/* Copyright (c) University of Cambridge 1995 - 2018 */
/* Copyright (c) Phil Pennock 2012 */
/* See the file NOTICE for conditions of use and distribution. */
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/* This file provides TLS/SSL support for Exim using the GnuTLS library,
one of the available supported implementations. This file is #included into
the connected host if setting up a client
errstr pointer to returned error string
-Returns: OK/DEFER/FAIL
+Returns: DEFER/FAIL
*/
static int
}
+/* Returns: DEFER/FAIL */
static int
tls_error_gnu(exim_gnutls_state_st * state, const uschar *prefix, int err,
uschar ** errstr)
{
return tls_error(prefix,
state && err == GNUTLS_E_FATAL_ALERT_RECEIVED
- ? US gnutls_alert_get_name(gnutls_alert_get(state->session))
+ ? string_sprintf("rxd alert: %s",
+ US gnutls_alert_get_name(gnutls_alert_get(state->session)))
: US gnutls_strerror(err),
state ? state->host : NULL,
errstr);
/* The format of "data" here doesn't seem to be documented, but appears
to be a 2-byte field with a (redundant, given the "size" arg) total length
then a sequence of one-byte size then string (not nul-term) names. The
- latter is as described in OpenSSL documentation. */
+ latter is as described in OpenSSL documentation.
+ Note that we do not get called for a match_fail, making it hard to log
+ a single bad ALPN being offered (the common case). */
+ {
+ gstring * g = NULL;
DEBUG(D_tls) debug_printf("Seen ALPN extension from client (s=%u):", size);
for (const uschar * s = data+2; s-data < size-1; s += *s + 1)
{
server_seen_alpn++;
+ g = string_append_listele_n(g, ':', s+1, *s);
DEBUG(D_tls) debug_printf(" '%.*s'", (int)*s, s+1);
}
DEBUG(D_tls) debug_printf("\n");
if (server_seen_alpn > 1)
{
+ log_write(0, LOG_MAIN, "TLS ALPN (%s) rejected", string_from_gstring(g));
DEBUG(D_tls) debug_printf("TLS: too many ALPNs presented in handshake\n");
return GNUTLS_E_NO_APPLICATION_PROTOCOL;
}
break;
+ }
#endif
}
return 0;
debug_printf("TLS: basic cred init, %s\n", server ? "server" : "client");
}
+/* Returns OK/DEFER/FAIL */
static int
creds_load_server_certs(exim_gnutls_state_st * state, const uschar * cert,
const uschar * pkey, const uschar * ocsp, uschar ** errstr)
if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
return tls_error(US"cert/key setup: out of keys", NULL, NULL, errstr);
- else if ((rc = tls_add_certfile(state, NULL, cfile, kfile, errstr)) > 0)
+ else if ((rc = tls_add_certfile(state, NULL, cfile, kfile, errstr)) > OK)
return rc;
else
{
}
#endif /* DISABLE_OCSP */
}
-return 0;
+return OK;
}
static int
int rc = tls_add_certfile(state, host, cert, pkey, errstr);
if (rc > 0) return rc;
DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
-return 0;
+return OK;
}
static int
if (!state->lib_state.conn_certs)
{
- if (!Expand_check_tlsvar(tls_certificate, errstr))
+ if ( !Expand_check_tlsvar(tls_certificate, errstr)
+ || f.expand_string_forcedfail)
+ {
+ if (f.expand_string_forcedfail)
+ *errstr = US"expansion of tls_certificate failed";
return DEFER;
+ }
/* certificate is mandatory in server, optional in client */
else
DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
- if (state->tls_privatekey && !Expand_check_tlsvar(tls_privatekey, errstr))
+ if ( state->tls_privatekey && !Expand_check_tlsvar(tls_privatekey, errstr)
+ || f.expand_string_forcedfail
+ )
+ {
+ if (f.expand_string_forcedfail)
+ *errstr = US"expansion of tls_privatekey failed";
return DEFER;
+ }
/* tls_privatekey is optional, defaulting to same file as certificate */
tls_ocsp_file,
#endif
errstr)
- ) ) return rc;
+ ) )
+ {
+ DEBUG(D_tls) debug_printf("load-cert: '%s'\n", *errstr);
+ return rc;
+ }
}
}
else
for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
- tlsp->ver = string_copyn(g->s, g->ptr);
+ tlsp->ver = string_copy_from_gstring(g);
for (uschar * p = US tlsp->ver; *p; p++)
if (*p == '-') { *p = '\0'; break; } /* TLS1.0-PKIX -> TLS1.0 */
{
/* If the setup of certs/etc failed before handshake, TLS would not have
been offered. The best we can do now is abort. */
- return GNUTLS_E_APPLICATION_ERROR_MIN;
+ DEBUG(D_tls) debug_printf("expansion for SNI-dependent session files failed\n");
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
rc = tls_set_remaining_x509(state, &dummy_errstr);
-if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
+if (rc != OK) return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
return 0;
}
if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
while (cert_list_size--)
- {
- if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
{
- DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
- cert_list_size, gnutls_strerror(rc));
- break;
- }
+ if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
+ {
+ DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
+ cert_list_size, gnutls_strerror(rc));
+ break;
+ }
- state->tlsp->peercert = crt;
- if ((yield = event_raise(state->event_action,
- US"tls:cert", string_sprintf("%d", cert_list_size), &errno)))
- {
- log_write(0, LOG_MAIN,
- "SSL verify denied by event-action: depth=%d: %s",
- cert_list_size, yield);
- return 1; /* reject */
+ state->tlsp->peercert = crt;
+ if ((yield = event_raise(state->event_action,
+ US"tls:cert", string_sprintf("%d", cert_list_size), &errno)))
+ {
+ log_write(0, LOG_MAIN,
+ "SSL verify denied by event-action: depth=%d: %s",
+ cert_list_size, yield);
+ return 1; /* reject */
+ }
+ state->tlsp->peercert = NULL;
}
- state->tlsp->peercert = NULL;
- }
return 0;
}