1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Copyright (c) Phil Pennock 2012 */
10 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
11 one of the available supported implementations. This file is #included into
12 tls.c when USE_GNUTLS has been set.
14 The code herein is a revamp of GnuTLS integration using the current APIs; the
15 original tls-gnu.c was based on a patch which was contributed by Nikos
16 Mavrogiannopoulos. The revamp is partially a rewrite, partially cut&paste as
19 APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20 which is not widely deployed by OS vendors. Will note issues below, which may
21 assist in updating the code in the future. Another sources of hints is
22 mod_gnutls for Apache (SNI callback registration and handling).
24 Keeping client and server variables more split than before and is currently
25 the norm, in anticipation of TLS in ACL callouts.
27 I wanted to switch to gnutls_certificate_set_verify_function() so that
28 certificate rejection could happen during handshake where it belongs, rather
29 than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30 (6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
32 (I wasn't looking for libraries quite that old, when updating to get rid of
33 compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34 require current GnuTLS, then we'll drop support for the ancient libraries).
37 #include <gnutls/gnutls.h>
38 /* needed for cert checks in verification and DN extraction: */
39 #include <gnutls/x509.h>
40 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41 #include <gnutls/crypto.h>
43 /* needed to disable PKCS11 autoload unless requested */
44 #if GNUTLS_VERSION_NUMBER >= 0x020c00
45 # include <gnutls/pkcs11.h>
46 # define SUPPORT_PARAM_TO_PK_BITS
48 #if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
49 # warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
52 #if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
53 # warning "GnuTLS library version too old; tls:cert event unsupported"
54 # define DISABLE_EVENT
56 #if GNUTLS_VERSION_NUMBER >= 0x030306
57 # define SUPPORT_CA_DIR
59 # undef SUPPORT_CA_DIR
61 #if GNUTLS_VERSION_NUMBER >= 0x030014
62 # define SUPPORT_SYSDEFAULT_CABUNDLE
64 #if GNUTLS_VERSION_NUMBER >= 0x030104
65 # define GNUTLS_CERT_VFY_STATUS_PRINT
67 #if GNUTLS_VERSION_NUMBER >= 0x030109
70 #if GNUTLS_VERSION_NUMBER >= 0x03010a
71 # define SUPPORT_GNUTLS_SESS_DESC
73 #if GNUTLS_VERSION_NUMBER >= 0x030300
74 # define GNUTLS_AUTO_GLOBAL_INIT
75 # define GNUTLS_AUTO_PKCS11_MANUAL
77 #if (GNUTLS_VERSION_NUMBER >= 0x030404) \
78 || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
80 # define EXIM_HAVE_OCSP
83 #if GNUTLS_VERSION_NUMBER >= 0x030500
84 # define SUPPORT_GNUTLS_KEYLOG
86 #if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
87 # define SUPPORT_SRV_OCSP_STACK
89 #if GNUTLS_VERSION_NUMBER >= 0x030600
90 # define GNUTLS_AUTO_DHPARAMS
92 #if GNUTLS_VERSION_NUMBER >= 0x030603
93 # define EXIM_HAVE_TLS1_3
94 # define SUPPORT_GNUTLS_EXT_RAW_PARSE
95 # define GNUTLS_OCSP_STATUS_REQUEST_GET2
99 # if GNUTLS_VERSION_NUMBER >= 0x030000
100 # define DANESSL_USAGE_DANE_TA 2
101 # define DANESSL_USAGE_DANE_EE 3
103 # error GnuTLS version too early for DANE
105 # if GNUTLS_VERSION_NUMBER < 0x999999
106 # define GNUTLS_BROKEN_DANE_VALIDATION
110 #ifdef EXPERIMENTAL_TLS_RESUME
111 # if GNUTLS_VERSION_NUMBER < 0x030603
112 # error GNUTLS version too early for session-resumption
117 # include <gnutls/ocsp.h>
120 # include <gnutls/dane.h>
123 #include "tls-cipher-stdname.c"
130 # ifdef EXPERIMENTAL_TLS_RESUME
131 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
133 # ifdef EXIM_HAVE_TLS1_3
134 builtin_macro_create(US"_HAVE_TLS1_3");
136 # ifdef EXIM_HAVE_OCSP
137 builtin_macro_create(US"_HAVE_TLS_OCSP");
139 # ifdef SUPPORT_SRV_OCSP_STACK
140 builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
149 gnutls_global_set_audit_log_function()
152 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
155 /* Local static variables for GnuTLS */
157 /* Values for verify_requirement */
159 enum peer_verify_requirement
160 { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
162 /* This holds most state for server or client; with this, we can set up an
163 outbound TLS-enabled connection in an ACL callout, while not stomping all
164 over the TLS variables available for expansion.
166 Some of these correspond to variables in globals.c; those variables will
167 be set to point to content in one of these instances, as appropriate for
168 the stage of the process lifetime.
170 Not handled here: global tls_channelbinding_b64.
173 typedef struct exim_gnutls_state {
174 gnutls_session_t session;
175 gnutls_certificate_credentials_t x509_cred;
176 gnutls_priority_t priority_cache;
177 enum peer_verify_requirement verify_requirement;
180 BOOL peer_cert_verified;
181 BOOL peer_dane_verified;
182 BOOL trigger_sni_changes;
183 BOOL have_set_peerdn;
184 const struct host_item *host; /* NULL if server */
185 gnutls_x509_crt_t peercert;
188 uschar *received_sni;
190 const uschar *tls_certificate;
191 const uschar *tls_privatekey;
192 const uschar *tls_sni; /* client send only, not received */
193 const uschar *tls_verify_certificates;
194 const uschar *tls_crl;
195 const uschar *tls_require_ciphers;
197 uschar *exp_tls_certificate;
198 uschar *exp_tls_privatekey;
199 uschar *exp_tls_verify_certificates;
201 uschar *exp_tls_require_ciphers;
202 const uschar *exp_tls_verify_cert_hostnames;
203 #ifndef DISABLE_EVENT
204 uschar *event_action;
207 char * const * dane_data;
208 const int * dane_data_len;
211 tls_support *tlsp; /* set in tls_init() */
216 BOOL xfer_eof; /*XXX never gets set! */
218 } exim_gnutls_state_st;
220 static const exim_gnutls_state_st exim_gnutls_state_init = {
221 /* all elements not explicitly intialised here get 0/NULL/FALSE */
226 /* Not only do we have our own APIs which don't pass around state, assuming
227 it's held in globals, GnuTLS doesn't appear to let us register callback data
228 for callbacks, or as part of the session, so we have to keep a "this is the
229 context we're currently dealing with" pointer and rely upon being
230 single-threaded to keep from processing data on an inbound TLS connection while
231 talking to another TLS connection for an outbound check. This does mean that
232 there's no way for heart-beats to be responded to, for the duration of the
234 XXX But see gnutls_session_get_ptr()
237 static exim_gnutls_state_st state_server;
239 #ifndef GNUTLS_AUTO_DHPARAMS
240 /* dh_params are initialised once within the lifetime of a process using TLS;
241 if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
242 don't want to repeat this. */
244 static gnutls_dh_params_t dh_server_params = NULL;
247 static int ssl_session_timeout = 7200; /* Two hours */
249 static const uschar * const exim_default_gnutls_priority = US"NORMAL";
251 /* Guard library core initialisation */
253 static BOOL exim_gnutls_base_init_done = FALSE;
256 static BOOL gnutls_buggy_ocsp = FALSE;
257 static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
260 #ifdef EXPERIMENTAL_TLS_RESUME
261 static gnutls_datum_t server_sessticket_key;
264 /* ------------------------------------------------------------------------ */
267 #define MAX_HOST_LEN 255
269 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
270 the library logging; a value less than 0 disables the calls to set up logging
271 callbacks. GNuTLS also looks for an environment variable - except not for
272 setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
273 Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
274 but the env var must be added to /etc/sudoers too. */
275 #ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
276 # define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
279 #ifndef EXIM_CLIENT_DH_MIN_BITS
280 # define EXIM_CLIENT_DH_MIN_BITS 1024
283 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
284 can ask for a bit-strength. Without that, we stick to the constant we had
286 #ifndef EXIM_SERVER_DH_BITS_PRE2_12
287 # define EXIM_SERVER_DH_BITS_PRE2_12 1024
290 #define expand_check_tlsvar(Varname, errstr) \
291 expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
293 #if GNUTLS_VERSION_NUMBER >= 0x020c00
294 # define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
295 # define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
296 # define HAVE_GNUTLS_RND
297 /* The security fix we provide with the gnutls_allow_auto_pkcs11 option
298 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
299 * isn't available sometimes, so this needs to become a conditional
300 * compilation; the sanest way to deal with this being a problem on
301 * older OSes is to block it in the Local/Makefile with this compiler
303 # ifndef AVOID_GNUTLS_PKCS11
304 # define HAVE_GNUTLS_PKCS11
305 # endif /* AVOID_GNUTLS_PKCS11 */
311 /* ------------------------------------------------------------------------ */
312 /* Callback declarations */
314 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
315 static void exim_gnutls_logger_cb(int level, const char *message);
318 static int exim_sni_handling_cb(gnutls_session_t session);
320 #ifdef EXPERIMENTAL_TLS_RESUME
322 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
323 unsigned incoming, const gnutls_datum_t * msg);
327 /* Daemon one-time initialisation */
329 tls_daemon_init(void)
331 #ifdef EXPERIMENTAL_TLS_RESUME
332 /* We are dependent on the GnuTLS implementation of the Session Ticket
333 encryption; both the strength and the key rotation period. We hope that
334 the strength at least matches that of the ciphersuite (but GnuTLS does not
337 static BOOL once = FALSE;
340 gnutls_session_ticket_key_generate(&server_sessticket_key); /* >= 2.10.0 */
341 if (f.running_in_test_harness) ssl_session_timeout = 6;
345 /* ------------------------------------------------------------------------ */
346 /* Static functions */
348 /*************************************************
350 *************************************************/
352 /* Called from lots of places when errors occur before actually starting to do
353 the TLS handshake, that is, while the session is still in clear. Always returns
354 DEFER for a server and FAIL for a client so that most calls can use "return
355 tls_error(...)" to do this processing and then give an appropriate return. A
356 single function is used for both server and client, because it is called from
357 some shared functions.
360 prefix text to include in the logged error
361 msg additional error string (may be NULL)
362 usually obtained from gnutls_strerror()
363 host NULL if setting up a server;
364 the connected host if setting up a client
365 errstr pointer to returned error string
367 Returns: OK/DEFER/FAIL
371 tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
375 *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
376 return host ? FAIL : DEFER;
381 tls_error_gnu(const uschar *prefix, int err, const host_item *host,
384 return tls_error(prefix, US gnutls_strerror(err), host, errstr);
388 tls_error_sys(const uschar *prefix, int err, const host_item *host,
391 return tls_error(prefix, US strerror(err), host, errstr);
395 /*************************************************
396 * Deal with logging errors during I/O *
397 *************************************************/
399 /* We have to get the identity of the peer from saved data.
402 state the current GnuTLS exim state container
403 rc the GnuTLS error code, or 0 if it's a local error
404 when text identifying read or write
405 text local error text when rc is 0
411 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
416 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
417 msg = string_sprintf("A TLS fatal alert has been received: %s",
418 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
420 msg = US gnutls_strerror(rc);
422 (void) tls_error(when, msg, state->host, &errstr);
425 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
426 state->host->name, state->host->address, errstr);
429 uschar * conn_info = smtp_get_connection_info();
430 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
431 /* I'd like to get separated H= here, but too hard for now */
432 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
439 /*************************************************
440 * Set various Exim expansion vars *
441 *************************************************/
443 #define exim_gnutls_cert_err(Label) \
446 if (rc != GNUTLS_E_SUCCESS) \
448 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
449 (Label), gnutls_strerror(rc)); \
455 import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
459 rc = gnutls_x509_crt_init(crtp);
460 exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
462 rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
463 exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
468 #undef exim_gnutls_cert_err
471 /* We set various Exim global variables from the state, once a session has
472 been established. With TLS callouts, may need to change this to stack
473 variables, or just re-call it with the server state after client callout
476 Make sure anything set here is unset in tls_getc().
480 tls_bits strength indicator
481 tls_certificate_verified bool indicator
482 tls_channelbinding_b64 for some SASL mechanisms
484 tls_peercert pointer to library internal
486 tls_sni a (UTF-8) string
487 tls_ourcert pointer to library internal
490 state the relevant exim_gnutls_state_st *
494 extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
496 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
499 gnutls_datum_t channel;
501 tls_support * tlsp = state->tlsp;
503 tlsp->active.sock = state->fd_out;
504 tlsp->active.tls_ctx = state;
506 DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
508 tlsp->certificate_verified = state->peer_cert_verified;
510 tlsp->dane_verified = state->peer_dane_verified;
513 /* note that tls_channelbinding_b64 is not saved to the spool file, since it's
514 only available for use for authenticators while this TLS session is running. */
516 tls_channelbinding_b64 = NULL;
517 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
520 if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
521 { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
524 old_pool = store_pool;
525 store_pool = POOL_PERM;
526 tls_channelbinding_b64 = b64encode(CUS channel.data, (int)channel.size);
527 store_pool = old_pool;
528 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
532 /* peercert is set in peer_status() */
533 tlsp->peerdn = state->peerdn;
534 tlsp->sni = state->received_sni;
536 /* record our certificate */
538 const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
539 gnutls_x509_crt_t crt;
541 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
548 #ifndef GNUTLS_AUTO_DHPARAMS
549 /*************************************************
550 * Setup up DH parameters *
551 *************************************************/
553 /* Generating the D-H parameters may take a long time. They only need to
554 be re-generated every so often, depending on security policy. What we do is to
555 keep these parameters in a file in the spool directory. If the file does not
556 exist, we generate them. This means that it is easy to cause a regeneration.
558 The new file is written as a temporary file and renamed, so that an incomplete
559 file is never present. If two processes both compute some new parameters, you
560 waste a bit of effort, but it doesn't seem worth messing around with locking to
563 Returns: OK/DEFER/FAIL
567 init_server_dh(uschar ** errstr)
570 unsigned int dh_bits;
571 gnutls_datum_t m = {.data = NULL, .size = 0};
572 uschar filename_buf[PATH_MAX];
573 uschar *filename = NULL;
575 uschar *exp_tls_dhparam;
576 BOOL use_file_in_spool = FALSE;
577 host_item *host = NULL; /* dummy for macros */
579 DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
581 if ((rc = gnutls_dh_params_init(&dh_server_params)))
582 return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
584 if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
587 if (!exp_tls_dhparam)
589 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
590 m.data = US std_dh_prime_default();
591 m.size = Ustrlen(m.data);
593 else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
594 use_file_in_spool = TRUE;
595 else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
597 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
600 else if (exp_tls_dhparam[0] != '/')
602 if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
603 return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
604 m.size = Ustrlen(m.data);
607 filename = exp_tls_dhparam;
611 if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
612 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
613 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
617 #ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
618 /* If you change this constant, also change dh_param_fn_ext so that we can use a
619 different filename and ensure we have sufficient bits. */
621 if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
622 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
624 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
627 dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
629 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
633 /* Some clients have hard-coded limits. */
634 if (dh_bits > tls_dh_max_bits)
637 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
639 dh_bits = tls_dh_max_bits;
642 if (use_file_in_spool)
644 if (!string_format(filename_buf, sizeof(filename_buf),
645 "%s/gnutls-params-%d", spool_directory, dh_bits))
646 return tls_error(US"overlong filename", NULL, NULL, errstr);
647 filename = filename_buf;
650 /* Open the cache file for reading and if successful, read it and set up the
653 if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
659 if (fstat(fd, &statbuf) < 0) /* EIO */
663 return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
665 if (!S_ISREG(statbuf.st_mode))
668 return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
670 if (!(fp = fdopen(fd, "rb")))
674 return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
675 saved_errno, NULL, errstr);
678 m.size = statbuf.st_size;
679 if (!(m.data = store_malloc(m.size)))
682 return tls_error_sys(US"malloc failed", errno, NULL, errstr);
684 if (!(sz = fread(m.data, m.size, 1, fp)))
689 return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
693 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
696 return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
697 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
700 /* If the file does not exist, fall through to compute new data and cache it.
701 If there was any other opening error, it is serious. */
703 else if (errno == ENOENT)
707 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
710 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
713 /* If ret < 0, either the cache file does not exist, or the data it contains
714 is not useful. One particular case of this is when upgrading from an older
715 release of Exim in which the data was stored in a different format. We don't
716 try to be clever and support both formats; we just regenerate new data in this
722 unsigned int dh_bits_gen = dh_bits;
724 if ((PATH_MAX - Ustrlen(filename)) < 10)
725 return tls_error(US"Filename too long to generate replacement",
726 filename, NULL, errstr);
728 temp_fn = string_copy(US"%s.XXXXXXX");
729 if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
730 return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
731 (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
733 /* GnuTLS overshoots! If we ask for 2236, we might get 2237 or more. But
734 there's no way to ask GnuTLS how many bits there really are. We can ask
735 how many bits were used in a TLS session, but that's it! The prime itself
736 is hidden behind too much abstraction. So we ask for less, and proceed on
737 a wing and a prayer. First attempt, subtracted 3 for 2233 and got 2240. */
739 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
741 dh_bits_gen = dh_bits - 10;
743 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
748 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
750 if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
751 return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
753 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
754 and I confirmed that a NULL call to get the size first is how the GnuTLS
755 sample apps handle this. */
759 if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
760 GNUTLS_X509_FMT_PEM, m.data, &sz))
761 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
762 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
765 if (!(m.data = store_malloc(m.size)))
766 return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
768 /* this will return a size 1 less than the allocation size above */
769 if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
773 return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
775 m.size = sz; /* shrink by 1, probably */
777 if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
780 return tls_error_sys(US"TLS cache write D-H params failed",
781 errno, NULL, errstr);
784 if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
785 return tls_error_sys(US"TLS cache write D-H params final newline failed",
786 errno, NULL, errstr);
788 if ((rc = close(fd)))
789 return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
791 if (Urename(temp_fn, filename) < 0)
792 return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
793 temp_fn, filename), errno, NULL, errstr);
795 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
798 DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
806 /* Create and install a selfsigned certificate, for use in server mode */
809 tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
811 gnutls_x509_crt_t cert = NULL;
813 gnutls_x509_privkey_t pkey = NULL;
814 const uschar * where;
817 where = US"initialising pkey";
818 if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
820 where = US"initialising cert";
821 if ((rc = gnutls_x509_crt_init(&cert))) goto err;
823 where = US"generating pkey";
824 if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
825 #ifdef SUPPORT_PARAM_TO_PK_BITS
826 # ifndef GNUTLS_SEC_PARAM_MEDIUM
827 # define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
829 gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
836 where = US"configuring cert";
838 if ( (rc = gnutls_x509_crt_set_version(cert, 3))
839 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
840 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
841 || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
842 || (rc = gnutls_x509_crt_set_key(cert, pkey))
844 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
845 GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
846 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
847 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
848 || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
849 GNUTLS_OID_X520_COMMON_NAME, 0,
850 smtp_active_hostname, Ustrlen(smtp_active_hostname)))
854 where = US"signing cert";
855 if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
857 where = US"installing selfsign cert";
859 if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
865 if (cert) gnutls_x509_crt_deinit(cert);
866 if (pkey) gnutls_x509_privkey_deinit(pkey);
870 rc = tls_error_gnu(where, rc, NULL, errstr);
877 /* Add certificate and key, from files.
880 Zero or negative: good. Negate value for certificate index if < 0.
881 Greater than zero: FAIL or DEFER code.
885 tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
886 uschar * certfile, uschar * keyfile, uschar ** errstr)
888 int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
889 CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
891 return tls_error_gnu(
892 string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
898 #if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
899 /* Load an OCSP proof from file for sending by the server. Called
900 on getting a status-request handshake message, for earlier versions
904 server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
905 gnutls_datum_t * ocsp_response)
908 DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
910 if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
912 DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
914 tls_in.ocsp = OCSP_NOT_RESP;
915 return GNUTLS_E_NO_CERTIFICATE_STATUS;
918 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
924 #ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
925 /* Make a note that we saw a status-request */
927 tls_server_clienthello_ext(void * ctx, unsigned tls_id,
928 const unsigned char *data, unsigned size)
930 /* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
931 if (tls_id == 5) /* status_request */
933 DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
934 tls_in.ocsp = OCSP_NOT_RESP;
939 /* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
941 tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
942 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
944 /* Call fn for each extension seen. 3.6.3 onwards */
945 return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
946 GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
950 /* Make a note that we saw a status-response */
952 tls_server_servercerts_ext(void * ctx, unsigned tls_id,
953 const unsigned char *data, unsigned size)
955 /* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
956 /* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
957 if (FALSE && tls_id == 5) /* status_request */
959 DEBUG(D_tls) debug_printf("Seen status_request extension\n");
960 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
961 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
966 /* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
968 tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
969 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
971 /* Call fn for each extension seen. 3.6.3 onwards */
974 return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
979 /*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
980 "Handshake Protocol: Certificate" record.
981 So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
983 This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term).
986 #if defined(EXPERIMENTAL_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
987 /* Callback for certificate-status, on server. We sent stapled OCSP. */
989 tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
990 unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
992 DEBUG(D_tls) debug_printf("Sending certificate-status\n"); /*XXX we get this for tls1.2 but not for 1.3 */
993 #ifdef SUPPORT_SRV_OCSP_STACK
994 tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
995 ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
997 tls_in.ocsp = OCSP_VFY_NOT_TRIED;
1002 /* Callback for handshake messages, on server */
1004 tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
1005 unsigned incoming, const gnutls_datum_t * msg)
1007 /* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
1010 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1011 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1012 return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
1013 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1014 return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
1016 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1017 return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
1018 # ifdef EXPERIMENTAL_TLS_RESUME
1019 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1020 return tls_server_ticket_cb(sess, htype, when, incoming, msg);
1029 #if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1031 tls_server_testharness_ocsp_fiddle(void)
1033 extern char ** environ;
1034 if (environ) for (uschar ** p = USS environ; *p; p++)
1035 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1037 DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
1038 exim_testharness_disable_ocsp_validity_check = TRUE;
1043 /*************************************************
1044 * Variables re-expanded post-SNI *
1045 *************************************************/
1047 /* Called from both server and client code, via tls_init(), and also from
1048 the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
1050 We can tell the two apart by state->received_sni being non-NULL in callback.
1052 The callback should not call us unless state->trigger_sni_changes is true,
1053 which we are responsible for setting on the first pass through.
1056 state exim_gnutls_state_st *
1057 errstr error string pointer
1059 Returns: OK/DEFER/FAIL
1063 tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
1065 struct stat statbuf;
1067 const host_item *host = state->host; /* macro should be reconsidered? */
1068 uschar *saved_tls_certificate = NULL;
1069 uschar *saved_tls_privatekey = NULL;
1070 uschar *saved_tls_verify_certificates = NULL;
1071 uschar *saved_tls_crl = NULL;
1074 /* We check for tls_sni *before* expansion. */
1075 if (!host) /* server */
1076 if (!state->received_sni)
1078 if ( state->tls_certificate
1079 && ( Ustrstr(state->tls_certificate, US"tls_sni")
1080 || Ustrstr(state->tls_certificate, US"tls_in_sni")
1081 || Ustrstr(state->tls_certificate, US"tls_out_sni")
1084 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
1085 state->trigger_sni_changes = TRUE;
1090 /* useful for debugging */
1091 saved_tls_certificate = state->exp_tls_certificate;
1092 saved_tls_privatekey = state->exp_tls_privatekey;
1093 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
1094 saved_tls_crl = state->exp_tls_crl;
1097 if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
1098 return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
1101 #ifdef SUPPORT_SRV_OCSP_STACK
1102 gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
1104 # if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
1105 if (!host && tls_ocsp_file)
1107 if (f.running_in_test_harness)
1108 tls_server_testharness_ocsp_fiddle();
1110 if (exim_testharness_disable_ocsp_validity_check)
1111 gnutls_certificate_set_flags(state->x509_cred,
1112 GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
1117 /* remember: expand_check_tlsvar() is expand_check() but fiddling with
1118 state members, assuming consistent naming; and expand_check() returns
1119 false if expansion failed, unless expansion was forced to fail. */
1121 /* check if we at least have a certificate, before doing expensive
1124 if (!expand_check_tlsvar(tls_certificate, errstr))
1127 /* certificate is mandatory in server, optional in client */
1129 if ( !state->exp_tls_certificate
1130 || !*state->exp_tls_certificate
1133 return tls_install_selfsign(state, errstr);
1135 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
1137 if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
1140 /* tls_privatekey is optional, defaulting to same file as certificate */
1142 if (!state->tls_privatekey || !*state->tls_privatekey)
1144 state->tls_privatekey = state->tls_certificate;
1145 state->exp_tls_privatekey = state->exp_tls_certificate;
1149 if (state->exp_tls_certificate && *state->exp_tls_certificate)
1151 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
1152 state->exp_tls_certificate, state->exp_tls_privatekey);
1154 if (state->received_sni)
1155 if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
1156 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
1159 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
1163 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
1166 if (!host) /* server */
1168 const uschar * clist = state->exp_tls_certificate;
1169 const uschar * klist = state->exp_tls_privatekey;
1170 const uschar * olist;
1171 int csep = 0, ksep = 0, osep = 0, cnt = 0;
1172 uschar * cfile, * kfile, * ofile;
1173 #ifndef DISABLE_OCSP
1174 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1175 gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
1178 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
1183 while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
1185 if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
1186 return tls_error(US"cert/key setup: out of keys", NULL, host, errstr);
1187 else if (0 < (rc = tls_add_certfile(state, host, cfile, kfile, errstr)))
1191 int gnutls_cert_index = -rc;
1192 DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
1193 gnutls_cert_index, cfile);
1195 #ifndef DISABLE_OCSP
1198 /* Set the OCSP stapling server info */
1199 if (gnutls_buggy_ocsp)
1202 debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
1204 else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1206 DEBUG(D_tls) debug_printf("OCSP response file %d = %s\n",
1207 gnutls_cert_index, ofile);
1208 # ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
1209 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1211 ocsp_fmt = GNUTLS_X509_FMT_PEM;
1214 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1216 ocsp_fmt = GNUTLS_X509_FMT_DER;
1220 if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
1221 state->x509_cred, CCS ofile, gnutls_cert_index,
1223 return tls_error_gnu(
1224 US"gnutls_certificate_set_ocsp_status_request_file2",
1227 debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
1229 /* Arrange callbacks for OCSP request observability */
1231 gnutls_handshake_set_hook_function(state->session,
1232 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
1235 # if defined(SUPPORT_SRV_OCSP_STACK)
1236 if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
1237 state->x509_cred, gnutls_cert_index,
1238 server_ocsp_stapling_cb, ofile)))
1239 return tls_error_gnu(
1240 US"gnutls_certificate_set_ocsp_status_request_function2",
1248 debug_printf("oops; multiple OCSP files not supported\n");
1251 gnutls_certificate_set_ocsp_status_request_function(
1252 state->x509_cred, server_ocsp_stapling_cb, ofile);
1254 # endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
1257 DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
1259 #endif /* DISABLE_OCSP */
1264 if (0 < (rc = tls_add_certfile(state, host,
1265 state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
1267 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
1270 } /* tls_certificate */
1273 /* Set the trusted CAs file if one is provided, and then add the CRL if one is
1274 provided. Experiment shows that, if the certificate file is empty, an unhelpful
1275 error message is provided. However, if we just refrain from setting anything up
1276 in that case, certificate verification fails, which seems to be the correct
1279 if (state->tls_verify_certificates && *state->tls_verify_certificates)
1281 if (!expand_check_tlsvar(tls_verify_certificates, errstr))
1283 #ifndef SUPPORT_SYSDEFAULT_CABUNDLE
1284 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1285 state->exp_tls_verify_certificates = NULL;
1287 if (state->tls_crl && *state->tls_crl)
1288 if (!expand_check_tlsvar(tls_crl, errstr))
1291 if (!(state->exp_tls_verify_certificates &&
1292 *state->exp_tls_verify_certificates))
1295 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
1296 /* With no tls_verify_certificates, we ignore tls_crl too */
1303 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
1307 #ifdef SUPPORT_SYSDEFAULT_CABUNDLE
1308 if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
1309 cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
1313 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
1315 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
1316 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
1321 #ifndef SUPPORT_CA_DIR
1322 /* The test suite passes in /dev/null; we could check for that path explicitly,
1323 but who knows if someone has some weird FIFO which always dumps some certs, or
1324 other weirdness. The thing we really want to check is that it's not a
1325 directory, since while OpenSSL supports that, GnuTLS does not.
1326 So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
1327 if (S_ISDIR(statbuf.st_mode))
1330 debug_printf("verify certificates path is a dir: \"%s\"\n",
1331 state->exp_tls_verify_certificates);
1332 log_write(0, LOG_MAIN|LOG_PANIC,
1333 "tls_verify_certificates \"%s\" is a directory",
1334 state->exp_tls_verify_certificates);
1339 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
1340 state->exp_tls_verify_certificates, statbuf.st_size);
1342 if (statbuf.st_size == 0)
1345 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
1351 #ifdef SUPPORT_CA_DIR
1352 (statbuf.st_mode & S_IFMT) == S_IFDIR
1354 gnutls_certificate_set_x509_trust_dir(state->x509_cred,
1355 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
1358 gnutls_certificate_set_x509_trust_file(state->x509_cred,
1359 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
1361 #ifdef SUPPORT_CA_DIR
1362 /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
1363 when using the directory-of-certs config model. */
1365 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1366 gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
1371 return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
1373 debug_printf("Added %d certificate authorities.\n", cert_count);
1375 if (state->tls_crl && *state->tls_crl &&
1376 state->exp_tls_crl && *state->exp_tls_crl)
1378 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
1379 if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
1380 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
1381 return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
1382 cert_count, host, errstr);
1384 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
1393 /*************************************************
1394 * Set X.509 state variables *
1395 *************************************************/
1397 /* In GnuTLS, the registered cert/key are not replaced by a later
1398 set of a cert/key, so for SNI support we need a whole new x509_cred
1399 structure. Which means various other non-re-expanded pieces of state
1400 need to be re-set in the new struct, so the setting logic is pulled
1404 state exim_gnutls_state_st *
1405 errstr error string pointer
1407 Returns: OK/DEFER/FAIL
1411 tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
1414 const host_item *host = state->host; /* macro should be reconsidered? */
1416 #ifndef GNUTLS_AUTO_DHPARAMS
1417 /* Create D-H parameters, or read them from the cache file. This function does
1418 its own SMTP error messaging. This only happens for the server, TLS D-H ignores
1419 client-side params. */
1423 if (!dh_server_params)
1424 if ((rc = init_server_dh(errstr)) != OK) return rc;
1426 /* Unnecessary & discouraged with 3.6.0 or later */
1427 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
1431 /* Link the credentials to the session. */
1433 if ((rc = gnutls_credentials_set(state->session,
1434 GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
1435 return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
1440 /*************************************************
1441 * Initialize for GnuTLS *
1442 *************************************************/
1445 #ifndef DISABLE_OCSP
1448 tls_is_buggy_ocsp(void)
1451 uschar maj, mid, mic;
1453 s = CUS gnutls_check_version(NULL);
1457 while (*s && *s != '.') s++;
1458 mid = atoi(CCS ++s);
1465 while (*s && *s != '.') s++;
1466 mic = atoi(CCS ++s);
1467 return mic <= (mid == 3 ? 16 : 3);
1476 /* Called from both server and client code. In the case of a server, errors
1477 before actual TLS negotiation return DEFER.
1480 host connected host, if client; NULL if server
1481 certificate certificate file
1482 privatekey private key file
1483 sni TLS SNI to send, sometimes when client; else NULL
1486 require_ciphers tls_require_ciphers setting
1487 caller_state returned state-info structure
1488 errstr error string pointer
1490 Returns: OK/DEFER/FAIL
1495 const host_item *host,
1496 const uschar *certificate,
1497 const uschar *privatekey,
1501 const uschar *require_ciphers,
1502 exim_gnutls_state_st **caller_state,
1506 exim_gnutls_state_st * state;
1509 const char * errpos;
1512 if (!exim_gnutls_base_init_done)
1514 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
1516 #if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
1517 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
1518 which loads modules from a config file, which sounds good and may be wanted
1519 by some sysadmin, but also means in common configurations that GNOME keyring
1520 environment variables are used and so breaks for users calling mailq.
1521 To prevent this, we init PKCS11 first, which is the documented approach. */
1522 if (!gnutls_allow_auto_pkcs11)
1523 if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
1524 return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
1527 #ifndef GNUTLS_AUTO_GLOBAL_INIT
1528 if ((rc = gnutls_global_init()))
1529 return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
1532 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1535 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1536 /* arbitrarily chosen level; bump up to 9 for more */
1537 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
1541 #ifndef DISABLE_OCSP
1542 if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
1543 log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
1546 exim_gnutls_base_init_done = TRUE;
1551 /* For client-side sessions we allocate a context. This lets us run
1552 several in parallel. */
1553 int old_pool = store_pool;
1554 store_pool = POOL_PERM;
1555 state = store_get(sizeof(exim_gnutls_state_st), FALSE);
1556 store_pool = old_pool;
1558 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1560 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1561 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1565 state = &state_server;
1566 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1568 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1569 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1572 return tls_error_gnu(US"gnutls_init", rc, host, errstr);
1576 state->tls_certificate = certificate;
1577 state->tls_privatekey = privatekey;
1578 state->tls_require_ciphers = require_ciphers;
1579 state->tls_sni = sni;
1580 state->tls_verify_certificates = cas;
1581 state->tls_crl = crl;
1583 /* This handles the variables that might get re-expanded after TLS SNI;
1584 that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
1587 debug_printf("Expanding various TLS configuration options for session credentials.\n");
1588 if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
1590 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1591 requires a new structure afterwards. */
1593 if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
1595 /* set SNI in client, only */
1598 if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))
1600 if (state->tlsp->sni && *state->tlsp->sni)
1603 debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
1604 sz = Ustrlen(state->tlsp->sni);
1605 if ((rc = gnutls_server_name_set(state->session,
1606 GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
1607 return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
1610 else if (state->tls_sni)
1611 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1612 "have an SNI set for a server [%s]\n", state->tls_sni);
1614 /* This is the priority string support,
1615 http://www.gnutls.org/manual/html_node/Priority-Strings.html
1616 and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1617 This was backwards incompatible, but means Exim no longer needs to track
1618 all algorithms and provide string forms for them. */
1621 if (state->tls_require_ciphers && *state->tls_require_ciphers)
1623 if (!expand_check_tlsvar(tls_require_ciphers, errstr))
1625 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
1627 p = state->exp_tls_require_ciphers;
1628 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
1633 p = exim_default_gnutls_priority;
1635 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
1638 if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
1639 return tls_error_gnu(string_sprintf(
1640 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1641 p, errpos - CS p, errpos),
1644 if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
1645 return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
1647 /* This also sets the server ticket expiration time to the same, and
1648 the STEK rotation time to 3x. */
1650 gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1652 /* Reduce security in favour of increased compatibility, if the admin
1653 decides to make that trade-off. */
1654 if (gnutls_compat_mode)
1656 #if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1657 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1658 gnutls_session_enable_compatibility_mode(state->session);
1660 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1664 *caller_state = state;
1670 /*************************************************
1671 * Extract peer information *
1672 *************************************************/
1674 static const uschar *
1675 cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
1676 gnutls_mac_algorithm_t mac)
1679 gnutls_kx_algorithm_t kx_i;
1680 gnutls_cipher_algorithm_t cipher_i;
1681 gnutls_mac_algorithm_t mac_i;
1684 gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
1686 if (kx_i == kx && cipher_i == cipher && mac_i == mac)
1687 return cipher_stdname(cs_id[0], cs_id[1]);
1693 /* Called from both server and client code.
1694 Only this is allowed to set state->peerdn and state->have_set_peerdn
1695 and we use that to detect double-calls.
1697 NOTE: the state blocks last while the TLS connection is up, which is fine
1698 for logging in the server side, but for the client side, we log after teardown
1699 in src/deliver.c. While the session is up, we can twist about states and
1700 repoint tls_* globals, but those variables used for logging or other variable
1701 expansion that happens _after_ delivery need to have a longer life-time.
1703 So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1704 doing this more than once per generation of a state context. We set them in
1705 the state context, and repoint tls_* to them. After the state goes away, the
1706 tls_* copies of the pointers remain valid and client delivery logging is happy.
1708 tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1712 state exim_gnutls_state_st *
1713 errstr pointer to error string
1715 Returns: OK/DEFER/FAIL
1719 peer_status(exim_gnutls_state_st * state, uschar ** errstr)
1721 gnutls_session_t session = state->session;
1722 const gnutls_datum_t * cert_list;
1724 unsigned int cert_list_size = 0;
1725 gnutls_protocol_t protocol;
1726 gnutls_cipher_algorithm_t cipher;
1727 gnutls_kx_algorithm_t kx;
1728 gnutls_mac_algorithm_t mac;
1729 gnutls_certificate_type_t ct;
1730 gnutls_x509_crt_t crt;
1734 if (state->have_set_peerdn)
1736 state->have_set_peerdn = TRUE;
1738 state->peerdn = NULL;
1741 cipher = gnutls_cipher_get(session);
1742 protocol = gnutls_protocol_get_version(session);
1743 mac = gnutls_mac_get(session);
1745 #ifdef GNUTLS_TLS1_3
1746 protocol >= GNUTLS_TLS1_3 ? 0 :
1748 gnutls_kx_get(session);
1750 old_pool = store_pool;
1752 tls_support * tlsp = state->tlsp;
1753 store_pool = POOL_PERM;
1755 #ifdef SUPPORT_GNUTLS_SESS_DESC
1758 uschar * s = US gnutls_session_get_desc(session), c;
1760 /* Nikos M suggests we use this by preference. It returns like:
1761 (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
1763 For partial back-compat, put a colon after the TLS version, replace the
1764 )-( grouping with __, replace in-group - with _ and append the :keysize. */
1766 /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
1768 for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
1769 g = string_catn(g, US":", 1);
1770 if (*s) s++; /* now on _ between groups */
1773 for (*++s && ++s; (c = *s) && c != ')'; s++) g = string_catn(g, c == '-' ? US"_" : s, 1);
1774 /* now on ) closing group */
1775 if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
1776 /* now on _ between groups */
1778 g = string_catn(g, US":", 1);
1779 g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
1780 state->ciphersuite = string_from_gstring(g);
1783 state->ciphersuite = string_sprintf("%s:%s:%d",
1784 gnutls_protocol_get_name(protocol),
1785 gnutls_cipher_suite_get_name(kx, cipher, mac),
1786 (int) gnutls_cipher_get_key_size(cipher) * 8);
1788 /* I don't see a way that spaces could occur, in the current GnuTLS
1789 code base, but it was a concern in the old code and perhaps older GnuTLS
1790 releases did return "TLS 1.0"; play it safe, just in case. */
1792 for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
1795 /* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
1797 tlsp->cipher = state->ciphersuite;
1798 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
1800 tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
1802 store_pool = old_pool;
1805 cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
1807 if (!cert_list || cert_list_size == 0)
1809 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1810 cert_list, cert_list_size);
1811 if (state->verify_requirement >= VERIFY_REQUIRED)
1812 return tls_error(US"certificate verification failed",
1813 US"no certificate received from peer", state->host, errstr);
1817 if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
1819 const uschar * ctn = US gnutls_certificate_type_get_name(ct);
1821 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
1822 if (state->verify_requirement >= VERIFY_REQUIRED)
1823 return tls_error(US"certificate verification not possible, unhandled type",
1824 ctn, state->host, errstr);
1828 #define exim_gnutls_peer_err(Label) \
1830 if (rc != GNUTLS_E_SUCCESS) \
1832 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
1833 (Label), gnutls_strerror(rc)); \
1834 if (state->verify_requirement >= VERIFY_REQUIRED) \
1835 return tls_error_gnu((Label), rc, state->host, errstr); \
1840 rc = import_cert(&cert_list[0], &crt);
1841 exim_gnutls_peer_err(US"cert 0");
1843 state->tlsp->peercert = state->peercert = crt;
1846 rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1847 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
1849 exim_gnutls_peer_err(US"getting size for cert DN failed");
1850 return FAIL; /* should not happen */
1852 dn_buf = store_get_perm(sz, TRUE); /* tainted */
1853 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1854 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
1856 state->peerdn = dn_buf;
1859 #undef exim_gnutls_peer_err
1865 /*************************************************
1866 * Verify peer certificate *
1867 *************************************************/
1869 /* Called from both server and client code.
1870 *Should* be using a callback registered with
1871 gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1872 the peer information, but that's too new for some OSes.
1875 state exim_gnutls_state_st *
1876 errstr where to put an error message
1879 FALSE if the session should be rejected
1880 TRUE if the cert is okay or we just don't care
1884 verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
1889 DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
1891 rc = peer_status(state, errstr);
1893 if (state->verify_requirement == VERIFY_NONE)
1896 if (rc != OK || !state->peerdn)
1898 verify = GNUTLS_CERT_INVALID;
1899 *errstr = US"certificate not supplied";
1905 if (state->verify_requirement == VERIFY_DANE && state->host)
1907 /* Using dane_verify_session_crt() would be easy, as it does it all for us
1908 including talking to a DNS resolver. But we want to do that bit ourselves
1909 as the testsuite intercepts and fakes its own DNS environment. */
1914 const gnutls_datum_t * certlist =
1915 gnutls_certificate_get_peers(state->session, &lsize);
1916 int usage = tls_out.tlsa_usage;
1918 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
1919 /* Split the TLSA records into two sets, TA and EE selectors. Run the
1920 dane-verification separately so that we know which selector verified;
1921 then we know whether to do name-verification (needed for TA but not EE). */
1923 if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
1924 { /* a mixed-usage bundle */
1929 for(nrec = 0; state->dane_data_len[nrec]; ) nrec++;
1932 dd = store_get(nrec * sizeof(uschar *), FALSE);
1933 ddl = store_get(nrec * sizeof(int), FALSE);
1936 if ((rc = dane_state_init(&s, 0)))
1939 for (usage = DANESSL_USAGE_DANE_EE;
1940 usage >= DANESSL_USAGE_DANE_TA; usage--)
1941 { /* take records with this usage */
1942 for (j = i = 0; i < nrec; i++)
1943 if (state->dane_data[i][0] == usage)
1945 dd[j] = state->dane_data[i];
1946 ddl[j++] = state->dane_data_len[i];
1953 if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
1956 if ((rc = dane_verify_crt_raw(s, certlist, lsize,
1957 gnutls_certificate_type_get(state->session),
1959 usage == DANESSL_USAGE_DANE_EE
1960 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1964 debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
1966 else if (verify == 0) /* verification passed */
1974 if (rc) goto tlsa_prob;
1979 if ( (rc = dane_state_init(&s, 0))
1980 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
1982 || (rc = dane_verify_crt_raw(s, certlist, lsize,
1983 gnutls_certificate_type_get(state->session),
1985 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
1986 usage == (1 << DANESSL_USAGE_DANE_EE)
1987 ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
1996 if (verify != 0) /* verification failed */
1999 (void) dane_verification_status_print(verify, &str, 0);
2000 *errstr = US str.data; /* don't bother to free */
2004 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2005 /* If a TA-mode TLSA record was used for verification we must additionally
2006 verify the cert name (but not the CA chain). For EE-mode, skip it. */
2008 if (usage & (1 << DANESSL_USAGE_DANE_EE))
2011 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2014 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
2015 /* Assume that the name on the A-record is the one that should be matching
2016 the cert. An alternate view is that the domain part of the email address
2017 is also permissible. */
2019 if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2020 CS state->host->name))
2022 state->peer_dane_verified = state->peer_cert_verified = TRUE;
2027 #endif /*SUPPORT_DANE*/
2029 rc = gnutls_certificate_verify_peers2(state->session, &verify);
2032 /* Handle the result of verification. INVALID is set if any others are. */
2034 if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
2036 state->peer_cert_verified = FALSE;
2039 #ifdef GNUTLS_CERT_VFY_STATUS_PRINT
2044 if (gnutls_certificate_verification_status_print(verify,
2045 gnutls_certificate_type_get(state->session), &txt, 0)
2046 == GNUTLS_E_SUCCESS)
2048 debug_printf("%s\n", txt.data);
2049 gnutls_free(txt.data);
2053 *errstr = verify & GNUTLS_CERT_REVOKED
2054 ? US"certificate revoked" : US"certificate invalid";
2058 debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
2059 *errstr, state->peerdn ? state->peerdn : US"<unset>");
2061 if (state->verify_requirement >= VERIFY_REQUIRED)
2064 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
2069 /* Client side, check the server's certificate name versus the name on the
2070 A-record for the connection we made. What to do for server side - what name
2071 to use for client? We document that there is no such checking for server
2074 if ( state->exp_tls_verify_cert_hostnames
2075 && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
2076 CS state->exp_tls_verify_cert_hostnames)
2080 debug_printf("TLS certificate verification failed: cert name mismatch\n");
2081 if (state->verify_requirement >= VERIFY_REQUIRED)
2086 state->peer_cert_verified = TRUE;
2087 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
2088 state->peerdn ? state->peerdn : US"<unset>");
2092 state->tlsp->peerdn = state->peerdn;
2097 *errstr = string_sprintf("TLSA record problem: %s",
2098 rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
2102 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
2109 /* ------------------------------------------------------------------------ */
2112 /* Logging function which can be registered with
2113 * gnutls_global_set_log_function()
2114 * gnutls_global_set_log_level() 0..9
2116 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
2118 exim_gnutls_logger_cb(int level, const char *message)
2120 size_t len = strlen(message);
2123 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
2126 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
2127 message[len-1] == '\n' ? "" : "\n");
2132 /* Called after client hello, should handle SNI work.
2133 This will always set tls_sni (state->received_sni) if available,
2134 and may trigger presenting different certificates,
2135 if state->trigger_sni_changes is TRUE.
2137 Should be registered with
2138 gnutls_handshake_set_post_client_hello_function()
2140 "This callback must return 0 on success or a gnutls error code to terminate the
2143 For inability to get SNI information, we return 0.
2144 We only return non-zero if re-setup failed.
2145 Only used for server-side TLS.
2149 exim_sni_handling_cb(gnutls_session_t session)
2151 char sni_name[MAX_HOST_LEN];
2152 size_t data_len = MAX_HOST_LEN;
2153 exim_gnutls_state_st *state = &state_server;
2154 unsigned int sni_type;
2156 uschar * dummy_errstr;
2158 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
2159 if (rc != GNUTLS_E_SUCCESS)
2162 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
2163 debug_printf("TLS: no SNI presented in handshake.\n");
2165 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
2166 gnutls_strerror(rc), rc);
2170 if (sni_type != GNUTLS_NAME_DNS)
2172 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
2176 /* We now have a UTF-8 string in sni_name */
2177 old_pool = store_pool;
2178 store_pool = POOL_PERM;
2179 state->received_sni = string_copy_taint(US sni_name, TRUE);
2180 store_pool = old_pool;
2182 /* We set this one now so that variable expansions below will work */
2183 state->tlsp->sni = state->received_sni;
2185 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
2186 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
2188 if (!state->trigger_sni_changes)
2191 if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
2193 /* If the setup of certs/etc failed before handshake, TLS would not have
2194 been offered. The best we can do now is abort. */
2195 return GNUTLS_E_APPLICATION_ERROR_MIN;
2198 rc = tls_set_remaining_x509(state, &dummy_errstr);
2199 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
2206 #ifndef DISABLE_EVENT
2208 We use this callback to get observability and detail-level control
2209 for an exim TLS connection (either direction), raising a tls:cert event
2210 for each cert in the chain presented by the peer. Any event
2211 can deny verification.
2213 Return 0 for the handshake to continue or non-zero to terminate.
2217 verify_cb(gnutls_session_t session)
2219 const gnutls_datum_t * cert_list;
2220 unsigned int cert_list_size = 0;
2221 gnutls_x509_crt_t crt;
2224 exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
2226 if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
2227 while (cert_list_size--)
2229 if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
2231 DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
2232 cert_list_size, gnutls_strerror(rc));
2236 state->tlsp->peercert = crt;
2237 if ((yield = event_raise(state->event_action,
2238 US"tls:cert", string_sprintf("%d", cert_list_size))))
2240 log_write(0, LOG_MAIN,
2241 "SSL verify denied by event-action: depth=%d: %s",
2242 cert_list_size, yield);
2243 return 1; /* reject */
2245 state->tlsp->peercert = NULL;
2255 ddump(gnutls_datum_t * d)
2257 gstring * g = string_get((d->size+1) * 2);
2258 uschar * s = d->data;
2259 for (unsigned i = d->size; i > 0; i--, s++)
2261 g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
2262 g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
2268 post_handshake_debug(exim_gnutls_state_st * state)
2270 #ifdef SUPPORT_GNUTLS_SESS_DESC
2271 debug_printf("%s\n", gnutls_session_get_desc(state->session));
2274 #ifdef SUPPORT_GNUTLS_KEYLOG
2275 # ifdef EXIM_HAVE_TLS1_3
2276 if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
2281 gnutls_datum_t c, s;
2283 /* For TLS1.2 we only want the client random and the master secret */
2284 gnutls_session_get_random(state->session, &c, &s);
2285 gnutls_session_get_master_secret(state->session, &s);
2288 debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
2291 debug_printf("To get keying info for TLS1.3 is hard:\n"
2292 " set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n"
2293 " add SSLKEYLOGFILE to keep_environment in the exim config\n"
2294 " run exim as root\n"
2295 " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
2296 " (works for TLS1.2 also, and saves cut-paste into file)"
2297 " Trying to use add_environment for this will not work\n");
2302 #ifdef EXPERIMENTAL_TLS_RESUME
2304 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2305 unsigned incoming, const gnutls_datum_t * msg)
2307 DEBUG(D_tls) debug_printf("newticket cb\n");
2308 tls_in.resumption |= RESUME_CLIENT_REQUESTED;
2313 tls_server_resume_prehandshake(exim_gnutls_state_st * state)
2315 /* Should the server offer session resumption? */
2316 tls_in.resumption = RESUME_SUPPORTED;
2317 if (verify_check_host(&tls_resumption_hosts) == OK)
2320 /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
2321 an offered resumption is unacceptable. We lose one resumption per ticket
2322 lifetime, and sessions cannot be indefinitely re-used. There seems to be no
2323 way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
2324 least they go out in a single packet. */
2326 if (!(rc = gnutls_session_ticket_enable_server(state->session,
2327 &server_sessticket_key)))
2328 tls_in.resumption |= RESUME_SERVER_TICKET;
2331 debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
2333 /* Try to tell if we see a ticket request */
2334 gnutls_handshake_set_hook_function(state->session,
2335 GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
2340 tls_server_resume_posthandshake(exim_gnutls_state_st * state)
2342 if (gnutls_session_resumption_requested(state->session))
2344 /* This tells us the client sent a full ticket. We use a
2345 callback on session-ticket request, elsewhere, to tell
2346 if a client asked for a ticket. */
2348 tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
2349 DEBUG(D_tls) debug_printf("client requested resumption\n");
2351 if (gnutls_session_is_resumed(state->session))
2353 tls_in.resumption |= RESUME_USED;
2354 DEBUG(D_tls) debug_printf("Session resumed\n");
2358 /* ------------------------------------------------------------------------ */
2359 /* Exported functions */
2364 /*************************************************
2365 * Start a TLS session in a server *
2366 *************************************************/
2368 /* This is called when Exim is running as a server, after having received
2369 the STARTTLS command. It must respond to that command, and then negotiate
2373 require_ciphers list of allowed ciphers or NULL
2374 errstr pointer to error string
2376 Returns: OK on success
2377 DEFER for errors before the start of the negotiation
2378 FAIL for errors during the negotiation; the server can't
2383 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2386 exim_gnutls_state_st * state = NULL;
2388 /* Check for previous activation */
2389 if (tls_in.active.sock >= 0)
2391 tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
2392 smtp_printf("554 Already in TLS\r\n", FALSE);
2396 /* Initialize the library. If it fails, it will already have logged the error
2397 and sent an SMTP response. */
2399 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
2401 if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
2402 NULL, tls_verify_certificates, tls_crl,
2403 require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
2405 #ifdef EXPERIMENTAL_TLS_RESUME
2406 tls_server_resume_prehandshake(state);
2409 /* If this is a host for which certificate verification is mandatory or
2410 optional, set up appropriately. */
2412 if (verify_check_host(&tls_verify_hosts) == OK)
2415 debug_printf("TLS: a client certificate will be required.\n");
2416 state->verify_requirement = VERIFY_REQUIRED;
2417 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2419 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2422 debug_printf("TLS: a client certificate will be requested but not required.\n");
2423 state->verify_requirement = VERIFY_OPTIONAL;
2424 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2429 debug_printf("TLS: a client certificate will not be requested.\n");
2430 state->verify_requirement = VERIFY_NONE;
2431 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2434 #ifndef DISABLE_EVENT
2437 state->event_action = event_action;
2438 gnutls_session_set_ptr(state->session, state);
2439 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2443 /* Register SNI handling; always, even if not in tls_certificate, so that the
2444 expansion variable $tls_sni is always available. */
2446 gnutls_handshake_set_post_client_hello_function(state->session,
2447 exim_sni_handling_cb);
2449 /* Set context and tell client to go ahead, except in the case of TLS startup
2450 on connection, where outputting anything now upsets the clients and tends to
2451 make them disconnect. We need to have an explicit fflush() here, to force out
2452 the response. Other smtp_printf() calls do not need it, because in non-TLS
2453 mode, the fflush() happens when smtp_getc() is called. */
2455 if (!state->tlsp->on_connect)
2457 smtp_printf("220 TLS go ahead\r\n", FALSE);
2461 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2462 that the GnuTLS library doesn't.
2463 From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
2464 to set (and clear down afterwards) up a pull-timeout callback function that does
2465 a select, so we're no better off unless avoiding signals becomes an issue. */
2467 gnutls_transport_set_ptr2(state->session,
2468 (gnutls_transport_ptr_t)(long) fileno(smtp_in),
2469 (gnutls_transport_ptr_t)(long) fileno(smtp_out));
2470 state->fd_in = fileno(smtp_in);
2471 state->fd_out = fileno(smtp_out);
2473 sigalrm_seen = FALSE;
2474 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2476 rc = gnutls_handshake(state->session);
2477 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
2480 if (rc != GNUTLS_E_SUCCESS)
2482 /* It seems that, except in the case of a timeout, we have to close the
2483 connection right here; otherwise if the other end is running OpenSSL it hangs
2484 until the server times out. */
2488 tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
2489 gnutls_db_remove_session(state->session);
2493 tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
2494 (void) gnutls_alert_send_appropriate(state->session, rc);
2495 gnutls_deinit(state->session);
2496 gnutls_certificate_free_credentials(state->x509_cred);
2498 shutdown(state->fd_out, SHUT_WR);
2499 for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
2500 (void)fclose(smtp_out);
2501 (void)fclose(smtp_in);
2502 smtp_out = smtp_in = NULL;
2508 #ifdef EXPERIMENTAL_TLS_RESUME
2509 tls_server_resume_posthandshake(state);
2512 DEBUG(D_tls) post_handshake_debug(state);
2514 /* Verify after the fact */
2516 if (!verify_certificate(state, errstr))
2518 if (state->verify_requirement != VERIFY_OPTIONAL)
2520 (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
2524 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
2528 /* Sets various Exim expansion variables; always safe within server */
2530 extract_exim_vars_from_tls_state(state);
2532 /* TLS has been set up. Adjust the input functions to read via TLS,
2533 and initialize appropriately. */
2535 state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2537 receive_getc = tls_getc;
2538 receive_getbuf = tls_getbuf;
2539 receive_get_cache = tls_get_cache;
2540 receive_ungetc = tls_ungetc;
2541 receive_feof = tls_feof;
2542 receive_ferror = tls_ferror;
2543 receive_smtp_buffered = tls_smtp_buffered;
2552 tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
2553 smtp_transport_options_block * ob)
2555 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2557 state->exp_tls_verify_cert_hostnames =
2559 string_domain_utf8_to_alabel(host->name, NULL);
2564 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
2565 state->exp_tls_verify_cert_hostnames);
2573 /* Given our list of RRs from the TLSA lookup, build a lookup block in
2574 GnuTLS-DANE's preferred format. Hang it on the state str for later
2575 use in DANE verification.
2577 We point at the dnsa data not copy it, so it must remain valid until
2578 after verification is done.*/
2581 dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
2585 const char ** dane_data;
2586 int * dane_data_len;
2589 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2590 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2591 ) if (rr->type == T_TLSA) i++;
2593 dane_data = store_get(i * sizeof(uschar *), FALSE);
2594 dane_data_len = store_get(i * sizeof(int), FALSE);
2597 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2598 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2599 ) if (rr->type == T_TLSA && rr->size > 3)
2601 const uschar * p = rr->data;
2602 /*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
2603 uint8_t usage = p[0], sel = p[1], type = p[2];
2606 debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
2608 if ( (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
2609 || (sel != 0 && sel != 1)
2614 case 0: /* Full: cannot check at present */
2616 case 1: if (rr->size != 3 + 256/8) continue; /* sha2-256 */
2618 case 2: if (rr->size != 3 + 512/8) continue; /* sha2-512 */
2623 tls_out.tlsa_usage |= 1<<usage;
2624 dane_data[i] = CS p;
2625 dane_data_len[i++] = rr->size;
2628 if (!i) return FALSE;
2630 dane_data[i] = NULL;
2631 dane_data_len[i] = 0;
2633 state->dane_data = (char * const *)dane_data;
2634 state->dane_data_len = dane_data_len;
2641 #ifdef EXPERIMENTAL_TLS_RESUME
2642 /* On the client, get any stashed session for the given IP from hints db
2643 and apply it to the ssl-connection for attempted resumption. Although
2644 there is a gnutls_session_ticket_enable_client() interface it is
2645 documented as unnecessary (as of 3.6.7) as "session tickets are emabled
2646 by deafult". There seems to be no way to disable them, so even hosts not
2647 enabled by the transport option will be sent a ticket request. We will
2648 however avoid storing and retrieving session information. */
2651 tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
2652 host_item * host, smtp_transport_options_block * ob)
2654 tlsp->resumption = RESUME_SUPPORTED;
2655 if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2657 dbdata_tls_session * dt;
2659 open_db dbblock, * dbm_file;
2662 debug_printf("check for resumable session for %s\n", host->address);
2663 tlsp->host_resumable = TRUE;
2664 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2665 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2667 /* Key for the db is the IP. We'd like to filter the retrieved session
2668 for ticket advisory expiry, but 3.6.1 seems to give no access to that */
2670 if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
2671 if (!(rc = gnutls_session_set_data(session,
2672 CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
2674 DEBUG(D_tls) debug_printf("good session\n");
2675 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2677 else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
2678 US gnutls_strerror(rc));
2679 dbfn_close(dbm_file);
2686 tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
2688 /* TLS 1.2 - we get both the callback and the direct posthandshake call,
2689 but this flag is not set until the second. TLS 1.3 it's the other way about.
2690 Keep both calls as the session data cannot be extracted before handshake
2693 if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
2698 DEBUG(D_tls) debug_printf("server offered session ticket\n");
2699 tlsp->ticket_received = TRUE;
2700 tlsp->resumption |= RESUME_SERVER_TICKET;
2702 if (tlsp->host_resumable)
2703 if (!(rc = gnutls_session_get_data2(session, &tkt)))
2705 open_db dbblock, * dbm_file;
2706 int dlen = sizeof(dbdata_tls_session) + tkt.size;
2707 dbdata_tls_session * dt = store_get(dlen, TRUE);
2709 DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
2710 memcpy(dt->session, tkt.data, tkt.size);
2711 gnutls_free(tkt.data);
2713 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2715 /* key for the db is the IP */
2716 dbfn_delete(dbm_file, host->address);
2717 dbfn_write(dbm_file, host->address, dt, dlen);
2718 dbfn_close(dbm_file);
2721 debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
2725 debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
2730 /* With a TLS1.3 session, the ticket(s) are not seen until
2731 the first data read is attempted. And there's often two of them.
2732 Pick them up with this callback. We are also called for 1.2
2736 tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
2737 unsigned incoming, const gnutls_datum_t * msg)
2739 exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
2740 tls_support * tlsp = state->tlsp;
2742 DEBUG(D_tls) debug_printf("newticket cb\n");
2744 if (!tlsp->ticket_received)
2745 tls_save_session(tlsp, sess, state->host);
2751 tls_client_resume_prehandshake(exim_gnutls_state_st * state,
2752 tls_support * tlsp, host_item * host,
2753 smtp_transport_options_block * ob)
2755 gnutls_session_set_ptr(state->session, state);
2756 gnutls_handshake_set_hook_function(state->session,
2757 GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
2759 tls_retrieve_session(tlsp, state->session, host, ob);
2763 tls_client_resume_posthandshake(exim_gnutls_state_st * state,
2764 tls_support * tlsp, host_item * host)
2766 if (gnutls_session_is_resumed(state->session))
2768 DEBUG(D_tls) debug_printf("Session resumed\n");
2769 tlsp->resumption |= RESUME_USED;
2772 tls_save_session(tlsp, state->session, host);
2774 #endif /* EXPERIMENTAL_TLS_RESUME */
2777 /*************************************************
2778 * Start a TLS session in a client *
2779 *************************************************/
2781 /* Called from the smtp transport after STARTTLS has been accepted.
2784 cctx connection context
2785 conn_args connection details
2786 cookie datum for randomness (not used)
2787 tlsp record details of channel configuration here; must be non-NULL
2788 errstr error string pointer
2790 Returns: TRUE for success with TLS session context set in smtp context,
2795 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2796 void * cookie ARG_UNUSED,
2797 tls_support * tlsp, uschar ** errstr)
2799 host_item * host = conn_args->host; /* for msgs and option-tests */
2800 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2801 smtp_transport_options_block * ob = tb
2802 ? (smtp_transport_options_block *)tb->options_block
2803 : &smtp_transport_option_defaults;
2805 exim_gnutls_state_st * state = NULL;
2806 uschar * cipher_list = NULL;
2808 #ifndef DISABLE_OCSP
2810 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
2811 BOOL request_ocsp = require_ocsp ? TRUE
2812 : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2815 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
2818 /* If dane is flagged, have either request or require dane for this host, and
2819 a TLSA record found. Therefore, dane verify required. Which implies cert must
2820 be requested and supplied, dane verify must pass, and cert verify irrelevant
2821 (incl. hostnames), and (caller handled) require_tls */
2823 if (conn_args->dane && ob->dane_require_tls_ciphers)
2825 /* not using expand_check_tlsvar because not yet in state */
2826 if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2827 &cipher_list, errstr))
2829 cipher_list = cipher_list && *cipher_list
2830 ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
2835 cipher_list = ob->tls_require_ciphers;
2837 if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
2838 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
2839 cipher_list, &state, tlsp, errstr) != OK)
2843 int dh_min_bits = ob->tls_dh_min_bits;
2844 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
2847 debug_printf("WARNING: tls_dh_min_bits far too low,"
2848 " clamping %d up to %d\n",
2849 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
2850 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
2853 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
2854 " acceptable bits to %d\n",
2856 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
2859 /* Stick to the old behaviour for compatibility if tls_verify_certificates is
2860 set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
2861 the specified host patterns if one of them is defined */
2864 if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
2867 debug_printf("TLS: server certificate DANE required.\n");
2868 state->verify_requirement = VERIFY_DANE;
2869 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2873 if ( ( state->exp_tls_verify_certificates
2874 && !ob->tls_verify_hosts
2875 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2877 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2880 tls_client_setup_hostname_checks(host, state, ob);
2882 debug_printf("TLS: server certificate verification required.\n");
2883 state->verify_requirement = VERIFY_REQUIRED;
2884 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
2886 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2888 tls_client_setup_hostname_checks(host, state, ob);
2890 debug_printf("TLS: server certificate verification optional.\n");
2891 state->verify_requirement = VERIFY_OPTIONAL;
2892 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
2897 debug_printf("TLS: server certificate verification not required.\n");
2898 state->verify_requirement = VERIFY_NONE;
2899 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
2902 #ifndef DISABLE_OCSP
2903 /* supported since GnuTLS 3.1.3 */
2906 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
2907 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
2908 NULL, 0, NULL)) != OK)
2910 tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
2913 tlsp->ocsp = OCSP_NOT_RESP;
2917 #ifdef EXPERIMENTAL_TLS_RESUME
2918 tls_client_resume_prehandshake(state, tlsp, host, ob);
2921 #ifndef DISABLE_EVENT
2922 if (tb && tb->event_action)
2924 state->event_action = tb->event_action;
2925 gnutls_session_set_ptr(state->session, state);
2926 gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
2930 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
2931 state->fd_in = cctx->sock;
2932 state->fd_out = cctx->sock;
2934 DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
2935 /* There doesn't seem to be a built-in timeout on connection. */
2937 sigalrm_seen = FALSE;
2938 ALARM(ob->command_timeout);
2940 rc = gnutls_handshake(state->session);
2941 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
2944 if (rc != GNUTLS_E_SUCCESS)
2948 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
2949 tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
2952 tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
2956 DEBUG(D_tls) post_handshake_debug(state);
2960 if (!verify_certificate(state, errstr))
2962 tls_error(US"certificate verification failed", *errstr, state->host, errstr);
2966 #ifndef DISABLE_OCSP
2971 gnutls_datum_t stapling;
2972 gnutls_ocsp_resp_t resp;
2973 gnutls_datum_t printed;
2977 # ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
2978 (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
2980 (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
2983 if ( (rc= gnutls_ocsp_resp_init(&resp)) == 0
2984 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
2985 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
2988 debug_printf("%.4096s", printed.data);
2989 gnutls_free(printed.data);
2992 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2994 (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
2997 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
2999 tlsp->ocsp = OCSP_FAILED;
3000 tls_error(US"certificate status check failed", NULL, state->host, errstr);
3006 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
3007 tlsp->ocsp = OCSP_VFIED;
3012 #ifdef EXPERIMENTAL_TLS_RESUME
3013 tls_client_resume_posthandshake(state, tlsp, host);
3016 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
3018 extract_exim_vars_from_tls_state(state);
3020 cctx->tls_ctx = state;
3027 /*************************************************
3028 * Close down a TLS session *
3029 *************************************************/
3031 /* This is also called from within a delivery subprocess forked from the
3032 daemon, to shut down the TLS library, without actually doing a shutdown (which
3033 would tamper with the TLS session in the parent process).
3036 ct_ctx client context pointer, or NULL for the one global server context
3037 shutdown 1 if TLS close-alert is to be sent,
3038 2 if also response to be waited for
3044 tls_close(void * ct_ctx, int shutdown)
3046 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3047 tls_support * tlsp = state->tlsp;
3049 if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
3053 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3054 shutdown > 1 ? " (with response-wait)" : "");
3057 gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
3061 if (!ct_ctx) /* server */
3063 receive_getc = smtp_getc;
3064 receive_getbuf = smtp_getbuf;
3065 receive_get_cache = smtp_get_cache;
3066 receive_ungetc = smtp_ungetc;
3067 receive_feof = smtp_feof;
3068 receive_ferror = smtp_ferror;
3069 receive_smtp_buffered = smtp_buffered;
3072 gnutls_deinit(state->session);
3073 gnutls_certificate_free_credentials(state->x509_cred);
3075 tlsp->active.sock = -1;
3076 tlsp->active.tls_ctx = NULL;
3077 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
3078 tls_channelbinding_b64 = NULL;
3081 if (state->xfer_buffer) store_free(state->xfer_buffer);
3082 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
3089 tls_refill(unsigned lim)
3091 exim_gnutls_state_st * state = &state_server;
3094 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
3095 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
3097 sigalrm_seen = FALSE;
3098 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3101 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
3102 MIN(ssl_xfer_buffer_size, lim));
3103 while (inbytes == GNUTLS_E_AGAIN);
3105 if (smtp_receive_timeout > 0) ALARM_CLR(0);
3107 if (had_command_timeout) /* set by signal handler */
3108 smtp_command_timeout_exit(); /* does not return */
3109 if (had_command_sigterm)
3110 smtp_command_sigterm_exit();
3111 if (had_data_timeout)
3112 smtp_data_timeout_exit();
3113 if (had_data_sigint)
3114 smtp_data_sigint_exit();
3116 /* Timeouts do not get this far. A zero-byte return appears to mean that the
3117 TLS session has been closed down, not that the socket itself has been closed
3118 down. Revert to non-TLS handling. */
3122 DEBUG(D_tls) debug_printf("Got tls read timeout\n");
3123 state->xfer_error = TRUE;
3127 else if (inbytes == 0)
3129 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3130 tls_close(NULL, TLS_NO_SHUTDOWN);
3134 /* Handle genuine errors */
3136 else if (inbytes < 0)
3138 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
3139 record_io_error(state, (int) inbytes, US"recv", NULL);
3140 state->xfer_error = TRUE;
3143 #ifndef DISABLE_DKIM
3144 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
3146 state->xfer_buffer_hwm = (int) inbytes;
3147 state->xfer_buffer_lwm = 0;
3151 /*************************************************
3152 * TLS version of getc *
3153 *************************************************/
3155 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
3156 it refills the buffer via the GnuTLS reading function.
3157 Only used by the server-side TLS.
3159 This feeds DKIM and should be used for all message-body reads.
3161 Arguments: lim Maximum amount to read/buffer
3162 Returns: the next character or EOF
3166 tls_getc(unsigned lim)
3168 exim_gnutls_state_st * state = &state_server;
3170 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3171 if (!tls_refill(lim))
3172 return state->xfer_error ? EOF : smtp_getc(lim);
3174 /* Something in the buffer; return next uschar */
3176 return state->xfer_buffer[state->xfer_buffer_lwm++];
3180 tls_getbuf(unsigned * len)
3182 exim_gnutls_state_st * state = &state_server;
3186 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
3187 if (!tls_refill(*len))
3189 if (!state->xfer_error) return smtp_getbuf(len);
3194 if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
3196 buf = &state->xfer_buffer[state->xfer_buffer_lwm];
3197 state->xfer_buffer_lwm += size;
3206 #ifndef DISABLE_DKIM
3207 exim_gnutls_state_st * state = &state_server;
3208 int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
3210 dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
3216 tls_could_read(void)
3218 return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
3219 || gnutls_record_check_pending(state_server.session) > 0;
3225 /*************************************************
3226 * Read bytes from TLS channel *
3227 *************************************************/
3229 /* This does not feed DKIM, so if the caller uses this for reading message body,
3230 then the caller must feed DKIM.
3233 ct_ctx client context pointer, or NULL for the one global server context
3237 Returns: the number of bytes read
3238 -1 after a failed read, including EOF
3242 tls_read(void * ct_ctx, uschar *buff, size_t len)
3244 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3250 if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
3252 debug_printf("*** PROBABLY A BUG *** " \
3253 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
3254 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
3257 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
3258 state->session, buff, len);
3261 inbytes = gnutls_record_recv(state->session, buff, len);
3262 while (inbytes == GNUTLS_E_AGAIN);
3264 if (inbytes > 0) return inbytes;
3267 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
3271 DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
3272 record_io_error(state, (int)inbytes, US"recv", NULL);
3281 /*************************************************
3282 * Write bytes down TLS channel *
3283 *************************************************/
3287 ct_ctx client context pointer, or NULL for the one global server context
3290 more more data expected soon
3292 Returns: the number of bytes after a successful write,
3293 -1 after a failed write
3297 tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
3301 exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
3303 static BOOL corked = FALSE;
3305 if (more && !corked) gnutls_record_cork(state->session);
3308 DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
3309 buff, left, more ? ", more" : "");
3313 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
3317 outbytes = gnutls_record_send(state->session, buff, left);
3318 while (outbytes == GNUTLS_E_AGAIN);
3320 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
3323 DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
3324 record_io_error(state, outbytes, US"send", NULL);
3329 record_io_error(state, 0, US"send", US"TLS channel closed on write");
3340 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
3348 if (!more) (void) gnutls_record_uncork(state->session, 0);
3359 /*************************************************
3360 * Random number generation *
3361 *************************************************/
3363 /* Pseudo-random number generation. The result is not expected to be
3364 cryptographically strong but not so weak that someone will shoot themselves
3365 in the foot using it as a nonce in input in some email header scheme or
3366 whatever weirdness they'll twist this into. The result should handle fork()
3367 and avoid repeating sequences. OpenSSL handles that for us.
3371 Returns a random number in range [0, max-1]
3374 #ifdef HAVE_GNUTLS_RND
3376 vaguely_random_number(int max)
3380 uschar smallbuf[sizeof(r)];
3385 needed_len = sizeof(r);
3386 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3387 asked for a number less than 10. */
3389 for (r = max, i = 0; r; ++i)
3395 i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
3398 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
3399 return vaguely_random_number_fallback(max);
3402 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3405 /* We don't particularly care about weighted results; if someone wants
3406 * smooth distribution and cares enough then they should submit a patch then. */
3409 #else /* HAVE_GNUTLS_RND */
3411 vaguely_random_number(int max)
3413 return vaguely_random_number_fallback(max);
3415 #endif /* HAVE_GNUTLS_RND */
3420 /*************************************************
3421 * Let tls_require_ciphers be checked at startup *
3422 *************************************************/
3424 /* The tls_require_ciphers option, if set, must be something which the
3427 Returns: NULL on success, or error message
3431 tls_validate_require_cipher(void)
3434 uschar *expciphers = NULL;
3435 gnutls_priority_t priority_cache;
3437 uschar * dummy_errstr;
3439 #ifdef GNUTLS_AUTO_GLOBAL_INIT
3440 # define validate_check_rc(Label) do { \
3441 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) \
3442 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3443 # define return_deinit(Label) do { return (Label); } while (0)
3445 # define validate_check_rc(Label) do { \
3446 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
3447 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
3448 # define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
3451 if (exim_gnutls_base_init_done)
3452 log_write(0, LOG_MAIN|LOG_PANIC,
3453 "already initialised GnuTLS, Exim developer bug");
3455 #if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
3456 if (!gnutls_allow_auto_pkcs11)
3458 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
3459 validate_check_rc(US"gnutls_pkcs11_init");
3462 #ifndef GNUTLS_AUTO_GLOBAL_INIT
3463 rc = gnutls_global_init();
3464 validate_check_rc(US"gnutls_global_init()");
3466 exim_gnutls_base_init_done = TRUE;
3468 if (!(tls_require_ciphers && *tls_require_ciphers))
3469 return_deinit(NULL);
3471 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3473 return_deinit(US"failed to expand tls_require_ciphers");
3475 if (!(expciphers && *expciphers))
3476 return_deinit(NULL);
3479 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3481 rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
3482 validate_check_rc(string_sprintf(
3483 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
3484 expciphers, errpos - CS expciphers, errpos));
3486 #undef return_deinit
3487 #undef validate_check_rc
3488 #ifndef GNUTLS_AUTO_GLOBAL_INIT
3489 gnutls_global_deinit();
3498 /*************************************************
3499 * Report the library versions. *
3500 *************************************************/
3502 /* See a description in tls-openssl.c for an explanation of why this exists.
3504 Arguments: a FILE* to print the results to
3509 tls_version_report(FILE *f)
3511 fprintf(f, "Library version: GnuTLS: Compile: %s\n"
3514 gnutls_check_version(NULL));
3517 #endif /*!MACRO_PREDEF*/
3520 /* End of tls-gnu.c */
git://git.exim.org / exim.git / blob