client");
1272 creds_load_server_certs(exim_gnutls_state_st * state, const uschar * cert,
1273 const uschar * pkey, const uschar * ocsp, uschar ** errstr)
1275 const uschar * clist = cert;
1276 const uschar * klist = pkey;
1277 const uschar * olist;
1278 int csep = 0, ksep = 0, osep = 0, cnt = 0, rc;
1279 uschar * cfile, * kfile, * ofile;
1280 #ifndef DISABLE_OCSP
1281 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1282 gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
1285 if (!expand_check(ocsp, US"tls_ocsp_file", &ofile, errstr))
1290 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
1292 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
1293 return tls_error(US"cert/key setup: out of keys", NULL, NULL, errstr);
1294 else if ((rc = tls_add_certfile(state, NULL, cfile, kfile, errstr)) > 0)
1298 int gnutls_cert_index = -rc;
1299 DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
1300 gnutls_cert_index, cfile);
1302 #ifndef DISABLE_OCSP
1305 /* Set the OCSP stapling server info */
1306 if (gnutls_buggy_ocsp)
1309 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1311 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1313 DEBUG(D_tls) debug_printf("OCSP response file %d = %s\n",
1314 gnutls_cert_index, ofile);
1315 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1316 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1318 ocsp_fmt = GNUTLS_X509_FMT_PEM;
1321 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1323 ocsp_fmt = GNUTLS_X509_FMT_DER;
1327 if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
1328 state->lib_state.x509_cred, CCS ofile, gnutls_cert_index,
1330 return tls_error_gnu(state,
1331 US"gnutls_certificate_set_ocsp_status_request_file2",
1334 debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
1336 /* Arrange callbacks for OCSP request observability */
1339 gnutls_handshake_set_hook_function(state->session,
1340 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1342 state->lib_state.ocsp_hook = TRUE;
1346 # if defined(SUPPORT_SRV_OCSP_STACK)
1347 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1348 state->lib_state.x509_cred, gnutls_cert_index,
1349 server_ocsp_stapling_cb, ofile)))
1350 return tls_error_gnu(state,
1351 US"gnutls_certificate_set_ocsp_status_request_function2",
1359 debug_printf("oops; multiple OCSP files not supported\n");
1362 gnutls_certificate_set_ocsp_status_request_function(
1363 state->lib_state.x509_cred, server_ocsp_stapling_cb, ofile);
1365 # endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
1368 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
1370 #endif /* DISABLE_OCSP */
1376 creds_load_client_certs(exim_gnutls_state_st * state, const host_item * host,
1377 const uschar * cert, const uschar * pkey, uschar ** errstr)
1379 int rc = tls_add_certfile(state, host, cert, pkey, errstr);
1380 if (rc > 0) return rc;
1381 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1386 creds_load_cabundle(exim_gnutls_state_st * state, const uschar * bundle,
1387 const host_item * host, uschar ** errstr)
1390 struct stat statbuf;
1392 #ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1393 if (Ustrcmp(bundle, "system") == 0 || Ustrncmp(bundle, "system,", 7) == 0)
1394 cert_count = gnutls_certificate_set_x509_system_trust(state->lib_state.x509_cred);
1398 if (Ustat(bundle, &statbuf) < 0)
1400 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
1401 "(tls_verify_certificates): %s", bundle, strerror(errno));
1405 #ifndef SUPPORT_CA_DIR
1406 /* The test suite passes in /dev/null; we could check for that path explicitly,
1407 but who knows if someone has some weird FIFO which always dumps some certs, or
1408 other weirdness. The thing we really want to check is that it's not a
1409 directory, since while OpenSSL supports that, GnuTLS does not.
1410 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
1411 if (S_ISDIR(statbuf.st_mode))
1413 log_write(0, LOG_MAIN|LOG_PANIC,
1414 "tls_verify_certificates \"%s\" is a directory", bundle);
1419 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1420 bundle, statbuf.st_size);
1422 if (statbuf.st_size == 0)
1425 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1431 #ifdef SUPPORT_CA_DIR
1432 (statbuf.st_mode & S_IFMT) == S_IFDIR
1434 gnutls_certificate_set_x509_trust_dir(state->lib_state.x509_cred,
1435 CS bundle, GNUTLS_X509_FMT_PEM)
1438 gnutls_certificate_set_x509_trust_file(state->lib_state.x509_cred,
1439 CS bundle, GNUTLS_X509_FMT_PEM);
1441 #ifdef SUPPORT_CA_DIR
1442 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1443 when using the directory-of-certs config model. */
1445 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1447 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1449 state->lib_state.ca_rdn_emulate = TRUE;
1454 return tls_error_gnu(state, US"setting certificate trust", cert_count, errstr);
1456 debug_printf("Added %d certificate authorities\n", cert_count);
1463 creds_load_crl(exim_gnutls_state_st * state, const uschar * crl, uschar ** errstr)
1466 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", crl);
1467 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->lib_state.x509_cred,
1468 CS crl, GNUTLS_X509_FMT_PEM)) < 0)
1469 return tls_error_gnu(state, US"gnutls_certificate_set_x509_crl_file",
1470 cert_count, errstr);
1472 DEBUG(D_tls) debug_printf("Processed %d CRLs\n", cert_count);
1478 creds_load_pristring(exim_gnutls_state_st * state, const uschar * p,
1479 const char ** errpos)
1483 p = exim_default_gnutls_priority;
1485 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
1487 return gnutls_priority_init( (gnutls_priority_t *) &state->lib_state.pri_cache,
1492 tls_server_creds_init(void)
1494 uschar * dummy_errstr;
1495 unsigned lifetime = 0;
1497 state_server.lib_state = null_tls_preload;
1498 if (gnutls_certificate_allocate_credentials(
1499 (gnutls_certificate_credentials_t *) &state_server.lib_state.x509_cred))
1501 state_server.lib_state.x509_cred = NULL;
1504 creds_basic_init(state_server.lib_state.x509_cred, TRUE);
1506 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1507 /* If tls_certificate has any $ indicating expansions, it is not good.
1508 If tls_privatekey is set but has $, not good. Likewise for tls_ocsp_file.
1509 If all good (and tls_certificate set), load the cert(s). */
1511 if ( opt_set_and_noexpand(tls_certificate)
1512 # ifndef DISABLE_OCSP
1513 && opt_unset_or_noexpand(tls_ocsp_file)
1515 && opt_unset_or_noexpand(tls_privatekey))
1517 /* Set watches on the filenames. The implementation does de-duplication
1518 so we can just blindly do them all.
1521 if ( tls_set_watch(tls_certificate, TRUE)
1522 # ifndef DISABLE_OCSP
1523 && tls_set_watch(tls_ocsp_file, TRUE)
1525 && tls_set_watch(tls_privatekey, TRUE))
1527 DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
1528 if (creds_load_server_certs(&state_server, tls_certificate,
1529 tls_privatekey && *tls_privatekey ? tls_privatekey : tls_certificate,
1530 # ifdef DISABLE_OCSP
1535 &dummy_errstr) == 0)
1536 state_server.lib_state.conn_certs = TRUE;
1539 else if ( !tls_certificate && !tls_privatekey
1540 # ifndef DISABLE_OCSP
1544 { /* Generate & preload a selfsigned cert. No files to watch. */
1545 if ((tls_install_selfsign(&state_server, &dummy_errstr)) == OK)
1547 state_server.lib_state.conn_certs = TRUE;
1548 lifetime = f.running_in_test_harness ? 2 : 60 * 60; /* 1 hour */
1552 DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
1554 /* If tls_verify_certificates is non-empty and has no $, load CAs.
1555 If none was configured and we can't handle "system", treat as empty. */
1557 if ( opt_set_and_noexpand(tls_verify_certificates)
1558 #ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1559 && Ustrcmp(tls_verify_certificates, "system") != 0
1563 if (tls_set_watch(tls_verify_certificates, FALSE))
1565 DEBUG(D_tls) debug_printf("TLS: preloading CA bundle for server\n");
1566 if (creds_load_cabundle(&state_server, tls_verify_certificates,
1567 NULL, &dummy_errstr) != OK)
1569 state_server.lib_state.cabundle = TRUE;
1571 /* If CAs loaded and tls_crl is non-empty and has no $, load it */
1573 if (opt_set_and_noexpand(tls_crl))
1575 if (tls_set_watch(tls_crl, FALSE))
1577 DEBUG(D_tls) debug_printf("TLS: preloading CRL for server\n");
1578 if (creds_load_crl(&state_server, tls_crl, &dummy_errstr) != OK)
1580 state_server.lib_state.crl = TRUE;
1584 DEBUG(D_tls) debug_printf("TLS: not preloading CRL for server\n");
1588 DEBUG(D_tls) debug_printf("TLS: not preloading CA bundle for server\n");
1589 #endif /* EXIM_HAVE_INOTIFY */
1591 /* If tls_require_ciphers is non-empty and has no $, load the
1592 ciphers priority cache. If unset, load with the default.
1593 (server-only as the client one depends on non/DANE) */
1595 if (!tls_require_ciphers || opt_set_and_noexpand(tls_require_ciphers))
1597 const char * dummy_errpos;
1598 DEBUG(D_tls) debug_printf("TLS: preloading cipher list for server: %s\n",
1599 tls_require_ciphers);
1600 if ( creds_load_pristring(&state_server, tls_require_ciphers, &dummy_errpos)
1602 state_server.lib_state.pri_string = TRUE;
1605 DEBUG(D_tls) debug_printf("TLS: not preloading cipher list for server\n");
1610 /* Preload whatever creds are static, onto a transport. The client can then
1611 just copy the pointer as it starts up. */
1613 /*XXX this is not called for a cmdline send. But one needing to use >1 conn would benefit,
1614 and there seems little downside. */
1617 tls_client_creds_init(transport_instance * t, BOOL watch)
1619 smtp_transport_options_block * ob = t->options_block;
1620 exim_gnutls_state_st tpt_dummy_state;
1621 host_item * dummy_host = (host_item *)1;
1622 uschar * dummy_errstr;
1624 if ( !exim_gnutls_base_init_done
1625 && tls_g_init(&dummy_errstr) != OK)
1628 ob->tls_preload = null_tls_preload;
1629 if (gnutls_certificate_allocate_credentials(
1630 (struct gnutls_certificate_credentials_st **)&ob->tls_preload.x509_cred))
1632 ob->tls_preload.x509_cred = NULL;
1635 creds_basic_init(ob->tls_preload.x509_cred, FALSE);
1637 tpt_dummy_state.session = NULL;
1638 tpt_dummy_state.lib_state = ob->tls_preload;
1640 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1641 if ( opt_set_and_noexpand(ob->tls_certificate)
1642 && opt_unset_or_noexpand(ob->tls_privatekey))
1645 || ( tls_set_watch(ob->tls_certificate, FALSE)
1646 && tls_set_watch(ob->tls_privatekey, FALSE)
1649 const uschar * pkey = ob->tls_privatekey;
1652 debug_printf("TLS: preloading client certs for transport '%s'\n", t->name);
1654 /* The state->lib_state.x509_cred is used for the certs load, and is the sole
1655 structure element used. So we can set up a dummy. The hoat arg only
1656 selects a retcode in case of fail, so any value */
1658 if (creds_load_client_certs(&tpt_dummy_state, dummy_host,
1659 ob->tls_certificate, pkey ? pkey : ob->tls_certificate,
1660 &dummy_errstr) == OK)
1661 ob->tls_preload.conn_certs = TRUE;
1666 debug_printf("TLS: not preloading client certs, for transport '%s'\n", t->name);
1668 /* If tls_verify_certificates is non-empty and has no $, load CAs.
1669 If none was configured and we can't handle "system", treat as empty. */
1671 if ( opt_set_and_noexpand(ob->tls_verify_certificates)
1672 #ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1673 && Ustrcmp(ob->tls_verify_certificates, "system") != 0
1677 if (!watch || tls_set_watch(ob->tls_verify_certificates, FALSE))
1680 debug_printf("TLS: preloading CA bundle for transport '%s'\n", t->name);
1681 if (creds_load_cabundle(&tpt_dummy_state, ob->tls_verify_certificates,
1682 dummy_host, &dummy_errstr) != OK)
1684 ob->tls_preload.cabundle = TRUE;
1686 if (opt_set_and_noexpand(ob->tls_crl))
1688 if (!watch || tls_set_watch(ob->tls_crl, FALSE))
1690 DEBUG(D_tls) debug_printf("TLS: preloading CRL for transport '%s'\n", t->name);
1691 if (creds_load_crl(&tpt_dummy_state, ob->tls_crl, &dummy_errstr) != OK)
1693 ob->tls_preload.crl = TRUE;
1697 DEBUG(D_tls) debug_printf("TLS: not preloading CRL, for transport '%s'\n", t->name);
1702 debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", t->name);
1704 /* We do not preload tls_require_ciphers to to the transport as it implicitly
1705 depends on DANE or plain usage. */
1711 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1712 /* Invalidate the creds cached, by dropping the current ones.
1713 Call when we notice one of the source files has changed. */
1716 tls_server_creds_invalidate(void)
1718 if (state_server.lib_state.pri_cache)
1719 gnutls_priority_deinit(state_server.lib_state.pri_cache);
1720 state_server.lib_state.pri_cache = NULL;
1722 if (state_server.lib_state.x509_cred)
1723 gnutls_certificate_free_credentials(state_server.lib_state.x509_cred);
1724 state_server.lib_state = null_tls_preload;
1729 tls_client_creds_invalidate(transport_instance * t)
1731 smtp_transport_options_block * ob = t->options_block;
1732 if (ob->tls_preload.x509_cred)
1733 gnutls_certificate_free_credentials(ob->tls_preload.x509_cred);
1734 ob->tls_preload = null_tls_preload;
1739 /*************************************************
1740 * Variables re-expanded post-SNI *
1741 *************************************************/
1743 /* Called from both server and client code, via tls_init(), and also from
1744 the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
1746 We can tell the two apart by state->received_sni being non-NULL in callback.
1748 The callback should not call us unless state->trigger_sni_changes is true,
1749 which we are responsible for setting on the first pass through.
1752 state exim_gnutls_state_st *
1753 errstr error string pointer
1755 Returns: OK/DEFER/FAIL
1759 tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
1762 const host_item *host = state->host; /* macro should be reconsidered? */
1763 const uschar *saved_tls_certificate = NULL;
1764 const uschar *saved_tls_privatekey = NULL;
1765 const uschar *saved_tls_verify_certificates = NULL;
1766 const uschar *saved_tls_crl = NULL;
1769 /* We check for tls_sni *before* expansion. */
1770 if (!host) /* server */
1771 if (!state->received_sni)
1773 if ( state->tls_certificate
1774 && ( Ustrstr(state->tls_certificate, US"tls_sni")
1775 || Ustrstr(state->tls_certificate, US"tls_in_sni")
1776 || Ustrstr(state->tls_certificate, US"tls_out_sni")
1779 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI\n");
1780 state->trigger_sni_changes = TRUE;
1783 else /* SNI callback case */
1785 /* useful for debugging */
1786 saved_tls_certificate = state->exp_tls_certificate;
1787 saved_tls_privatekey = state->exp_tls_privatekey;
1788 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
1789 saved_tls_crl = state->exp_tls_crl;
1792 if (!state->lib_state.x509_cred)
1794 if ((rc = gnutls_certificate_allocate_credentials(
1795 (gnutls_certificate_credentials_t *) &state->lib_state.x509_cred)))
1796 return tls_error_gnu(state, US"gnutls_certificate_allocate_credentials",
1798 creds_basic_init(state->lib_state.x509_cred, !host);
1802 /* remember: Expand_check_tlsvar() is expand_check() but fiddling with
1803 state members, assuming consistent naming; and expand_check() returns
1804 false if expansion failed, unless expansion was forced to fail. */
1806 /* check if we at least have a certificate, before doing expensive
1809 if (!state->lib_state.conn_certs)
1811 if (!Expand_check_tlsvar(tls_certificate, errstr))
1814 /* certificate is mandatory in server, optional in client */
1816 if ( !state->exp_tls_certificate
1817 || !*state->exp_tls_certificate
1820 return tls_install_selfsign(state, errstr);
1822 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
1824 if (state->tls_privatekey && !Expand_check_tlsvar(tls_privatekey, errstr))
1827 /* tls_privatekey is optional, defaulting to same file as certificate */
1829 if (!state->tls_privatekey || !*state->tls_privatekey)
1831 state->tls_privatekey = state->tls_certificate;
1832 state->exp_tls_privatekey = state->exp_tls_certificate;
1835 if (state->exp_tls_certificate && *state->exp_tls_certificate)
1838 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
1839 state->exp_tls_certificate, state->exp_tls_privatekey);
1841 if (state->received_sni)
1842 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
1843 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
1846 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
1847 load = FALSE; /* avoid re-loading the same certs */
1849 else /* unload the pre-SNI certs before loading new ones */
1851 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair\n");
1852 gnutls_certificate_free_keys(state->lib_state.x509_cred);
1857 ? creds_load_client_certs(state, host, state->exp_tls_certificate,
1858 state->exp_tls_privatekey, errstr)
1859 : creds_load_server_certs(state, state->exp_tls_certificate,
1860 state->exp_tls_privatekey,
1873 debug_printf("%s certs were preloaded\n", host ? "client" : "server");
1875 if (!state->tls_privatekey) state->tls_privatekey = state->tls_certificate;
1876 state->exp_tls_certificate = US state->tls_certificate;
1877 state->exp_tls_privatekey = US state->tls_privatekey;
1879 #ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1880 if (state->lib_state.ocsp_hook)
1881 gnutls_handshake_set_hook_function(state->session,
1882 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1887 /* Set the trusted CAs file if one is provided, and then add the CRL if one is
1888 provided. Experiment shows that, if the certificate file is empty, an unhelpful
1889 error message is provided. However, if we just refrain from setting anything up
1890 in that case, certificate verification fails, which seems to be the correct
1892 If none was configured and we can't handle "system", treat as empty. */
1894 if (!state->lib_state.cabundle)
1896 if (state->tls_verify_certificates && *state->tls_verify_certificates)
1898 if (!Expand_check_tlsvar(tls_verify_certificates, errstr))
1900 #ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1901 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1902 state->exp_tls_verify_certificates = NULL;
1904 if (state->tls_crl && *state->tls_crl)
1905 if (!Expand_check_tlsvar(tls_crl, errstr))
1908 if (!(state->exp_tls_verify_certificates &&
1909 *state->exp_tls_verify_certificates))
1912 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1913 /* With no tls_verify_certificates, we ignore tls_crl too */
1920 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1923 rc = creds_load_cabundle(state, state->exp_tls_verify_certificates, host, errstr);
1924 if (rc != OK) return rc;
1929 debug_printf("%s CA bundle was preloaded\n", host ? "client" : "server");
1930 state->exp_tls_verify_certificates = US state->tls_verify_certificates;
1932 #ifdef SUPPORT_CA_DIR
1933 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1934 when using the directory-of-certs config model. */
1935 if (state->lib_state.ca_rdn_emulate)
1936 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1941 if (!state->lib_state.crl)
1943 if ( state->tls_crl && *state->tls_crl
1944 && state->exp_tls_crl && *state->exp_tls_crl)
1945 return creds_load_crl(state, state->exp_tls_crl, errstr);
1950 debug_printf("%s CRL was preloaded\n", host ? "client" : "server");
1951 state->exp_tls_crl = US state->tls_crl;
1960 /*************************************************
1961 * Set X.509 state variables *
1962 *************************************************/
1964 /* In GnuTLS, the registered cert/key are not replaced by a later
1965 set of a cert/key, so for SNI support we need a whole new x509_cred
1966 structure. Which means various other non-re-expanded pieces of state
1967 need to be re-set in the new struct, so the setting logic is pulled
1971 state exim_gnutls_state_st *
1972 errstr error string pointer
1974 Returns: OK/DEFER/FAIL
1978 tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1981 const host_item *host = state->host; /* macro should be reconsidered? */
1983 /* Create D-H parameters, or read them from the cache file. This function does
1984 its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1985 client-side params. */
1989 if (!dh_server_params)
1990 if ((rc = init_server_dh(errstr)) != OK) return rc;
1992 /* Unnecessary & discouraged with 3.6.0 or later, according to docs. But without it,
1993 no DHE- ciphers are advertised. */
1994 gnutls_certificate_set_dh_params(state->lib_state.x509_cred, dh_server_params);
1997 /* Link the credentials to the session. */
1999 if ((rc = gnutls_credentials_set(state->session,
2000 GNUTLS_CRD_CERTIFICATE, state->lib_state.x509_cred)))
2001 return tls_error_gnu(state, US"gnutls_credentials_set", rc, errstr);
2006 /*************************************************
2007 * Initialize for GnuTLS *
2008 *************************************************/
2011 /* Called from both server and client code. In the case of a server, errors
2012 before actual TLS negotiation return DEFER.
2015 host connected host, if client; NULL if server
2016 ob tranport options block, if client; NULL if server
2017 require_ciphers tls_require_ciphers setting
2018 caller_state returned state-info structure
2019 errstr error string pointer
2021 Returns: OK/DEFER/FAIL
2026 const host_item *host,
2027 smtp_transport_options_block * ob,
2028 const uschar * require_ciphers,
2029 exim_gnutls_state_st **caller_state,
2033 exim_gnutls_state_st * state;
2037 if ( !exim_gnutls_base_init_done
2038 && (rc = tls_g_init(errstr)) != OK)
2043 /* For client-side sessions we allocate a context. This lets us run
2044 several in parallel. */
2046 int old_pool = store_pool;
2047 store_pool = POOL_PERM;
2048 state = store_get(sizeof(exim_gnutls_state_st), GET_UNTAINTED);
2049 store_pool = old_pool;
2051 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
2052 state->lib_state = ob->tls_preload;
2054 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
2055 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
2057 state->tls_certificate = ob->tls_certificate;
2058 state->tls_privatekey = ob->tls_privatekey;
2059 state->tls_sni = ob->tls_sni;
2060 state->tls_verify_certificates = ob->tls_verify_certificates;
2061 state->tls_crl = ob->tls_crl;
2065 /* Server operations always use the one state_server context. It is not
2066 shared because we have forked a fresh process for every receive. However it
2067 can get re-used for successive TLS sessions on a single TCP connection. */
2069 state = &state_server;
2071 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
2072 rc = gnutls_init(&state->session, GNUTLS_SERVER);
2074 state->tls_certificate = tls_certificate;
2075 state->tls_privatekey = tls_privatekey;
2076 state->tls_sni = NULL;
2077 state->tls_verify_certificates = tls_verify_certificates;
2078 state->tls_crl = tls_crl;
2081 return tls_error_gnu(state, US"gnutls_init", rc, errstr);
2083 state->tls_require_ciphers = require_ciphers;
2086 /* This handles the variables that might get re-expanded after TLS SNI;
2087 tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
2090 debug_printf("Expanding various TLS configuration options for session credentials\n");
2091 if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
2093 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
2094 requires a new structure afterwards. */
2096 if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
2098 /* set SNI in client, only */
2101 if (!expand_check(state->tls_sni, US"tls_out_sni", &state->tlsp->sni, errstr))
2103 if (state->tlsp->sni && *state->tlsp->sni)
2106 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
2107 sz = Ustrlen(state->tlsp->sni);
2108 if ((rc = gnutls_server_name_set(state->session,
2109 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
2110 return tls_error_gnu(state, US"gnutls_server_name_set", rc, errstr);
2113 else if (state->tls_sni)
2114 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
2115 "have an SNI set for a server [%s]\n", state->tls_sni);
2117 if (!state->lib_state.pri_string)
2119 const uschar * p = NULL;
2120 const char * errpos;
2122 /* This is the priority string support,
2123 http://www.gnutls.org/manual/html_node/Priority-Strings.html
2124 and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
2125 This was backwards incompatible, but means Exim no longer needs to track
2126 all algorithms and provide string forms for them. */
2128 if (state->tls_require_ciphers && *state->tls_require_ciphers)
2130 if (!Expand_check_tlsvar(tls_require_ciphers, errstr))
2132 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
2134 p = state->exp_tls_require_ciphers;
2135 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
2139 if ((rc = creds_load_pristring(state, p, &errpos)))
2140 return tls_error_gnu(state, string_sprintf(
2141 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
2142 p, (long)(errpos - CS p), errpos),
2147 DEBUG(D_tls) debug_printf("cipher list preloaded\n");
2148 state->exp_tls_require_ciphers = US state->tls_require_ciphers;
2152 if ((rc = gnutls_priority_set(state->session, state->lib_state.pri_cache)))
2153 return tls_error_gnu(state, US"gnutls_priority_set", rc, errstr);
2155 /* This also sets the server ticket expiration time to the same, and
2156 the STEK rotation time to 3x. */
2158 gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
2160 /* Reduce security in favour of increased compatibility, if the admin
2161 decides to make that trade-off. */
2162 if (gnutls_compat_mode)
2164 #if LIBGNUTLS_VERSION_NUMBER >= 0x020104
2165 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
2166 gnutls_session_enable_compatibility_mode(state->session);
2168 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
2172 *caller_state = state;
2178 /*************************************************
2179 * Extract peer information *
2180 *************************************************/
2182 static const uschar *
2183 cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
2184 gnutls_mac_algorithm_t mac)
2187 gnutls_kx_algorithm_t kx_i;
2188 gnutls_cipher_algorithm_t cipher_i;
2189 gnutls_mac_algorithm_t mac_i;
2192 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
2194 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
2195 return cipher_stdname(cs_id[0], cs_id[1]);
2201 /* Called from both server and client code.
2202 Only this is allowed to set state->peerdn and state->have_set_peerdn
2203 and we use that to detect double-calls.
2205 NOTE: the state blocks last while the TLS connection is up, which is fine
2206 for logging in the server side, but for the client side, we log after teardown
2207 in src/deliver.c. While the session is up, we can twist about states and
2208 repoint tls_* globals, but those variables used for logging or other variable
2209 expansion that happens _after_ delivery need to have a longer life-time.
2211 So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
2212 doing this more than once per generation of a state context. We set them in
2213 the state context, and repoint tls_* to them. After the state goes away, the
2214 tls_* copies of the pointers remain valid and client delivery logging is happy.
2216 tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
2220 state exim_gnutls_state_st *
2221 errstr pointer to error string
2223 Returns: OK/DEFER/FAIL
2227 peer_status(exim_gnutls_state_st * state, uschar ** errstr)
2229 gnutls_session_t session = state->session;
2230 const gnutls_datum_t * cert_list;
2232 unsigned int cert_list_size = 0;
2233 gnutls_protocol_t protocol;
2234 gnutls_cipher_algorithm_t cipher;
2235 gnutls_kx_algorithm_t kx;
2236 gnutls_mac_algorithm_t mac;
2237 gnutls_certificate_type_t ct;
2238 gnutls_x509_crt_t crt;
2242 if (state->have_set_peerdn)
2244 state->have_set_peerdn = TRUE;
2246 state->peerdn = NULL;
2249 cipher = gnutls_cipher_get(session);
2250 protocol = gnutls_protocol_get_version(session);
2251 mac = gnutls_mac_get(session);
2253 #ifdef GNUTLS_TLS1_3
2254 protocol >= GNUTLS_TLS1_3 ? 0 :
2256 gnutls_kx_get(session);
2258 old_pool = store_pool;
2260 tls_support * tlsp = state->tlsp;
2261 store_pool = POOL_PERM;
2263 #ifdef SUPPORT_GNUTLS_SESS_DESC
2266 uschar * s = US gnutls_session_get_desc(session), c;
2268 /* Nikos M suggests we use this by preference. It returns like:
2269 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
2271 For partial back-compat, put a colon after the TLS version, replace the
2272 )-( grouping with __, replace in-group - with _ and append the :keysize. */
2274 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
2276 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
2278 tlsp->ver = string_copyn(g->s, g->ptr);
2279 for (uschar * p = US tlsp->ver; *p; p++)
2280 if (*p == '-') { *p = '\0'; break; } /* TLS1.0-PKIX -> TLS1.0 */
2282 g = string_catn(g, US":", 1);
2283 if (*s) s++; /* now on _ between groups */
2286 for (*++s && ++s; (c = *s) && c != ')'; s++)
2287 g = string_catn(g, c == '-' ? US"_" : s, 1);
2288 /* now on ) closing group */
2289 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
2290 /* now on _ between groups */
2292 g = string_catn(g, US":", 1);
2293 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
2294 state->ciphersuite = string_from_gstring(g);
2297 state->ciphersuite = string_sprintf("%s:%s:%d",
2298 gnutls_protocol_get_name(protocol),
2299 gnutls_cipher_suite_get_name(kx, cipher, mac),
2300 (int) gnutls_cipher_get_key_size(cipher) * 8);
2302 /* I don't see a way that spaces could occur, in the current GnuTLS
2303 code base, but it was a concern in the old code and perhaps older GnuTLS
2304 releases did return "TLS 1.0"; play it safe, just in case. */
2306 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
2307 tlsp->ver = string_copyn(state->ciphersuite,
2308 Ustrchr(state->ciphersuite, ':') - state->ciphersuite);
2311 /* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
2313 tlsp->cipher = state->ciphersuite;
2314 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
2316 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
2318 store_pool = old_pool;
2321 cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
2323 if (!cert_list || cert_list_size == 0)
2325 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
2326 cert_list, cert_list_size);
2327 if (state->verify_requirement >= VERIFY_REQUIRED)
2328 return tls_error(US"certificate verification failed",
2329 US"no certificate received from peer", state->host, errstr);
2333 if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
2335 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
2337 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
2338 if (state->verify_requirement >= VERIFY_REQUIRED)
2339 return tls_error(US"certificate verification not possible, unhandled type",
2340 ctn, state->host, errstr);
2344 #define exim_gnutls_peer_err(Label) \
2346 if (rc != GNUTLS_E_SUCCESS) \
2348 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
2349 (Label), gnutls_strerror(rc)); \
2350 if (state->verify_requirement >= VERIFY_REQUIRED) \
2351 return tls_error_gnu(state, (Label), rc, errstr); \
2356 rc = import_cert(&cert_list[0], &crt);
2357 exim_gnutls_peer_err(US"cert 0");
2359 state->tlsp->peercert = state->peercert = crt;
2362 rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
2363 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
2365 exim_gnutls_peer_err(US"getting size for cert DN failed");
2366 return FAIL; /* should not happen */
2368 dn_buf = store_get_perm(sz, GET_TAINTED);
2369 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
2370 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
2372 state->peerdn = dn_buf;
2375 #undef exim_gnutls_peer_err
2381 /*************************************************
2382 * Verify peer certificate *
2383 *************************************************/
2385 /* Called from both server and client code.
2386 *Should* be using a callback registered with
2387 gnutls_certificate_set_verify_function() to fail the handshake if we dislike
2388 the peer information, but that's too new for some OSes.
2391 state exim_gnutls_state_st *
2392 errstr where to put an error message
2395 FALSE if the session should be rejected
2396 TRUE if the cert is okay or we just don't care
2400 verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
2405 DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
2407 rc = peer_status(state, errstr);
2409 if (state->verify_requirement == VERIFY_NONE)
2412 if (rc != OK || !state->peerdn)
2414 verify = GNUTLS_CERT_INVALID;
2415 *errstr = US"certificate not supplied";
2421 if (state->verify_requirement == VERIFY_DANE && state->host)
2423 /* Using dane_verify_session_crt() would be easy, as it does it all for us
2424 including talking to a DNS resolver. But we want to do that bit ourselves
2425 as the testsuite intercepts and fakes its own DNS environment. */
2430 const gnutls_datum_t * certlist =
2431 gnutls_certificate_get_peers(state->session, &lsize);
2432 int usage = tls_out.tlsa_usage;
2434 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2435 /* Split the TLSA records into two sets, TA and EE selectors. Run the
2436 dane-verification separately so that we know which selector verified;
2437 then we know whether to do name-verification (needed for TA but not EE). */
2439 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
2440 { /* a mixed-usage bundle */
2445 for (nrec = 0; state->dane_data_len[nrec]; ) nrec++;
2448 dd = store_get(nrec * sizeof(uschar *), GET_UNTAINTED);
2449 ddl = store_get(nrec * sizeof(int), GET_UNTAINTED);
2452 if ((rc = dane_state_init(&s, 0)))
2455 for (usage = DANESSL_USAGE_DANE_EE;
2456 usage >= DANESSL_USAGE_DANE_TA; usage--)
2457 { /* take records with this usage */
2458 for (j = i = 0; i < nrec; i++)
2459 if (state->dane_data[i][0] == usage)
2461 dd[j] = state->dane_data[i];
2462 ddl[j++] = state->dane_data_len[i];
2469 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
2472 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
2473 gnutls_certificate_type_get(state->session),
2475 usage == DANESSL_USAGE_DANE_EE
2476 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
2480 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
2482 else if (verify == 0) /* verification passed */
2490 if (rc) goto tlsa_prob;
2495 if ( (rc = dane_state_init(&s, 0))
2496 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
2498 || (rc = dane_verify_crt_raw(s, certlist, lsize,
2499 gnutls_certificate_type_get(state->session),
2501 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2502 usage == (1 << DANESSL_USAGE_DANE_EE)
2503 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
2512 if (verify != 0) /* verification failed */
2515 (void) dane_verification_status_print(verify, &str, 0);
2516 *errstr = US str.data; /* don't bother to free */
2520 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2521 /* If a TA-mode TLSA record was used for verification we must additionally
2522 verify the cert name (but not the CA chain). For EE-mode, skip it. */
2524 if (usage & (1 << DANESSL_USAGE_DANE_EE))
2527 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2530 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2531 /* Assume that the name on the A-record is the one that should be matching
2532 the cert. An alternate view is that the domain part of the email address
2533 is also permissible. */
2535 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2536 CS state->host->name))
2538 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2543 #endif /*SUPPORT_DANE*/
2545 rc = gnutls_certificate_verify_peers2(state->session, &verify);
2548 /* Handle the result of verification. INVALID is set if any others are. */
2550 if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
2552 state->peer_cert_verified = FALSE;
2555 #ifdef GNUTLS_CERT_VFY_STATUS_PRINT
2560 if (gnutls_certificate_verification_status_print(verify,
2561 gnutls_certificate_type_get(state->session), &txt, 0)
2562 == GNUTLS_E_SUCCESS)
2564 debug_printf("%s\n", txt.data);
2565 gnutls_free(txt.data);
2569 *errstr = verify & GNUTLS_CERT_REVOKED
2570 ? US"certificate revoked" : US"certificate invalid";
2574 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
2575 *errstr, state->peerdn ? state->peerdn : US"<unset>");
2577 if (state->verify_requirement >= VERIFY_REQUIRED)
2580 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
2585 /* Client side, check the server's certificate name versus the name on the
2586 A-record for the connection we made. What to do for server side - what name
2587 to use for client? We document that there is no such checking for server
2590 if ( state->exp_tls_verify_cert_hostnames
2591 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2592 CS state->exp_tls_verify_cert_hostnames)
2596 debug_printf("TLS certificate verification failed: cert name mismatch\n");
2597 if (state->verify_requirement >= VERIFY_REQUIRED)
2602 state->peer_cert_verified = TRUE;
2603 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
2604 state->peerdn ? state->peerdn : US"<unset>");
2608 state->tlsp->peerdn = state->peerdn;
2613 *errstr = string_sprintf("TLSA record problem: %s",
2614 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
2618 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
2625 /* ------------------------------------------------------------------------ */
2628 /* Logging function which can be registered with
2629 * gnutls_global_set_log_function()
2630 * gnutls_global_set_log_level() 0..9
2632 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
2634 exim_gnutls_logger_cb(int level, const char *message)
2636 size_t len = strlen(message);
2639 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
2642 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
2643 message[len-1] == '\n' ? "" : "\n");
2648 /* Called after client hello, should handle SNI work.
2649 This will always set tls_sni (state->received_sni) if available,
2650 and may trigger presenting different certificates,
2651 if state->trigger_sni_changes is TRUE.
2653 Should be registered with
2654 gnutls_handshake_set_post_client_hello_function()
2656 "This callback must return 0 on success or a gnutls error code to terminate the
2659 For inability to get SNI information, we return 0.
2660 We only return non-zero if re-setup failed.
2661 Only used for server-side TLS.
2665 exim_sni_handling_cb(gnutls_session_t session)
2667 char sni_name[MAX_HOST_LEN];
2668 size_t data_len = MAX_HOST_LEN;
2669 exim_gnutls_state_st *state = &state_server;
2670 unsigned int sni_type;
2672 uschar * dummy_errstr;
2674 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
2675 if (rc != GNUTLS_E_SUCCESS)
2678 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
2679 debug_printf("TLS: no SNI presented in handshake\n");
2681 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
2682 gnutls_strerror(rc), rc);
2686 if (sni_type != GNUTLS_NAME_DNS)
2688 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
2692 /* We now have a UTF-8 string in sni_name */
2693 old_pool = store_pool;
2694 store_pool = POOL_PERM;
2695 state->received_sni = string_copy_taint(US sni_name, GET_TAINTED);
2696 store_pool = old_pool;
2698 /* We set this one now so that variable expansions below will work */
2699 state->tlsp->sni = state->received_sni;
2701 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
2702 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
2704 if (!state->trigger_sni_changes)
2707 if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
2709 /* If the setup of certs/etc failed before handshake, TLS would not have
2710 been offered. The best we can do now is abort. */
2711 return GNUTLS_E_APPLICATION_ERROR_MIN;
2714 rc = tls_set_remaining_x509(state, &dummy_errstr);
2715 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
2722 #ifndef DISABLE_EVENT
2724 We use this callback to get observability and detail-level control
2725 for an exim TLS connection (either direction), raising a tls:cert event
2726 for each cert in the chain presented by the peer. Any event
2727 can deny verification.
2729 Return 0 for the handshake to continue or non-zero to terminate.
2733 verify_cb(gnutls_session_t session)
2735 const gnutls_datum_t * cert_list;
2736 unsigned int cert_list_size = 0;
2737 gnutls_x509_crt_t crt;
2740 exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2742 if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
2743 while (cert_list_size--)
2745 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
2747 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2748 cert_list_size, gnutls_strerror(rc));
2752 state->tlsp->peercert = crt;
2753 if ((yield = event_raise(state->event_action,
2754 US"tls:cert", string_sprintf("%d", cert_list_size), &errno)))
2756 log_write(0, LOG_MAIN,
2757 "SSL verify denied by event-action: depth=%d: %s",
2758 cert_list_size, yield);
2759 return 1; /* reject */
2761 state->tlsp->peercert = NULL;
2771 ddump(gnutls_datum_t * d)
2773 gstring * g = string_get((d->size+1) * 2);
2774 uschar * s = d->data;
2775 for (unsigned i = d->size; i > 0; i--, s++)
2777 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2778 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2784 post_handshake_debug(exim_gnutls_state_st * state)
2786 #ifdef SUPPORT_GNUTLS_SESS_DESC
2787 debug_printf("%s\n", gnutls_session_get_desc(state->session));
2790 #ifdef SUPPORT_GNUTLS_KEYLOG
2791 # ifdef EXIM_HAVE_TLS1_3
2792 if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
2797 gnutls_datum_t c, s;
2799 /* For TLS1.2 we only want the client random and the master secret */
2800 gnutls_session_get_random(state->session, &c, &s);
2801 gnutls_session_get_master_secret(state->session, &s);
2804 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2807 debug_printf("To get keying info for TLS1.3 is hard:\n"
2808 " Set environment variable SSLKEYLOGFILE to a filename relative to the spool directory,\n"
2809 " and make sure it is writable by the Exim runtime user.\n"
2810 " Add SSLKEYLOGFILE to keep_environment in the exim config.\n"
2811 " Start Exim as root.\n"
2812 " If using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
2813 " (works for TLS1.2 also, and saves cut-paste into file).\n"
2814 " Trying to use add_environment for this will not work\n");
2819 #ifdef EXIM_HAVE_TLS_RESUME
2821 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2822 unsigned incoming, const gnutls_datum_t * msg)
2824 DEBUG(D_tls) debug_printf("newticket cb\n");
2825 tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2830 tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2832 /* Should the server offer session resumption? */
2833 tls_in.resumption = RESUME_SUPPORTED;
2834 if (verify_check_host(&tls_resumption_hosts) == OK)
2837 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2838 an offered resumption is unacceptable. We lose one resumption per ticket
2839 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2840 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2841 least they go out in a single packet. */
2843 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2844 &server_sessticket_key)))
2845 tls_in.resumption |= RESUME_SERVER_TICKET;
2848 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2850 /* Try to tell if we see a ticket request */
2851 gnutls_handshake_set_hook_function(state->session,
2852 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
2857 tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2859 if (gnutls_session_resumption_requested(state->session))
2861 /* This tells us the client sent a full ticket. We use a
2862 callback on session-ticket request, elsewhere, to tell
2863 if a client asked for a ticket. */
2865 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2866 DEBUG(D_tls) debug_printf("client requested resumption\n");
2868 if (gnutls_session_is_resumed(state->session))
2870 tls_in.resumption |= RESUME_USED;
2871 DEBUG(D_tls) debug_printf("Session resumed\n");
2874 #endif /* EXIM_HAVE_TLS_RESUME */
2877 #ifdef EXIM_HAVE_ALPN
2878 /* Expand and convert an Exim list to a gnutls_datum list. False return for fail.
2879 NULL plist return for silent no-ALPN.
2883 tls_alpn_plist(uschar ** tls_alpn, const gnutls_datum_t ** plist, unsigned * plen,
2888 if (!expand_check(*tls_alpn, US"tls_alpn", &exp_alpn, errstr))
2893 DEBUG(D_tls) debug_printf("Setting TLS ALPN forced to fail, not sending\n");
2898 const uschar * list = exp_alpn;
2904 while (string_nextinlist(&list, &sep, NULL, 0)) cnt++;
2906 p = store_get(sizeof(gnutls_datum_t) * cnt, exp_alpn);
2908 for (int i = 0; s = string_nextinlist(&list, &sep, NULL, 0); i++)
2909 { p[i].data = s; p[i].size = Ustrlen(s); }
2910 *plist = (*plen = cnt) ? p : NULL;
2916 tls_server_set_acceptable_alpns(exim_gnutls_state_st * state, uschar ** errstr)
2918 uschar * local_alpn = string_copy(tls_alpn);
2920 const gnutls_datum_t * plist;
2923 if (tls_alpn_plist(&local_alpn, &plist, &plen, errstr) && plist)
2925 /* This seems to be only mandatory if the client sends an ALPN extension;
2926 not trying ALPN is ok. Need to decide how to support server-side must-alpn. */
2928 server_seen_alpn = 0;
2929 if (!(rc = gnutls_alpn_set_protocols(state->session, plist, plen,
2930 GNUTLS_ALPN_MANDATORY)))
2931 gnutls_handshake_set_hook_function(state->session,
2932 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
2935 debug_printf("setting alpn protocols: %s\n", US gnutls_strerror(rc));
2938 #endif /* EXIM_HAVE_ALPN */
2940 /* ------------------------------------------------------------------------ */
2941 /* Exported functions */
2946 /*************************************************
2947 * Start a TLS session in a server *
2948 *************************************************/
2950 /* This is called when Exim is running as a server, after having received
2951 the STARTTLS command. It must respond to that command, and then negotiate
2955 errstr pointer to error string
2957 Returns: OK on success
2958 DEFER for errors before the start of the negotiation
2959 FAIL for errors during the negotiation; the server can't
2964 tls_server_start(uschar ** errstr)
2967 exim_gnutls_state_st * state = NULL;
2969 /* Check for previous activation */
2970 if (tls_in.active.sock >= 0)
2972 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
2973 smtp_printf("554 Already in TLS\r\n", FALSE);
2977 /* Initialize the library. If it fails, it will already have logged the error
2978 and sent an SMTP response. */
2980 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
2983 #ifdef MEASURE_TIMING
2985 gettimeofday(&t0, NULL);
2988 if ((rc = tls_init(NULL, NULL,
2989 tls_require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
2991 #ifdef MEASURE_TIMING
2992 report_time_since(&t0, US"server tls_init (delta)");
2996 #ifdef EXIM_HAVE_ALPN
2997 tls_server_set_acceptable_alpns(state, errstr);
3000 #ifdef EXIM_HAVE_TLS_RESUME
3001 tls_server_resume_prehandshake(state);
3004 /* If this is a host for which certificate verification is mandatory or
3005 optional, set up appropriately. */
3007 if (verify_check_host(&tls_verify_hosts) == OK)
3010 debug_printf("TLS: a client certificate will be required\n");
3011 state->verify_requirement = VERIFY_REQUIRED;
3012 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
3014 else if (verify_check_host(&tls_try_verify_hosts) == OK)
3017 debug_printf("TLS: a client certificate will be requested but not required\n");
3018 state->verify_requirement = VERIFY_OPTIONAL;
3019 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
3024 debug_printf("TLS: a client certificate will not be requested\n");
3025 state->verify_requirement = VERIFY_NONE;
3026 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
3029 #ifndef DISABLE_EVENT
3032 state->event_action = event_action;
3033 gnutls_session_set_ptr(state->session, state);
3034 gnutls_certificate_set_verify_function(state->lib_state.x509_cred, verify_cb);
3038 /* Register SNI handling; always, even if not in tls_certificate, so that the
3039 expansion variable $tls_sni is always available. */
3041 gnutls_handshake_set_post_client_hello_function(state->session,
3042 exim_sni_handling_cb);
3044 /* Set context and tell client to go ahead, except in the case of TLS startup
3045 on connection, where outputting anything now upsets the clients and tends to
3046 make them disconnect. We need to have an explicit fflush() here, to force out
3047 the response. Other smtp_printf() calls do not need it, because in non-TLS
3048 mode, the fflush() happens when smtp_getc() is called. */
3050 if (!state->tlsp->on_connect)
3052 smtp_printf("220 TLS go ahead\r\n", FALSE);
3056 /* Now negotiate the TLS session. We put our own timer on it, since it seems
3057 that the GnuTLS library doesn't.
3058 From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
3059 to set (and clear down afterwards) up a pull-timeout callback function that does
3060 a select, so we're no better off unless avoiding signals becomes an issue. */
3062 gnutls_transport_set_ptr2(state->session,
3063 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
3064 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
3065 state->fd_in = fileno(smtp_in);
3066 state->fd_out = fileno(smtp_out);
3068 sigalrm_seen = FALSE;
3069 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3071 rc = gnutls_handshake(state->session);
3072 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
3075 if (rc != GNUTLS_E_SUCCESS)
3077 DEBUG(D_tls) debug_printf(" error %d from gnutls_handshake: %s\n",
3078 rc, gnutls_strerror(rc));
3080 /* It seems that, except in the case of a timeout, we have to close the
3081 connection right here; otherwise if the other end is running OpenSSL it hangs
3082 until the server times out. */
3086 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
3087 #ifndef DISABLE_EVENT
3088 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3090 gnutls_db_remove_session(state->session);
3094 tls_error_gnu(state, US"gnutls_handshake", rc, errstr);
3095 #ifndef DISABLE_EVENT
3096 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3098 (void) gnutls_alert_send_appropriate(state->session, rc);
3099 gnutls_deinit(state->session);
3101 shutdown(state->fd_out, SHUT_WR);
3102 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
3103 (void)fclose(smtp_out);
3104 (void)fclose(smtp_in);
3105 smtp_out = smtp_in = NULL;
3111 #ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
3112 if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
3113 tls_in.ext_master_secret = TRUE;
3116 #ifdef EXIM_HAVE_TLS_RESUME
3117 tls_server_resume_posthandshake(state);
3120 DEBUG(D_tls) post_handshake_debug(state);
3122 #ifdef EXIM_HAVE_ALPN
3123 if (server_seen_alpn > 0)
3126 { /* The client offered ALPN. See what was negotiated. */
3127 gnutls_datum_t p = {.size = 0};
3128 int rc = gnutls_alpn_get_selected_protocol(state->session, &p);
3130 debug_printf("ALPN negotiated: %.*s\n", (int)p.size, p.data);
3132 debug_printf("getting alpn protocol: %s\n", US gnutls_strerror(rc));
3136 else if (server_seen_alpn == 0)
3137 if (verify_check_host(&hosts_require_alpn) == OK)
3139 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_NO_APPLICATION_PROTOCOL);
3140 tls_error(US"handshake", US"ALPN required but not negotiated", NULL, errstr);
3144 DEBUG(D_tls) debug_printf("TLS: no ALPN presented in handshake\n");
3146 DEBUG(D_tls) debug_printf("TLS: was not watching for ALPN\n");
3149 /* Verify after the fact */
3151 if (!verify_certificate(state, errstr))
3153 if (state->verify_requirement != VERIFY_OPTIONAL)
3155 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
3159 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
3163 /* Sets various Exim expansion variables; always safe within server */
3165 extract_exim_vars_from_tls_state(state);
3167 /* TLS has been set up. Adjust the input functions to read via TLS,
3168 and initialize appropriately. */
3170 state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
3172 receive_getc = tls_getc;
3173 receive_getbuf = tls_getbuf;
3174 receive_get_cache = tls_get_cache;
3175 receive_hasc = tls_hasc;
3176 receive_ungetc = tls_ungetc;
3177 receive_feof = tls_feof;
3178 receive_ferror = tls_ferror;
3187 tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
3188 smtp_transport_options_block * ob)
3190 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
3192 state->exp_tls_verify_cert_hostnames =
3194 string_domain_utf8_to_alabel(host->certname, NULL);
3199 debug_printf("TLS: server cert verification includes hostname: \"%s\"\n",
3200 state->exp_tls_verify_cert_hostnames);
3208 /* Given our list of RRs from the TLSA lookup, build a lookup block in
3209 GnuTLS-DANE's preferred format. Hang it on the state str for later
3210 use in DANE verification.
3212 We point at the dnsa data not copy it, so it must remain valid until
3213 after verification is done.*/
3216 dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
3220 const char ** dane_data;
3221 int * dane_data_len;
3224 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
3225 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
3226 ) if (rr->type == T_TLSA) i++;
3228 dane_data = store_get(i * sizeof(uschar *), GET_UNTAINTED);
3229 dane_data_len = store_get(i * sizeof(int), GET_UNTAINTED);
3232 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
3233 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
3234 ) if (rr->type == T_TLSA && rr->size > 3)
3236 const uschar * p = rr->data;
3237 /*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
3238 uint8_t usage = p[0], sel = p[1], type = p[2];
3241 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
3243 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
3244 || (sel != 0 && sel != 1)
3249 case 0: /* Full: cannot check at present */
3251 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
3253 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
3258 tls_out.tlsa_usage |= 1<<usage;
3259 dane_data[i] = CS p;
3260 dane_data_len[i++] = rr->size;
3263 if (!i) return FALSE;
3265 dane_data[i] = NULL;
3266 dane_data_len[i] = 0;
3268 state->dane_data = (char * const *)dane_data;
3269 state->dane_data_len = dane_data_len;
3276 #ifdef EXIM_HAVE_TLS_RESUME
3277 /* On the client, get any stashed session for the given IP from hints db
3278 and apply it to the ssl-connection for attempted resumption. Although
3279 there is a gnutls_session_ticket_enable_client() interface it is
3280 documented as unnecessary (as of 3.6.7) as "session tickets are emabled
3281 by deafult". There seems to be no way to disable them, so even hosts not
3282 enabled by the transport option will be sent a ticket request. We will
3283 however avoid storing and retrieving session information. */
3286 tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
3287 smtp_connect_args * conn_args, smtp_transport_options_block * ob)
3289 tlsp->resumption = RESUME_SUPPORTED;
3291 if (!conn_args->have_lbserver)
3292 { DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
3293 else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, conn_args->host) == OK)
3295 dbdata_tls_session * dt;
3297 open_db dbblock, * dbm_file;
3299 tlsp->host_resumable = TRUE;
3300 tls_client_resmption_key(tlsp, conn_args, ob);
3302 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
3303 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
3305 /* We'd like to filter the retrieved session for ticket advisory expiry,
3306 but 3.6.1 seems to give no access to that */
3308 if ((dt = dbfn_read_with_length(dbm_file, tlsp->resume_index, &len)))
3309 if (!(rc = gnutls_session_set_data(session,
3310 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
3312 DEBUG(D_tls) debug_printf("good session\n");
3313 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
3315 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
3316 US gnutls_strerror(rc));
3317 dbfn_close(dbm_file);
3324 tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
3326 /* TLS 1.2 - we get both the callback and the direct posthandshake call,
3327 but this flag is not set until the second. TLS 1.3 it's the other way about.
3328 Keep both calls as the session data cannot be extracted before handshake
3331 if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
3336 DEBUG(D_tls) debug_printf("server offered session ticket\n");
3337 tlsp->ticket_received = TRUE;
3338 tlsp->resumption |= RESUME_SERVER_TICKET;
3340 if (tlsp->host_resumable)
3341 if (!(rc = gnutls_session_get_data2(session, &tkt)))
3343 open_db dbblock, * dbm_file;
3344 int dlen = sizeof(dbdata_tls_session) + tkt.size;
3345 dbdata_tls_session * dt = store_get(dlen, GET_TAINTED);
3347 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
3348 memcpy(dt->session, tkt.data, tkt.size);
3349 gnutls_free(tkt.data);
3351 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3353 /* key for the db is the IP */
3354 dbfn_write(dbm_file, tlsp->resume_index, dt, dlen);
3355 dbfn_close(dbm_file);
3358 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
3362 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
3367 /* With a TLS1.3 session, the ticket(s) are not seen until
3368 the first data read is attempted. And there's often two of them.
3369 Pick them up with this callback. We are also called for 1.2
3373 tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
3374 unsigned incoming, const gnutls_datum_t * msg)
3376 exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
3377 tls_support * tlsp = state->tlsp;
3379 DEBUG(D_tls) debug_printf("newticket cb\n");
3381 if (!tlsp->ticket_received)
3382 tls_save_session(tlsp, sess, state->host);
3388 tls_client_resume_prehandshake(exim_gnutls_state_st * state,
3389 tls_support * tlsp, smtp_connect_args * conn_args,
3390 smtp_transport_options_block * ob)
3392 gnutls_session_set_ptr(state->session, state);
3393 gnutls_handshake_set_hook_function(state->session,
3394 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
3396 tls_retrieve_session(tlsp, state->session, conn_args, ob);
3400 tls_client_resume_posthandshake(exim_gnutls_state_st * state,
3401 tls_support * tlsp, host_item * host)
3403 if (gnutls_session_is_resumed(state->session))
3405 DEBUG(D_tls) debug_printf("Session resumed\n");
3406 tlsp->resumption |= RESUME_USED;
3409 tls_save_session(tlsp, state->session, host);
3411 #endif /* !DISABLE_TLS_RESUME */
3414 /*************************************************
3415 * Start a TLS session in a client *
3416 *************************************************/
3418 /* Called from the smtp transport after STARTTLS has been accepted.
3421 cctx connection context
3422 conn_args connection details
3423 cookie datum for randomness (not used)
3424 tlsp record details of channel configuration here; must be non-NULL
3425 errstr error string pointer
3427 Returns: TRUE for success with TLS session context set in smtp context,
3432 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
3433 void * cookie ARG_UNUSED,
3434 tls_support * tlsp, uschar ** errstr)
3436 host_item * host = conn_args->host; /* for msgs and option-tests */
3437 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
3438 smtp_transport_options_block * ob = tb
3439 ? (smtp_transport_options_block *)tb->options_block
3440 : &smtp_transport_option_defaults;
3442 exim_gnutls_state_st * state = NULL;
3443 uschar * cipher_list = NULL;
3445 #ifndef DISABLE_OCSP
3447 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
3448 BOOL request_ocsp = require_ocsp ? TRUE
3449 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
3452 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
3455 /* If dane is flagged, have either request or require dane for this host, and
3456 a TLSA record found. Therefore, dane verify required. Which implies cert must
3457 be requested and supplied, dane verify must pass, and cert verify irrelevant
3458 (incl. hostnames), and (caller handled) require_tls and sni=$domain */
3460 if (conn_args->dane && ob->dane_require_tls_ciphers)
3462 /* not using Expand_check_tlsvar because not yet in state */
3463 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
3464 &cipher_list, errstr))
3466 cipher_list = cipher_list && *cipher_list
3467 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
3472 cipher_list = ob->tls_require_ciphers;
3475 #ifdef MEASURE_TIMING
3477 gettimeofday(&t0, NULL);
3480 if (tls_init(host, ob, cipher_list, &state, tlsp, errstr) != OK)
3483 #ifdef MEASURE_TIMING
3484 report_time_since(&t0, US"client tls_init (delta)");
3489 #ifdef EXIM_HAVE_ALPN
3491 const gnutls_datum_t * plist;
3494 if (!tls_alpn_plist(&ob->tls_alpn, &plist, &plen, errstr))
3497 if (gnutls_alpn_set_protocols(state->session, plist, plen, 0) != 0)
3499 tls_error(US"alpn init", NULL, state->host, errstr);
3503 DEBUG(D_tls) debug_printf("Setting TLS ALPN '%s'\n", ob->tls_alpn);
3506 log_write(0, LOG_MAIN, "ALPN unusable with this GnuTLS library version; ignoring \"%s\"\n",
3511 int dh_min_bits = ob->tls_dh_min_bits;
3512 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
3515 debug_printf("WARNING: tls_dh_min_bits far too low,"
3516 " clamping %d up to %d\n",
3517 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
3518 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
3521 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
3522 " acceptable bits to %d\n",
3524 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
3527 /* Stick to the old behaviour for compatibility if tls_verify_certificates is
3528 set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
3529 the specified host patterns if one of them is defined */
3532 if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
3535 debug_printf("TLS: server certificate DANE required\n");
3536 state->verify_requirement = VERIFY_DANE;
3537 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
3541 if ( ( state->exp_tls_verify_certificates
3542 && !ob->tls_verify_hosts
3543 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
3545 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
3548 tls_client_setup_hostname_checks(host, state, ob);
3550 debug_printf("TLS: server certificate verification required\n");
3551 state->verify_requirement = VERIFY_REQUIRED;
3552 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
3554 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
3556 tls_client_setup_hostname_checks(host, state, ob);
3558 debug_printf("TLS: server certificate verification optional\n");
3559 state->verify_requirement = VERIFY_OPTIONAL;
3560 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
3565 debug_printf("TLS: server certificate verification not required\n");
3566 state->verify_requirement = VERIFY_NONE;
3567 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
3570 #ifndef DISABLE_OCSP
3571 /* supported since GnuTLS 3.1.3 */
3574 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
3575 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
3576 NULL, 0, NULL)) != OK)
3578 tls_error_gnu(state, US"cert-status-req", rc, errstr);
3581 tlsp->ocsp = OCSP_NOT_RESP;
3585 #ifdef EXIM_HAVE_TLS_RESUME
3586 tls_client_resume_prehandshake(state, tlsp, conn_args, ob);
3589 #ifndef DISABLE_EVENT
3590 if (tb && tb->event_action)
3592 state->event_action = tb->event_action;
3593 gnutls_session_set_ptr(state->session, state);
3594 gnutls_certificate_set_verify_function(state->lib_state.x509_cred, verify_cb);
3598 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
3599 state->fd_in = cctx->sock;
3600 state->fd_out = cctx->sock;
3602 DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
3603 /* There doesn't seem to be a built-in timeout on connection. */
3605 sigalrm_seen = FALSE;
3606 ALARM(ob->command_timeout);
3608 rc = gnutls_handshake(state->session);
3609 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
3612 if (rc != GNUTLS_E_SUCCESS)
3616 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
3617 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
3620 tls_error_gnu(state, US"gnutls_handshake", rc, errstr);
3624 DEBUG(D_tls) post_handshake_debug(state);
3628 if (!verify_certificate(state, errstr))
3630 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
3634 #ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
3635 if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
3636 tlsp->ext_master_secret = TRUE;
3639 #ifndef DISABLE_OCSP
3644 gnutls_datum_t stapling;
3645 gnutls_ocsp_resp_t resp;
3646 gnutls_datum_t printed;
3650 # ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
3651 (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
3653 (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
3656 if ( (rc= gnutls_ocsp_resp_init(&resp)) == 0
3657 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
3658 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
3661 debug_printf("%.4096s", printed.data);
3662 gnutls_free(printed.data);
3665 (void) tls_error_gnu(state, US"ocsp decode", rc, errstr);
3667 (void) tls_error_gnu(state, US"ocsp decode", rc, errstr);
3670 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
3672 tlsp->ocsp = OCSP_FAILED;
3673 tls_error(US"certificate status check failed", NULL, state->host, errstr);
3679 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
3680 tlsp->ocsp = OCSP_VFIED;
3685 #ifdef EXIM_HAVE_TLS_RESUME
3686 tls_client_resume_posthandshake(state, tlsp, host);
3689 #ifdef EXIM_HAVE_ALPN
3690 if (ob->tls_alpn) /* We requested. See what was negotiated. */
3692 gnutls_datum_t p = {.size = 0};
3694 if (gnutls_alpn_get_selected_protocol(state->session, &p) == 0)
3695 { DEBUG(D_tls) debug_printf("ALPN negotiated: '%.*s'\n", (int)p.size, p.data); }
3696 else if (verify_check_given_host(CUSS &ob->hosts_require_alpn, host) == OK)
3698 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_NO_APPLICATION_PROTOCOL);
3699 tls_error(US"handshake", US"ALPN required but not negotiated", state->host, errstr);
3703 DEBUG(D_tls) debug_printf("No ALPN negotiated");
3707 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
3709 extract_exim_vars_from_tls_state(state);
3711 cctx->tls_ctx = state;
3720 ct_ctx client TLS context pointer, or NULL for the one global server context
3724 tls_shutdown_wr(void * ct_ctx)
3726 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3727 tls_support * tlsp = state->tlsp;
3729 if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
3731 tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
3733 HDEBUG(D_transport|D_tls|D_acl|D_v) debug_printf_indent(" SMTP(TLS shutdown)>>\n");
3734 gnutls_bye(state->session, GNUTLS_SHUT_WR);
3737 /*************************************************
3738 * Close down a TLS session *
3739 *************************************************/
3741 /* This is also called from within a delivery subprocess forked from the
3742 daemon, to shut down the TLS library, without actually doing a shutdown (which
3743 would tamper with the TLS session in the parent process).
3746 ct_ctx client context pointer, or NULL for the one global server context
3747 do_shutdown 0 no data-flush or TLS close-alert
3748 1 if TLS close-alert is to be sent,
3749 2 if also response to be waited for (2s timeout)
3755 tls_close(void * ct_ctx, int do_shutdown)
3757 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3758 tls_support * tlsp = state->tlsp;
3760 if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
3764 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3765 do_shutdown > TLS_SHUTDOWN_NOWAIT ? " (with response-wait)" : "");
3767 tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
3769 #ifdef EXIM_TCP_CORK
3770 if (do_shutdown == TLS_SHUTDOWN_WAIT)
3771 (void) setsockopt(tlsp->active.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &off, sizeof(off));
3774 /* The library seems to have no way to only wait for a peer's
3775 shutdown, so handle the same as TLS_SHUTDOWN_WAIT */
3778 gnutls_bye(state->session,
3779 do_shutdown > TLS_SHUTDOWN_NOWAIT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
3783 if (!ct_ctx) /* server */
3785 receive_getc = smtp_getc;
3786 receive_getbuf = smtp_getbuf;
3787 receive_get_cache = smtp_get_cache;
3788 receive_hasc = smtp_hasc;
3789 receive_ungetc = smtp_ungetc;
3790 receive_feof = smtp_feof;
3791 receive_ferror = smtp_ferror;
3794 gnutls_deinit(state->session);
3795 tlsp->active.sock = -1;
3796 tlsp->active.tls_ctx = NULL;
3797 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
3798 tlsp->channelbinding = NULL;
3801 if (state->xfer_buffer) store_free(state->xfer_buffer);
3808 tls_refill(unsigned lim)
3810 exim_gnutls_state_st * state = &state_server;
3813 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, buffersize=%u)\n",
3814 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
3816 sigalrm_seen = FALSE;
3817 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3821 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
3822 MIN(ssl_xfer_buffer_size, lim));
3823 while (inbytes == GNUTLS_E_AGAIN);
3825 if (smtp_receive_timeout > 0) ALARM_CLR(0);
3827 if (had_command_timeout) /* set by signal handler */
3828 smtp_command_timeout_exit(); /* does not return */
3829 if (had_command_sigterm)
3830 smtp_command_sigterm_exit();
3831 if (had_data_timeout)
3832 smtp_data_timeout_exit();
3833 if (had_data_sigint)
3834 smtp_data_sigint_exit();
3836 /* Timeouts do not get this far. A zero-byte return appears to mean that the
3837 TLS session has been closed down, not that the socket itself has been closed
3838 down. Revert to non-TLS handling. */
3842 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
3843 state->xfer_error = TRUE;
3847 else if (inbytes == 0)
3849 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3850 tls_close(NULL, TLS_NO_SHUTDOWN);
3854 /* Handle genuine errors */
3856 else if (inbytes < 0)
3858 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
3859 record_io_error(state, (int) inbytes, US"recv", NULL);
3860 state->xfer_error = TRUE;
3863 #ifndef DISABLE_DKIM
3864 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
3866 state->xfer_buffer_hwm = (int) inbytes;
3867 state->xfer_buffer_lwm = 0;
3871 /*************************************************
3872 * TLS version of getc *
3873 *************************************************/
3875 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
3876 it refills the buffer via the GnuTLS reading function.
3877 Only used by the server-side TLS.
3879 This feeds DKIM and should be used for all message-body reads.
3881 Arguments: lim Maximum amount to read/buffer
3882 Returns: the next character or EOF
3886 tls_getc(unsigned lim)
3888 exim_gnutls_state_st * state = &state_server;
3890 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3891 if (!tls_refill(lim))
3892 return state->xfer_error ? EOF : smtp_getc(lim);
3894 /* Something in the buffer; return next uschar */
3896 return state->xfer_buffer[state->xfer_buffer_lwm++];
3902 exim_gnutls_state_st * state = &state_server;
3903 return state->xfer_buffer_lwm < state->xfer_buffer_hwm;
3907 tls_getbuf(unsigned * len)
3909 exim_gnutls_state_st * state = &state_server;
3913 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3914 if (!tls_refill(*len))
3916 if (!state->xfer_error) return smtp_getbuf(len);
3921 if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
3923 buf = &state->xfer_buffer[state->xfer_buffer_lwm];
3924 state->xfer_buffer_lwm += size;
3930 /* Get up to the given number of bytes from any cached data, and feed to dkim. */
3932 tls_get_cache(unsigned lim)
3934 #ifndef DISABLE_DKIM
3935 exim_gnutls_state_st * state = &state_server;
3936 int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3940 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
3946 tls_could_getc(void)
3948 return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3949 || gnutls_record_check_pending(state_server.session) > 0;
3953 /*************************************************
3954 * Read bytes from TLS channel *
3955 *************************************************/
3957 /* This does not feed DKIM, so if the caller uses this for reading message body,
3958 then the caller must feed DKIM.
3961 ct_ctx client context pointer, or NULL for the one global server context
3965 Returns: the number of bytes read
3966 -1 after a failed read, including EOF
3970 tls_read(void * ct_ctx, uschar *buff, size_t len)
3972 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3978 if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3980 debug_printf("*** PROBABLY A BUG *** " \
3981 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3982 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3985 debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, len=" SIZE_T_FMT ")\n",
3986 state->session, buff, len);
3990 inbytes = gnutls_record_recv(state->session, buff, len);
3991 while (inbytes == GNUTLS_E_AGAIN);
3993 if (inbytes > 0) return inbytes;
3996 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
4000 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
4001 record_io_error(state, (int)inbytes, US"recv", NULL);
4010 /*************************************************
4011 * Write bytes down TLS channel *
4012 *************************************************/
4016 ct_ctx client context pointer, or NULL for the one global server context
4019 more more data expected soon
4021 Calling with len zero and more unset will flush buffered writes. The buff
4022 argument can be null for that case.
4024 Returns: the number of bytes after a successful write,
4025 -1 after a failed write
4029 tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
4033 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
4036 if (more && !state->corked)
4038 DEBUG(D_tls) debug_printf("gnutls_record_cork(session=%p)\n", state->session);
4039 gnutls_record_cork(state->session);
4040 state->corked = TRUE;
4044 DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
4045 buff, left, more ? ", more" : "");
4049 DEBUG(D_tls) debug_printf("gnutls_record_send(session=%p, buffer=%p, left=" SIZE_T_FMT ")\n",
4050 state->session, buff, left);
4054 outbytes = gnutls_record_send(state->session, buff, left);
4055 while (outbytes == GNUTLS_E_AGAIN);
4057 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
4061 #ifdef GNUTLS_E_PREMATURE_TERMINATION
4062 if ( outbytes == GNUTLS_E_PREMATURE_TERMINATION && errno == ECONNRESET
4063 && !ct_ctx && f.smtp_in_quit
4065 { /* Outlook, dammit */
4066 if (LOGGING(protocol_detail))
4067 log_write(0, LOG_MAIN, "[%s] after QUIT, client reset TCP before"
4068 " SMTP response and TLS close\n", sender_host_address);
4070 DEBUG(D_tls) debug_printf("[%s] SSL_write: after QUIT,"
4071 " client reset TCP before TLS close\n", sender_host_address);
4076 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
4077 record_io_error(state, outbytes, US"send", NULL);
4083 record_io_error(state, 0, US"send", US"TLS channel closed on write");
4094 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
4100 if (!more && state->corked)
4102 DEBUG(D_tls) debug_printf("gnutls_record_uncork(session=%p)\n", state->session);
4104 /* We can't use GNUTLS_RECORD_WAIT here, as it retries on
4105 GNUTLS_E_AGAIN || GNUTLS_E_INTR, which would break our timeout set by alarm().
4106 The GNUTLS_E_AGAIN should not happen ever, as our sockets are blocking anyway.
4107 But who knows. (That all relies on the fact that GNUTLS_E_INTR and GNUTLS_E_AGAIN
4108 match the EINTR and EAGAIN errno values.) */
4109 outbytes = gnutls_record_uncork(state->session, 0);
4110 while (outbytes == GNUTLS_E_AGAIN);
4114 record_io_error(state, len, US"uncork", NULL);
4118 state->corked = FALSE;
4128 /*************************************************
4129 * Random number generation *
4130 *************************************************/
4132 /* Pseudo-random number generation. The result is not expected to be
4133 cryptographically strong but not so weak that someone will shoot themselves
4134 in the foot using it as a nonce in input in some email header scheme or
4135 whatever weirdness they'll twist this into. The result should handle fork()
4136 and avoid repeating sequences. OpenSSL handles that for us.
4140 Returns a random number in range [0, max-1]
4143 #ifdef HAVE_GNUTLS_RND
4145 vaguely_random_number(int max)
4149 uschar smallbuf[sizeof(r)];
4154 needed_len = sizeof(r);
4155 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
4156 asked for a number less than 10. */
4158 for (r = max, i = 0; r; ++i)
4164 i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
4167 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback\n");
4168 return vaguely_random_number_fallback(max);
4171 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
4174 /* We don't particularly care about weighted results; if someone wants
4175 * smooth distribution and cares enough then they should submit a patch then. */
4178 #else /* HAVE_GNUTLS_RND */
4180 vaguely_random_number(int max)
4182 return vaguely_random_number_fallback(max);
4184 #endif /* HAVE_GNUTLS_RND */
4189 /*************************************************
4190 * Let tls_require_ciphers be checked at startup *
4191 *************************************************/
4193 /* The tls_require_ciphers option, if set, must be something which the
4196 Returns: NULL on success, or error message
4200 tls_validate_require_cipher(void)
4203 uschar *expciphers = NULL;
4204 gnutls_priority_t priority_cache;
4206 uschar * dummy_errstr;
4208 #ifdef GNUTLS_AUTO_GLOBAL_INIT
4209 # define validate_check_rc(Label) do { \
4210 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) \
4211 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
4212 # define return_deinit(Label) do { return (Label); } while (0)
4214 # define validate_check_rc(Label) do { \
4215 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
4216 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
4217 # define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
4220 if (exim_gnutls_base_init_done)
4221 log_write(0, LOG_MAIN|LOG_PANIC,
4222 "already initialised GnuTLS, Exim developer bug");
4224 #if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
4225 if (!gnutls_allow_auto_pkcs11)
4227 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
4228 validate_check_rc(US"gnutls_pkcs11_init");
4231 #ifndef GNUTLS_AUTO_GLOBAL_INIT
4232 rc = gnutls_global_init();
4233 validate_check_rc(US"gnutls_global_init()");
4235 exim_gnutls_base_init_done = TRUE;
4237 if (!(tls_require_ciphers && *tls_require_ciphers))
4238 return_deinit(NULL);
4240 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
4242 return_deinit(US"failed to expand tls_require_ciphers");
4244 if (!(expciphers && *expciphers))
4245 return_deinit(NULL);
4248 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
4250 rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
4251 validate_check_rc(string_sprintf(
4252 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
4253 expciphers, (long)(errpos - CS expciphers), errpos));
4255 #undef return_deinit
4256 #undef validate_check_rc
4257 #ifndef GNUTLS_AUTO_GLOBAL_INIT
4258 gnutls_global_deinit();
4267 /*************************************************
4268 * Report the library versions. *
4269 *************************************************/
4271 /* See a description in tls-openssl.c for an explanation of why this exists.
4273 Arguments: string to append to
4278 tls_version_report(gstring * g)
4280 return string_fmt_append(g,
4281 "Library version: GnuTLS: Compile: %s\n"
4284 gnutls_check_version(NULL));
4287 #endif /*!MACRO_PREDEF*/
4290 /* End of tls-gnu.c */