X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/5c8cda3a8089ff340224e6ab147d4bbe18dca0e2..a3c1395faebdb088bcef9cdb55bb42a791433ccd:/src/src/tls-gnu.c diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index a9a82e88f..b2659d7a7 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -395,6 +395,15 @@ DEBUG(D_tls) dh_bits); #endif +/* Some clients have hard-coded limits. */ +if (dh_bits > tls_dh_max_bits) + { + DEBUG(D_tls) + debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n", + tls_dh_max_bits); + dh_bits = tls_dh_max_bits; + } + if (!string_format(filename, sizeof(filename), "%s/gnutls-params-%d", spool_directory, dh_bits)) return tls_error(US"overlong filename", NULL, NULL); @@ -503,8 +512,13 @@ if (rc < 0) m.data = malloc(m.size); if (m.data == NULL) return tls_error(US"memory allocation failed", strerror(errno), NULL); + /* this will return a size 1 less than the allocation size above; I + originally used sz so as to avoid type compatibility errors, as gnutls_datum + uses "unsigned int" for the size field, but this call takes separate data + and size fields, with the latter being a size_t*. For now, we live with + the error as being safer than throwing away type information. */ rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM, - m.data, &sz); + m.data, &m.size); if (rc != GNUTLS_E_SUCCESS) { free(m.data); @@ -578,7 +592,7 @@ if (!state->host) { if (!state->received_sni) { - if (Ustrstr(state->tls_certificate, US"tls_sni")) + if (state->tls_certificate && Ustrstr(state->tls_certificate, US"tls_sni")) { DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n"); state->trigger_sni_changes = TRUE; @@ -695,16 +709,18 @@ if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0) return DEFER; } -if (!S_ISREG(statbuf.st_mode)) +/* The test suite passes in /dev/null; we could check for that path explicitly, +but who knows if someone has some weird FIFO which always dumps some certs, or +other weirdness. The thing we really want to check is that it's not a +directory, since while OpenSSL supports that, GnuTLS does not. +So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */ +if (S_ISDIR(statbuf.st_mode)) { DEBUG(D_tls) - debug_printf("verify certificates path is not a file: \"%s\"\n%s\n", - state->exp_tls_verify_certificates, - S_ISDIR(statbuf.st_mode) - ? " it's a directory, that's OpenSSL, this is GnuTLS" - : " (not a directory either)"); + debug_printf("verify certificates path is a dir: \"%s\"\n", + state->exp_tls_verify_certificates); log_write(0, LOG_MAIN|LOG_PANIC, - "tls_verify_certificates \"%s\" is not a file", + "tls_verify_certificates \"%s\" is a directory", state->exp_tls_verify_certificates); return DEFER; } @@ -868,6 +884,7 @@ state->host = host; state->tls_certificate = certificate; state->tls_privatekey = privatekey; +state->tls_require_ciphers = require_ciphers; state->tls_sni = sni; state->tls_verify_certificates = cas; state->tls_crl = crl; @@ -1181,7 +1198,14 @@ return TRUE; static void exim_gnutls_logger_cb(int level, const char *message) { - DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s\n", level, message); + size_t len = strlen(message); + if (len < 1) + { + DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level); + return; + } + DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message, + message[len-1] == '\n' ? "" : "\n"); } #endif @@ -1365,7 +1389,8 @@ if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout); do { rc = gnutls_handshake(state->session); - } while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED)); + } while ((rc == GNUTLS_E_AGAIN) || + (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen)); alarm(0); if (rc != GNUTLS_E_SUCCESS) @@ -1500,7 +1525,8 @@ alarm(timeout); do { rc = gnutls_handshake(state->session); - } while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED)); + } while ((rc == GNUTLS_E_AGAIN) || + (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen)); alarm(0); if (rc != GNUTLS_E_SUCCESS) @@ -1817,6 +1843,64 @@ vaguely_random_number(int max) +/************************************************* +* Let tls_require_ciphers be checked at startup * +*************************************************/ + +/* The tls_require_ciphers option, if set, must be something which the +library can parse. + +Returns: NULL on success, or error message +*/ + +uschar * +tls_validate_require_cipher(void) +{ +int rc; +uschar *expciphers = NULL; +gnutls_priority_t priority_cache; +const char *errpos; + +#define validate_check_rc(Label) do { \ + if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \ + return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0) +#define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0) + +if (exim_gnutls_base_init_done) + log_write(0, LOG_MAIN|LOG_PANIC, + "already initialised GnuTLS, Exim developer bug"); + +rc = gnutls_global_init(); +validate_check_rc(US"gnutls_global_init()"); +exim_gnutls_base_init_done = TRUE; + +if (!(tls_require_ciphers && *tls_require_ciphers)) + return_deinit(NULL); + +if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers)) + return_deinit(US"failed to expand tls_require_ciphers"); + +if (!(expciphers && *expciphers)) + return_deinit(NULL); + +DEBUG(D_tls) + debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers); + +rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos); +validate_check_rc(string_sprintf( + "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"", + expciphers, errpos - CS expciphers, errpos)); + +#undef return_deinit +#undef validate_check_rc +gnutls_global_deinit(); + +return NULL; +} + + + + /************************************************* * Report the library versions. * *************************************************/