Fix DISABLE_DKIM build & test. Fix build on systems lacking MAX in standard includes.

[exim.git] / src / src / tls-gnu.c
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c

index 7364a66ff540ab2a9056c443886e5674ce287948..c9dc4d9be02359ad29a8484d27dd485aea72f15e 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -42,6 +42,7 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
  /* needed to disable PKCS11 autoload unless requested */
  #if GNUTLS_VERSION_NUMBER >= 0x020c00
  # include <gnutls/pkcs11.h>
  /* needed to disable PKCS11 autoload unless requested */
  #if GNUTLS_VERSION_NUMBER >= 0x020c00
  # include <gnutls/pkcs11.h>
+# define SUPPORT_PARAM_TO_PK_BITS
  #endif
  #if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
  # warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
  #endif
  #if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
  # warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
@@ -413,7 +414,7 @@ if (rc) {
  } else {
    old_pool = store_pool;
    store_pool = POOL_PERM;
  } else {
    old_pool = store_pool;
    store_pool = POOL_PERM;
-  tls_channelbinding_b64 = auth_b64encode(channel.data, (int)channel.size);
+  tls_channelbinding_b64 = b64encode(channel.data, (int)channel.size);
    store_pool = old_pool;
    DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
  }
    store_pool = old_pool;
    DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
  }
@@ -709,6 +710,74 @@ return OK;
  
  
  
  
  
  
+/* Create and install a selfsigned certificate, for use in server mode */
+
+static int
+tls_install_selfsign(exim_gnutls_state_st * state)
+{
+gnutls_x509_crt_t cert = NULL;
+time_t now;
+gnutls_x509_privkey_t pkey = NULL;
+const uschar * where;
+int rc;
+
+where = US"initialising pkey";
+if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
+
+where = US"initialising cert";
+if ((rc = gnutls_x509_crt_init(&cert))) goto err;
+
+where = US"generating pkey";
+if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
+#ifdef SUPPORT_PARAM_TO_PK_BITS
+           gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW),
+#else
+           1024,
+#endif
+           0)))
+  goto err;
+
+where = US"configuring cert";
+now = 0;
+if (  (rc = gnutls_x509_crt_set_version(cert, 3))
+   || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
+   || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
+   || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
+   || (rc = gnutls_x509_crt_set_key(cert, pkey))
+
+   || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+             GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
+   || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+             GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
+   || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+             GNUTLS_OID_X520_COMMON_NAME, 0,
+             smtp_active_hostname, Ustrlen(smtp_active_hostname)))
+   )
+  goto err;
+
+where = US"signing cert";
+if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
+
+where = US"installing selfsign cert";
+                                       /* Since: 2.4.0 */
+if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
+  goto err;
+
+rc = OK;
+
+out:
+  if (cert) gnutls_x509_crt_deinit(cert);
+  if (pkey) gnutls_x509_privkey_deinit(pkey);
+  return rc;
+
+err:
+  rc = tls_error(where, gnutls_strerror(rc), NULL);
+  goto out;
+}
+
+
+
+
  /*************************************************
  *       Variables re-expanded post-SNI           *
  *************************************************/
  /*************************************************
  *       Variables re-expanded post-SNI           *
  *************************************************/
@@ -741,7 +810,6 @@ int cert_count;
  
  /* We check for tls_sni *before* expansion. */
  if (!host)     /* server */
  
  /* We check for tls_sni *before* expansion. */
  if (!host)     /* server */
-  {
    if (!state->received_sni)
      {
      if (state->tls_certificate &&
    if (!state->received_sni)
      {
      if (state->tls_certificate &&
@@ -762,7 +830,6 @@ if (!host)  /* server */
      saved_tls_verify_certificates = state->exp_tls_verify_certificates;
      saved_tls_crl = state->exp_tls_crl;
      }
      saved_tls_verify_certificates = state->exp_tls_verify_certificates;
      saved_tls_crl = state->exp_tls_crl;
      }
-  }
  
  rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
  exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
  
  rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
  exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
@@ -779,14 +846,13 @@ if (!expand_check_tlsvar(tls_certificate))
  
  /* certificate is mandatory in server, optional in client */
  
  
  /* certificate is mandatory in server, optional in client */
  
-if ((state->exp_tls_certificate == NULL) ||
-    (*state->exp_tls_certificate == '\0'))
-  {
+if (  !state->exp_tls_certificate
+   || !*state->exp_tls_certificate
+   )
    if (!host)
    if (!host)
-    return tls_error(US"no TLS server certificate is specified", NULL, NULL);
+    return tls_install_selfsign(state);
    else
      DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
    else
      DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
-  }
  
  if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
    return DEFER;
  
  if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
    return DEFER;
@@ -806,9 +872,9 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
        state->exp_tls_certificate, state->exp_tls_privatekey);
  
    if (state->received_sni)
        state->exp_tls_certificate, state->exp_tls_privatekey);
  
    if (state->received_sni)
-    {
-    if ((Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0) &&
-        (Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0))
+    if (  Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
+       && Ustrcmp(state->exp_tls_privatekey,  saved_tls_privatekey)  == 0
+       )
        {
        DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
        }
        {
        DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
        }
@@ -816,7 +882,6 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
        {
        DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
        }
        {
        DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
        }
-    }
  
    rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
        CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
  
    rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
        CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
@@ -911,7 +976,7 @@ else
    but who knows if someone has some weird FIFO which always dumps some certs, or
    other weirdness.  The thing we really want to check is that it's not a
    directory, since while OpenSSL supports that, GnuTLS does not.
    but who knows if someone has some weird FIFO which always dumps some certs, or
    other weirdness.  The thing we really want to check is that it's not a
    directory, since while OpenSSL supports that, GnuTLS does not.
-  So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
+  So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
    if (S_ISDIR(statbuf.st_mode))
      {
      DEBUG(D_tls)
    if (S_ISDIR(statbuf.st_mode))
      {
      DEBUG(D_tls)
@@ -1448,7 +1513,7 @@ else
      int sep = 0;
      const uschar * list = state->exp_tls_verify_cert_hostnames;
      uschar * name;
      int sep = 0;
      const uschar * list = state->exp_tls_verify_cert_hostnames;
      uschar * name;
-    while (name = string_nextinlist(&list, &sep, NULL, 0))
+    while ((name = string_nextinlist(&list, &sep, NULL, 0)))
        if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
         break;
      if (!name)
        if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
         break;
      if (!name)
@@ -1761,10 +1826,8 @@ state->fd_out = fileno(smtp_out);
  sigalrm_seen = FALSE;
  if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
  do
  sigalrm_seen = FALSE;
  if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
  do
-  {
    rc = gnutls_handshake(state->session);
    rc = gnutls_handshake(state->session);
-  } while ((rc == GNUTLS_E_AGAIN) ||
-      (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
+while (rc == GNUTLS_E_AGAIN ||  rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
  alarm(0);
  
  if (rc != GNUTLS_E_SUCCESS)
  alarm(0);
  
  if (rc != GNUTLS_E_SUCCESS)
@@ -1816,6 +1879,7 @@ and initialize appropriately. */
  state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
  
  receive_getc = tls_getc;
  state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
  
  receive_getc = tls_getc;
+receive_get_cache = tls_get_cache;
  receive_ungetc = tls_ungetc;
  receive_feof = tls_feof;
  receive_ferror = tls_ferror;
  receive_ungetc = tls_ungetc;
  receive_feof = tls_feof;
  receive_ferror = tls_ferror;
@@ -1867,7 +1931,7 @@ tls_client_start(int fd, host_item *host,
      address_item *addr ARG_UNUSED,
      transport_instance *tb
  #ifdef EXPERIMENTAL_DANE
      address_item *addr ARG_UNUSED,
      transport_instance *tb
  #ifdef EXPERIMENTAL_DANE
-    , dne_answer * unused_tlsa_dnsa
+    , dns_answer * unused_tlsa_dnsa
  #endif
      )
  {
  #endif
      )
  {
@@ -2116,6 +2180,7 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
      DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
  
      receive_getc = smtp_getc;
      DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
  
      receive_getc = smtp_getc;
+    receive_get_cache = smtp_get_cache;
      receive_ungetc = smtp_ungetc;
      receive_feof = smtp_feof;
      receive_ferror = smtp_ferror;
      receive_ungetc = smtp_ungetc;
      receive_feof = smtp_feof;
      receive_ferror = smtp_ferror;
@@ -2154,6 +2219,17 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
  return state->xfer_buffer[state->xfer_buffer_lwm++];
  }
  
  return state->xfer_buffer[state->xfer_buffer_lwm++];
  }
  
+void
+tls_get_cache()
+{
+#ifndef DISABLE_DKIM
+exim_gnutls_state_st * state = &state_server;
+int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
+if (n > 0)
+  dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
+#endif
+}
+