1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2014 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Copyright (c) Phil Pennock 2012 */
10 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
11 one of the available supported implementations. This file is #included into
12 tls.c when USE_GNUTLS has been set.
14 The code herein is a revamp of GnuTLS integration using the current APIs; the
15 original tls-gnu.c was based on a patch which was contributed by Nikos
16 Mavroyanopoulos. The revamp is partially a rewrite, partially cut&paste as
19 APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
20 which is not widely deployed by OS vendors. Will note issues below, which may
21 assist in updating the code in the future. Another sources of hints is
22 mod_gnutls for Apache (SNI callback registration and handling).
24 Keeping client and server variables more split than before and is currently
25 the norm, in anticipation of TLS in ACL callouts.
27 I wanted to switch to gnutls_certificate_set_verify_function() so that
28 certificate rejection could happen during handshake where it belongs, rather
29 than being dropped afterwards, but that was introduced in 2.10.0 and Debian
30 (6.0.5) is still on 2.8.6. So for now we have to stick with sub-par behaviour.
32 (I wasn't looking for libraries quite that old, when updating to get rid of
33 compiler warnings of deprecated APIs. If it turns out that a lot of the rest
34 require current GnuTLS, then we'll drop support for the ancient libraries).
37 #include <gnutls/gnutls.h>
38 /* needed for cert checks in verification and DN extraction: */
39 #include <gnutls/x509.h>
40 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
41 #include <gnutls/crypto.h>
42 /* needed to disable PKCS11 autoload unless requested */
43 #if GNUTLS_VERSION_NUMBER >= 0x020c00
44 # include <gnutls/pkcs11.h>
46 #ifdef EXPERIMENTAL_OCSP
47 # include <gnutls/ocsp.h>
53 gnutls_global_set_audit_log_function()
56 gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
59 /* Local static variables for GnuTLS */
61 /* Values for verify_requirement */
63 enum peer_verify_requirement { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
65 /* This holds most state for server or client; with this, we can set up an
66 outbound TLS-enabled connection in an ACL callout, while not stomping all
67 over the TLS variables available for expansion.
69 Some of these correspond to variables in globals.c; those variables will
70 be set to point to content in one of these instances, as appropriate for
71 the stage of the process lifetime.
73 Not handled here: global tls_channelbinding_b64.
76 typedef struct exim_gnutls_state {
77 gnutls_session_t session;
78 gnutls_certificate_credentials_t x509_cred;
79 gnutls_priority_t priority_cache;
80 enum peer_verify_requirement verify_requirement;
83 BOOL peer_cert_verified;
84 BOOL trigger_sni_changes;
86 const struct host_item *host;
87 gnutls_x509_crt_t peercert;
92 const uschar *tls_certificate;
93 const uschar *tls_privatekey;
94 const uschar *tls_sni; /* client send only, not received */
95 const uschar *tls_verify_certificates;
96 const uschar *tls_crl;
97 const uschar *tls_require_ciphers;
98 uschar *exp_tls_certificate;
99 uschar *exp_tls_privatekey;
101 uschar *exp_tls_verify_certificates;
103 uschar *exp_tls_require_ciphers;
105 tls_support *tlsp; /* set in tls_init() */
112 } exim_gnutls_state_st;
114 static const exim_gnutls_state_st exim_gnutls_state_init = {
115 NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
116 NULL, NULL, NULL, NULL,
117 NULL, NULL, NULL, NULL, NULL, NULL,
118 NULL, NULL, NULL, NULL, NULL, NULL,
123 /* Not only do we have our own APIs which don't pass around state, assuming
124 it's held in globals, GnuTLS doesn't appear to let us register callback data
125 for callbacks, or as part of the session, so we have to keep a "this is the
126 context we're currently dealing with" pointer and rely upon being
127 single-threaded to keep from processing data on an inbound TLS connection while
128 talking to another TLS connection for an outbound check. This does mean that
129 there's no way for heart-beats to be responded to, for the duration of the
130 second connection. */
132 static exim_gnutls_state_st state_server, state_client;
134 /* dh_params are initialised once within the lifetime of a process using TLS;
135 if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
136 don't want to repeat this. */
138 static gnutls_dh_params_t dh_server_params = NULL;
140 /* No idea how this value was chosen; preserving it. Default is 3600. */
142 static const int ssl_session_timeout = 200;
144 static const char * const exim_default_gnutls_priority = "NORMAL";
146 /* Guard library core initialisation */
148 static BOOL exim_gnutls_base_init_done = FALSE;
151 /* ------------------------------------------------------------------------ */
154 #define MAX_HOST_LEN 255
156 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
157 the library logging; a value less than 0 disables the calls to set up logging
159 #ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
160 #define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
163 #ifndef EXIM_CLIENT_DH_MIN_BITS
164 #define EXIM_CLIENT_DH_MIN_BITS 1024
167 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
168 can ask for a bit-strength. Without that, we stick to the constant we had
170 #ifndef EXIM_SERVER_DH_BITS_PRE2_12
171 #define EXIM_SERVER_DH_BITS_PRE2_12 1024
174 #define exim_gnutls_err_check(Label) do { \
175 if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)
177 #define expand_check_tlsvar(Varname) expand_check(state->Varname, US #Varname, &state->exp_##Varname)
179 #if GNUTLS_VERSION_NUMBER >= 0x020c00
180 #define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
181 #define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
182 #define HAVE_GNUTLS_RND
183 /* The security fix we provide with the gnutls_allow_auto_pkcs11 option
184 * (4.82 PP/09) introduces a compatibility regression. The symbol simply
185 * isn't available sometimes, so this needs to become a conditional
186 * compilation; the sanest way to deal with this being a problem on
187 * older OSes is to block it in the Local/Makefile with this compiler
189 #ifndef AVOID_GNUTLS_PKCS11
190 #define HAVE_GNUTLS_PKCS11
191 #endif /* AVOID_GNUTLS_PKCS11 */
197 /* ------------------------------------------------------------------------ */
198 /* Callback declarations */
200 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
201 static void exim_gnutls_logger_cb(int level, const char *message);
204 static int exim_sni_handling_cb(gnutls_session_t session);
209 /* ------------------------------------------------------------------------ */
210 /* Static functions */
212 /*************************************************
214 *************************************************/
216 /* Called from lots of places when errors occur before actually starting to do
217 the TLS handshake, that is, while the session is still in clear. Always returns
218 DEFER for a server and FAIL for a client so that most calls can use "return
219 tls_error(...)" to do this processing and then give an appropriate return. A
220 single function is used for both server and client, because it is called from
221 some shared functions.
224 prefix text to include in the logged error
225 msg additional error string (may be NULL)
226 usually obtained from gnutls_strerror()
227 host NULL if setting up a server;
228 the connected host if setting up a client
230 Returns: OK/DEFER/FAIL
234 tls_error(const uschar *prefix, const char *msg, const host_item *host)
238 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s)%s%s",
239 host->name, host->address, prefix, msg ? ": " : "", msg ? msg : "");
244 uschar *conn_info = smtp_get_connection_info();
245 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
247 log_write(0, LOG_MAIN, "TLS error on %s (%s)%s%s",
248 conn_info, prefix, msg ? ": " : "", msg ? msg : "");
256 /*************************************************
257 * Deal with logging errors during I/O *
258 *************************************************/
260 /* We have to get the identity of the peer from saved data.
263 state the current GnuTLS exim state container
264 rc the GnuTLS error code, or 0 if it's a local error
265 when text identifying read or write
266 text local error text when ec is 0
272 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
276 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
277 msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
278 US gnutls_alert_get_name(gnutls_alert_get(state->session)));
280 msg = gnutls_strerror(rc);
282 tls_error(when, msg, state->host);
288 /*************************************************
289 * Set various Exim expansion vars *
290 *************************************************/
292 #define exim_gnutls_cert_err(Label) do { \
293 if (rc != GNUTLS_E_SUCCESS) { \
294 DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", (Label), gnutls_strerror(rc)); \
295 return rc; } } while (0)
298 import_cert(const gnutls_datum * cert, gnutls_x509_crt_t * crtp)
302 rc = gnutls_x509_crt_init(crtp);
303 exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
305 rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
306 exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
311 #undef exim_gnutls_cert_err
314 /* We set various Exim global variables from the state, once a session has
315 been established. With TLS callouts, may need to change this to stack
316 variables, or just re-call it with the server state after client callout
319 Make sure anything set here is unset in tls_getc().
323 tls_bits strength indicator
324 tls_certificate_verified bool indicator
325 tls_channelbinding_b64 for some SASL mechanisms
327 tls_peercert pointer to library internal
329 tls_sni a (UTF-8) string
330 tls_ourcert pointer to library internal
333 state the relevant exim_gnutls_state_st *
337 extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
339 gnutls_cipher_algorithm_t cipher;
340 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
343 gnutls_datum_t channel;
345 tls_support * tlsp = state->tlsp;
347 tlsp->active = state->fd_out;
349 cipher = gnutls_cipher_get(state->session);
350 /* returns size in "bytes" */
351 tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
353 tlsp->cipher = state->ciphersuite;
355 DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
357 tlsp->certificate_verified = state->peer_cert_verified;
359 /* note that tls_channelbinding_b64 is not saved to the spool file, since it's
360 only available for use for authenticators while this TLS session is running. */
362 tls_channelbinding_b64 = NULL;
363 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
366 rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
368 DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
370 old_pool = store_pool;
371 store_pool = POOL_PERM;
372 tls_channelbinding_b64 = auth_b64encode(channel.data, (int)channel.size);
373 store_pool = old_pool;
374 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
378 /* peercert is set in peer_status() */
379 tlsp->peerdn = state->peerdn;
380 tlsp->sni = state->received_sni;
382 /* record our certificate */
384 const gnutls_datum * cert = gnutls_certificate_get_ours(state->session);
385 gnutls_x509_crt_t crt;
387 tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
394 /*************************************************
395 * Setup up DH parameters *
396 *************************************************/
398 /* Generating the D-H parameters may take a long time. They only need to
399 be re-generated every so often, depending on security policy. What we do is to
400 keep these parameters in a file in the spool directory. If the file does not
401 exist, we generate them. This means that it is easy to cause a regeneration.
403 The new file is written as a temporary file and renamed, so that an incomplete
404 file is never present. If two processes both compute some new parameters, you
405 waste a bit of effort, but it doesn't seem worth messing around with locking to
408 Returns: OK/DEFER/FAIL
415 unsigned int dh_bits;
417 uschar filename_buf[PATH_MAX];
418 uschar *filename = NULL;
420 uschar *exp_tls_dhparam;
421 BOOL use_file_in_spool = FALSE;
422 BOOL use_fixed_file = FALSE;
423 host_item *host = NULL; /* dummy for macros */
425 DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
427 rc = gnutls_dh_params_init(&dh_server_params);
428 exim_gnutls_err_check(US"gnutls_dh_params_init");
433 if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam))
436 if (!exp_tls_dhparam)
438 DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
439 m.data = US std_dh_prime_default();
440 m.size = Ustrlen(m.data);
442 else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
443 use_file_in_spool = TRUE;
444 else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
446 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
449 else if (exp_tls_dhparam[0] != '/')
451 m.data = US std_dh_prime_named(exp_tls_dhparam);
453 return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL);
454 m.size = Ustrlen(m.data);
458 use_fixed_file = TRUE;
459 filename = exp_tls_dhparam;
464 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
465 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
466 DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
470 #ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
471 /* If you change this constant, also change dh_param_fn_ext so that we can use a
472 different filename and ensure we have sufficient bits. */
473 dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
475 return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL);
477 debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
480 dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
482 debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits.\n",
486 /* Some clients have hard-coded limits. */
487 if (dh_bits > tls_dh_max_bits)
490 debug_printf("tls_dh_max_bits clamping override, using %d bits instead.\n",
492 dh_bits = tls_dh_max_bits;
495 if (use_file_in_spool)
497 if (!string_format(filename_buf, sizeof(filename_buf),
498 "%s/gnutls-params-%d", spool_directory, dh_bits))
499 return tls_error(US"overlong filename", NULL, NULL);
500 filename = filename_buf;
503 /* Open the cache file for reading and if successful, read it and set up the
506 fd = Uopen(filename, O_RDONLY, 0);
513 if (fstat(fd, &statbuf) < 0) /* EIO */
517 return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL);
519 if (!S_ISREG(statbuf.st_mode))
522 return tls_error(US"TLS cache not a file", NULL, NULL);
524 fp = fdopen(fd, "rb");
529 return tls_error(US"fdopen(TLS cache stat fd) failed",
530 strerror(saved_errno), NULL);
533 m.size = statbuf.st_size;
534 m.data = malloc(m.size);
538 return tls_error(US"malloc failed", strerror(errno), NULL);
540 sz = fread(m.data, m.size, 1, fp);
546 return tls_error(US"fread failed", strerror(saved_errno), NULL);
550 rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
552 exim_gnutls_err_check(US"gnutls_dh_params_import_pkcs3");
553 DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
556 /* If the file does not exist, fall through to compute new data and cache it.
557 If there was any other opening error, it is serious. */
559 else if (errno == ENOENT)
563 debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
566 return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
569 /* If ret < 0, either the cache file does not exist, or the data it contains
570 is not useful. One particular case of this is when upgrading from an older
571 release of Exim in which the data was stored in a different format. We don't
572 try to be clever and support both formats; we just regenerate new data in this
578 unsigned int dh_bits_gen = dh_bits;
580 if ((PATH_MAX - Ustrlen(filename)) < 10)
581 return tls_error(US"Filename too long to generate replacement",
584 temp_fn = string_copy(US "%s.XXXXXXX");
585 fd = mkstemp(CS temp_fn); /* modifies temp_fn */
587 return tls_error(US"Unable to open temp file", strerror(errno), NULL);
588 (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
590 /* GnuTLS overshoots!
591 * If we ask for 2236, we might get 2237 or more.
592 * But there's no way to ask GnuTLS how many bits there really are.
593 * We can ask how many bits were used in a TLS session, but that's it!
594 * The prime itself is hidden behind too much abstraction.
595 * So we ask for less, and proceed on a wing and a prayer.
596 * First attempt, subtracted 3 for 2233 and got 2240.
598 if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
600 dh_bits_gen = dh_bits - 10;
602 debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
607 debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
609 rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
610 exim_gnutls_err_check(US"gnutls_dh_params_generate2");
612 /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
613 and I confirmed that a NULL call to get the size first is how the GnuTLS
614 sample apps handle this. */
618 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
620 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
621 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3(NULL) sizing");
623 m.data = malloc(m.size);
625 return tls_error(US"memory allocation failed", strerror(errno), NULL);
626 /* this will return a size 1 less than the allocation size above */
627 rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
629 if (rc != GNUTLS_E_SUCCESS)
632 exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3() real");
634 m.size = sz; /* shrink by 1, probably */
636 sz = write_to_fd_buf(fd, m.data, (size_t) m.size);
640 return tls_error(US"TLS cache write D-H params failed",
641 strerror(errno), NULL);
644 sz = write_to_fd_buf(fd, US"\n", 1);
646 return tls_error(US"TLS cache write D-H params final newline failed",
647 strerror(errno), NULL);
651 return tls_error(US"TLS cache write close() failed",
652 strerror(errno), NULL);
654 if (Urename(temp_fn, filename) < 0)
655 return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
656 temp_fn, filename), strerror(errno), NULL);
658 DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
661 DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
668 /*************************************************
669 * Variables re-expanded post-SNI *
670 *************************************************/
672 /* Called from both server and client code, via tls_init(), and also from
673 the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
675 We can tell the two apart by state->received_sni being non-NULL in callback.
677 The callback should not call us unless state->trigger_sni_changes is true,
678 which we are responsible for setting on the first pass through.
681 state exim_gnutls_state_st *
683 Returns: OK/DEFER/FAIL
687 tls_expand_session_files(exim_gnutls_state_st *state)
691 const host_item *host = state->host; /* macro should be reconsidered? */
692 uschar *saved_tls_certificate = NULL;
693 uschar *saved_tls_privatekey = NULL;
694 uschar *saved_tls_verify_certificates = NULL;
695 uschar *saved_tls_crl = NULL;
698 /* We check for tls_sni *before* expansion. */
699 if (!host) /* server */
701 if (!state->received_sni)
703 if (state->tls_certificate &&
704 (Ustrstr(state->tls_certificate, US"tls_sni") ||
705 Ustrstr(state->tls_certificate, US"tls_in_sni") ||
706 Ustrstr(state->tls_certificate, US"tls_out_sni")
709 DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
710 state->trigger_sni_changes = TRUE;
715 /* useful for debugging */
716 saved_tls_certificate = state->exp_tls_certificate;
717 saved_tls_privatekey = state->exp_tls_privatekey;
718 saved_tls_verify_certificates = state->exp_tls_verify_certificates;
719 saved_tls_crl = state->exp_tls_crl;
723 rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
724 exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
726 /* remember: expand_check_tlsvar() is expand_check() but fiddling with
727 state members, assuming consistent naming; and expand_check() returns
728 false if expansion failed, unless expansion was forced to fail. */
730 /* check if we at least have a certificate, before doing expensive
733 if (!expand_check_tlsvar(tls_certificate))
736 /* certificate is mandatory in server, optional in client */
738 if ((state->exp_tls_certificate == NULL) ||
739 (*state->exp_tls_certificate == '\0'))
742 return tls_error(US"no TLS server certificate is specified", NULL, NULL);
744 DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
747 if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
750 /* tls_privatekey is optional, defaulting to same file as certificate */
752 if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
754 state->tls_privatekey = state->tls_certificate;
755 state->exp_tls_privatekey = state->exp_tls_certificate;
759 if (state->exp_tls_certificate && *state->exp_tls_certificate)
761 DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
762 state->exp_tls_certificate, state->exp_tls_privatekey);
764 if (state->received_sni)
766 if ((Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0) &&
767 (Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0))
769 DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
773 DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
777 rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
778 CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
779 GNUTLS_X509_FMT_PEM);
780 exim_gnutls_err_check(
781 string_sprintf("cert/key setup: cert=%s key=%s",
782 state->exp_tls_certificate, state->exp_tls_privatekey));
783 DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
784 } /* tls_certificate */
787 /* Set the OCSP stapling server info */
789 #ifdef EXPERIMENTAL_OCSP
790 if ( !host /* server */
797 if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &expanded))
800 /* Lazy way; would like callback to emit debug on actual response */
802 rc = gnutls_certificate_set_ocsp_status_request_file(state->x509_cred,
804 exim_gnutls_err_check(US"gnutls_certificate_set_ocsp_status_request_file");
805 DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", expanded);
810 /* Set the trusted CAs file if one is provided, and then add the CRL if one is
811 provided. Experiment shows that, if the certificate file is empty, an unhelpful
812 error message is provided. However, if we just refrain from setting anything up
813 in that case, certificate verification fails, which seems to be the correct
816 if (state->tls_verify_certificates && *state->tls_verify_certificates)
818 if (!expand_check_tlsvar(tls_verify_certificates))
820 if (state->tls_crl && *state->tls_crl)
821 if (!expand_check_tlsvar(tls_crl))
824 if (!(state->exp_tls_verify_certificates &&
825 *state->exp_tls_verify_certificates))
828 debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
829 /* With no tls_verify_certificates, we ignore tls_crl too */
836 debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
840 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
842 log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
843 "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
848 /* The test suite passes in /dev/null; we could check for that path explicitly,
849 but who knows if someone has some weird FIFO which always dumps some certs, or
850 other weirdness. The thing we really want to check is that it's not a
851 directory, since while OpenSSL supports that, GnuTLS does not.
852 So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
853 if (S_ISDIR(statbuf.st_mode))
856 debug_printf("verify certificates path is a dir: \"%s\"\n",
857 state->exp_tls_verify_certificates);
858 log_write(0, LOG_MAIN|LOG_PANIC,
859 "tls_verify_certificates \"%s\" is a directory",
860 state->exp_tls_verify_certificates);
864 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
865 state->exp_tls_verify_certificates, statbuf.st_size);
867 if (statbuf.st_size == 0)
870 debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
874 cert_count = gnutls_certificate_set_x509_trust_file(state->x509_cred,
875 CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
879 exim_gnutls_err_check(US"gnutls_certificate_set_x509_trust_file");
881 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
883 if (state->tls_crl && *state->tls_crl &&
884 state->exp_tls_crl && *state->exp_tls_crl)
886 DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
887 cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
888 CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
892 exim_gnutls_err_check(US"gnutls_certificate_set_x509_crl_file");
894 DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
903 /*************************************************
904 * Set X.509 state variables *
905 *************************************************/
907 /* In GnuTLS, the registered cert/key are not replaced by a later
908 set of a cert/key, so for SNI support we need a whole new x509_cred
909 structure. Which means various other non-re-expanded pieces of state
910 need to be re-set in the new struct, so the setting logic is pulled
914 state exim_gnutls_state_st *
916 Returns: OK/DEFER/FAIL
920 tls_set_remaining_x509(exim_gnutls_state_st *state)
923 const host_item *host = state->host; /* macro should be reconsidered? */
925 /* Create D-H parameters, or read them from the cache file. This function does
926 its own SMTP error messaging. This only happens for the server, TLS D-H ignores
927 client-side params. */
931 if (!dh_server_params)
933 rc = init_server_dh();
934 if (rc != OK) return rc;
936 gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
939 /* Link the credentials to the session. */
941 rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
942 exim_gnutls_err_check(US"gnutls_credentials_set");
947 /*************************************************
948 * Initialize for GnuTLS *
949 *************************************************/
951 /* Called from both server and client code. In the case of a server, errors
952 before actual TLS negotiation return DEFER.
955 host connected host, if client; NULL if server
956 certificate certificate file
957 privatekey private key file
958 sni TLS SNI to send, sometimes when client; else NULL
961 require_ciphers tls_require_ciphers setting
962 caller_state returned state-info structure
964 Returns: OK/DEFER/FAIL
969 const host_item *host,
970 const uschar *certificate,
971 const uschar *privatekey,
975 const uschar *require_ciphers,
976 exim_gnutls_state_st **caller_state)
978 exim_gnutls_state_st *state;
983 BOOL want_default_priorities;
985 if (!exim_gnutls_base_init_done)
987 DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
989 #ifdef HAVE_GNUTLS_PKCS11
990 /* By default, gnutls_global_init will init PKCS11 support in auto mode,
991 which loads modules from a config file, which sounds good and may be wanted
992 by some sysadmin, but also means in common configurations that GNOME keyring
993 environment variables are used and so breaks for users calling mailq.
994 To prevent this, we init PKCS11 first, which is the documented approach. */
995 if (!gnutls_allow_auto_pkcs11)
997 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
998 exim_gnutls_err_check(US"gnutls_pkcs11_init");
1002 rc = gnutls_global_init();
1003 exim_gnutls_err_check(US"gnutls_global_init");
1005 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1008 gnutls_global_set_log_function(exim_gnutls_logger_cb);
1009 /* arbitrarily chosen level; bump upto 9 for more */
1010 gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
1014 exim_gnutls_base_init_done = TRUE;
1019 state = &state_client;
1020 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1021 state->tlsp = &tls_out;
1022 DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
1023 rc = gnutls_init(&state->session, GNUTLS_CLIENT);
1027 state = &state_server;
1028 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1029 state->tlsp = &tls_in;
1030 DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
1031 rc = gnutls_init(&state->session, GNUTLS_SERVER);
1033 exim_gnutls_err_check(US"gnutls_init");
1037 state->tls_certificate = certificate;
1038 state->tls_privatekey = privatekey;
1039 state->tls_require_ciphers = require_ciphers;
1040 state->tls_sni = sni;
1041 state->tls_verify_certificates = cas;
1042 state->tls_crl = crl;
1044 /* This handles the variables that might get re-expanded after TLS SNI;
1045 that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
1048 debug_printf("Expanding various TLS configuration options for session credentials.\n");
1049 rc = tls_expand_session_files(state);
1050 if (rc != OK) return rc;
1052 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
1053 requires a new structure afterwards. */
1055 rc = tls_set_remaining_x509(state);
1056 if (rc != OK) return rc;
1058 /* set SNI in client, only */
1061 if (!expand_check(state->tlsp->sni, US"tls_out_sni", &state->exp_tls_sni))
1063 if (state->exp_tls_sni && *state->exp_tls_sni)
1066 debug_printf("Setting TLS client SNI to \"%s\"\n", state->exp_tls_sni);
1067 sz = Ustrlen(state->exp_tls_sni);
1068 rc = gnutls_server_name_set(state->session,
1069 GNUTLS_NAME_DNS, state->exp_tls_sni, sz);
1070 exim_gnutls_err_check(US"gnutls_server_name_set");
1073 else if (state->tls_sni)
1074 DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
1075 "have an SNI set for a client [%s]\n", state->tls_sni);
1077 /* This is the priority string support,
1078 http://www.gnutls.org/manual/html_node/Priority-Strings.html
1079 and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
1080 This was backwards incompatible, but means Exim no longer needs to track
1081 all algorithms and provide string forms for them. */
1083 want_default_priorities = TRUE;
1085 if (state->tls_require_ciphers && *state->tls_require_ciphers)
1087 if (!expand_check_tlsvar(tls_require_ciphers))
1089 if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
1091 DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
1092 state->exp_tls_require_ciphers);
1094 rc = gnutls_priority_init(&state->priority_cache,
1095 CS state->exp_tls_require_ciphers, &errpos);
1096 want_default_priorities = FALSE;
1097 p = state->exp_tls_require_ciphers;
1100 if (want_default_priorities)
1103 debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
1104 exim_default_gnutls_priority);
1105 rc = gnutls_priority_init(&state->priority_cache,
1106 exim_default_gnutls_priority, &errpos);
1107 p = US exim_default_gnutls_priority;
1110 exim_gnutls_err_check(string_sprintf(
1111 "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
1112 p, errpos - CS p, errpos));
1114 rc = gnutls_priority_set(state->session, state->priority_cache);
1115 exim_gnutls_err_check(US"gnutls_priority_set");
1117 gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
1119 /* Reduce security in favour of increased compatibility, if the admin
1120 decides to make that trade-off. */
1121 if (gnutls_compat_mode)
1123 #if LIBGNUTLS_VERSION_NUMBER >= 0x020104
1124 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
1125 gnutls_session_enable_compatibility_mode(state->session);
1127 DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
1131 *caller_state = state;
1137 /*************************************************
1138 * Extract peer information *
1139 *************************************************/
1141 /* Called from both server and client code.
1142 Only this is allowed to set state->peerdn and state->have_set_peerdn
1143 and we use that to detect double-calls.
1145 NOTE: the state blocks last while the TLS connection is up, which is fine
1146 for logging in the server side, but for the client side, we log after teardown
1147 in src/deliver.c. While the session is up, we can twist about states and
1148 repoint tls_* globals, but those variables used for logging or other variable
1149 expansion that happens _after_ delivery need to have a longer life-time.
1151 So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
1152 doing this more than once per generation of a state context. We set them in
1153 the state context, and repoint tls_* to them. After the state goes away, the
1154 tls_* copies of the pointers remain valid and client delivery logging is happy.
1156 tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
1160 state exim_gnutls_state_st *
1162 Returns: OK/DEFER/FAIL
1166 peer_status(exim_gnutls_state_st *state)
1168 uschar cipherbuf[256];
1169 const gnutls_datum *cert_list;
1171 unsigned int cert_list_size = 0;
1172 gnutls_protocol_t protocol;
1173 gnutls_cipher_algorithm_t cipher;
1174 gnutls_kx_algorithm_t kx;
1175 gnutls_mac_algorithm_t mac;
1176 gnutls_certificate_type_t ct;
1177 gnutls_x509_crt_t crt;
1181 if (state->have_set_peerdn)
1183 state->have_set_peerdn = TRUE;
1185 state->peerdn = NULL;
1188 cipher = gnutls_cipher_get(state->session);
1189 protocol = gnutls_protocol_get_version(state->session);
1190 mac = gnutls_mac_get(state->session);
1191 kx = gnutls_kx_get(state->session);
1193 string_format(cipherbuf, sizeof(cipherbuf),
1195 gnutls_protocol_get_name(protocol),
1196 gnutls_cipher_suite_get_name(kx, cipher, mac),
1197 (int) gnutls_cipher_get_key_size(cipher) * 8);
1199 /* I don't see a way that spaces could occur, in the current GnuTLS
1200 code base, but it was a concern in the old code and perhaps older GnuTLS
1201 releases did return "TLS 1.0"; play it safe, just in case. */
1202 for (p = cipherbuf; *p != '\0'; ++p)
1205 old_pool = store_pool;
1206 store_pool = POOL_PERM;
1207 state->ciphersuite = string_copy(cipherbuf);
1208 store_pool = old_pool;
1209 state->tlsp->cipher = state->ciphersuite;
1212 cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
1214 if (cert_list == NULL || cert_list_size == 0)
1216 DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
1217 cert_list, cert_list_size);
1218 if (state->verify_requirement == VERIFY_REQUIRED)
1219 return tls_error(US"certificate verification failed",
1220 "no certificate received from peer", state->host);
1224 ct = gnutls_certificate_type_get(state->session);
1225 if (ct != GNUTLS_CRT_X509)
1227 const char *ctn = gnutls_certificate_type_get_name(ct);
1229 debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
1230 if (state->verify_requirement == VERIFY_REQUIRED)
1231 return tls_error(US"certificate verification not possible, unhandled type",
1236 #define exim_gnutls_peer_err(Label) do { \
1237 if (rc != GNUTLS_E_SUCCESS) { \
1238 DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", (Label), gnutls_strerror(rc)); \
1239 if (state->verify_requirement == VERIFY_REQUIRED) { return tls_error((Label), gnutls_strerror(rc), state->host); } \
1240 return OK; } } while (0)
1242 rc = import_cert(&cert_list[0], &crt);
1243 exim_gnutls_peer_err(US"cert 0");
1245 state->tlsp->peercert = state->peercert = crt;
1248 rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
1249 if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
1251 exim_gnutls_peer_err(US"getting size for cert DN failed");
1252 return FAIL; /* should not happen */
1254 dn_buf = store_get_perm(sz);
1255 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
1256 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
1258 state->peerdn = dn_buf;
1261 #undef exim_gnutls_peer_err
1267 /*************************************************
1268 * Verify peer certificate *
1269 *************************************************/
1271 /* Called from both server and client code.
1272 *Should* be using a callback registered with
1273 gnutls_certificate_set_verify_function() to fail the handshake if we dislike
1274 the peer information, but that's too new for some OSes.
1277 state exim_gnutls_state_st *
1278 error where to put an error message
1281 FALSE if the session should be rejected
1282 TRUE if the cert is okay or we just don't care
1286 verify_certificate(exim_gnutls_state_st *state, const char **error)
1289 unsigned int verify;
1293 if ((rc = peer_status(state)) != OK)
1295 verify = GNUTLS_CERT_INVALID;
1296 *error = "certificate not supplied";
1299 rc = gnutls_certificate_verify_peers2(state->session, &verify);
1301 /* Handle the result of verification. INVALID seems to be set as well
1302 as REVOKED, but leave the test for both. */
1304 if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
1306 state->peer_cert_verified = FALSE;
1308 *error = verify & GNUTLS_CERT_REVOKED
1309 ? "certificate revoked" : "certificate invalid";
1312 debug_printf("TLS certificate verification failed (%s): peerdn=%s\n",
1313 *error, state->peerdn ? state->peerdn : US"<unset>");
1315 if (state->verify_requirement == VERIFY_REQUIRED)
1317 gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
1321 debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
1325 state->peer_cert_verified = TRUE;
1326 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=%s\n",
1327 state->peerdn ? state->peerdn : US"<unset>");
1330 state->tlsp->peerdn = state->peerdn;
1338 /* ------------------------------------------------------------------------ */
1341 /* Logging function which can be registered with
1342 * gnutls_global_set_log_function()
1343 * gnutls_global_set_log_level() 0..9
1345 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
1347 exim_gnutls_logger_cb(int level, const char *message)
1349 size_t len = strlen(message);
1352 DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
1355 DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
1356 message[len-1] == '\n' ? "" : "\n");
1361 /* Called after client hello, should handle SNI work.
1362 This will always set tls_sni (state->received_sni) if available,
1363 and may trigger presenting different certificates,
1364 if state->trigger_sni_changes is TRUE.
1366 Should be registered with
1367 gnutls_handshake_set_post_client_hello_function()
1369 "This callback must return 0 on success or a gnutls error code to terminate the
1372 For inability to get SNI information, we return 0.
1373 We only return non-zero if re-setup failed.
1374 Only used for server-side TLS.
1378 exim_sni_handling_cb(gnutls_session_t session)
1380 char sni_name[MAX_HOST_LEN];
1381 size_t data_len = MAX_HOST_LEN;
1382 exim_gnutls_state_st *state = &state_server;
1383 unsigned int sni_type;
1386 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
1387 if (rc != GNUTLS_E_SUCCESS)
1390 if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1391 debug_printf("TLS: no SNI presented in handshake.\n");
1393 debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
1394 gnutls_strerror(rc), rc);
1399 if (sni_type != GNUTLS_NAME_DNS)
1401 DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
1405 /* We now have a UTF-8 string in sni_name */
1406 old_pool = store_pool;
1407 store_pool = POOL_PERM;
1408 state->received_sni = string_copyn(US sni_name, data_len);
1409 store_pool = old_pool;
1411 /* We set this one now so that variable expansions below will work */
1412 state->tlsp->sni = state->received_sni;
1414 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
1415 state->trigger_sni_changes ? "" : " (unused for certificate selection)");
1417 if (!state->trigger_sni_changes)
1420 rc = tls_expand_session_files(state);
1423 /* If the setup of certs/etc failed before handshake, TLS would not have
1424 been offered. The best we can do now is abort. */
1425 return GNUTLS_E_APPLICATION_ERROR_MIN;
1428 rc = tls_set_remaining_x509(state);
1429 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
1437 /* ------------------------------------------------------------------------ */
1438 /* Exported functions */
1443 /*************************************************
1444 * Start a TLS session in a server *
1445 *************************************************/
1447 /* This is called when Exim is running as a server, after having received
1448 the STARTTLS command. It must respond to that command, and then negotiate
1452 require_ciphers list of allowed ciphers or NULL
1454 Returns: OK on success
1455 DEFER for errors before the start of the negotiation
1456 FAIL for errors during the negotation; the server can't
1461 tls_server_start(const uschar *require_ciphers)
1465 exim_gnutls_state_st *state = NULL;
1467 /* Check for previous activation */
1468 if (tls_in.active >= 0)
1470 tls_error(US"STARTTLS received after TLS started", "", NULL);
1471 smtp_printf("554 Already in TLS\r\n");
1475 /* Initialize the library. If it fails, it will already have logged the error
1476 and sent an SMTP response. */
1478 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
1480 rc = tls_init(NULL, tls_certificate, tls_privatekey,
1481 NULL, tls_verify_certificates, tls_crl,
1482 require_ciphers, &state);
1483 if (rc != OK) return rc;
1485 /* If this is a host for which certificate verification is mandatory or
1486 optional, set up appropriately. */
1488 if (verify_check_host(&tls_verify_hosts) == OK)
1490 DEBUG(D_tls) debug_printf("TLS: a client certificate will be required.\n");
1491 state->verify_requirement = VERIFY_REQUIRED;
1492 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1494 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1496 DEBUG(D_tls) debug_printf("TLS: a client certificate will be requested but not required.\n");
1497 state->verify_requirement = VERIFY_OPTIONAL;
1498 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1502 DEBUG(D_tls) debug_printf("TLS: a client certificate will not be requested.\n");
1503 state->verify_requirement = VERIFY_NONE;
1504 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1507 /* Register SNI handling; always, even if not in tls_certificate, so that the
1508 expansion variable $tls_sni is always available. */
1510 gnutls_handshake_set_post_client_hello_function(state->session,
1511 exim_sni_handling_cb);
1513 /* Set context and tell client to go ahead, except in the case of TLS startup
1514 on connection, where outputting anything now upsets the clients and tends to
1515 make them disconnect. We need to have an explicit fflush() here, to force out
1516 the response. Other smtp_printf() calls do not need it, because in non-TLS
1517 mode, the fflush() happens when smtp_getc() is called. */
1519 if (!state->tlsp->on_connect)
1521 smtp_printf("220 TLS go ahead\r\n");
1525 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1526 that the GnuTLS library doesn't. */
1528 gnutls_transport_set_ptr2(state->session,
1529 (gnutls_transport_ptr)fileno(smtp_in),
1530 (gnutls_transport_ptr)fileno(smtp_out));
1531 state->fd_in = fileno(smtp_in);
1532 state->fd_out = fileno(smtp_out);
1534 sigalrm_seen = FALSE;
1535 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1538 rc = gnutls_handshake(state->session);
1539 } while ((rc == GNUTLS_E_AGAIN) ||
1540 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1543 if (rc != GNUTLS_E_SUCCESS)
1545 tls_error(US"gnutls_handshake",
1546 sigalrm_seen ? "timed out" : gnutls_strerror(rc), NULL);
1547 /* It seems that, except in the case of a timeout, we have to close the
1548 connection right here; otherwise if the other end is running OpenSSL it hangs
1549 until the server times out. */
1553 (void)fclose(smtp_out);
1554 (void)fclose(smtp_in);
1560 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1562 /* Verify after the fact */
1564 if ( state->verify_requirement != VERIFY_NONE
1565 && !verify_certificate(state, &error))
1567 if (state->verify_requirement != VERIFY_OPTIONAL)
1569 tls_error(US"certificate verification failed", error, NULL);
1573 debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
1577 /* Figure out peer DN, and if authenticated, etc. */
1579 rc = peer_status(state);
1580 if (rc != OK) return rc;
1582 /* Sets various Exim expansion variables; always safe within server */
1584 extract_exim_vars_from_tls_state(state);
1586 /* TLS has been set up. Adjust the input functions to read via TLS,
1587 and initialize appropriately. */
1589 state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1591 receive_getc = tls_getc;
1592 receive_ungetc = tls_ungetc;
1593 receive_feof = tls_feof;
1594 receive_ferror = tls_ferror;
1595 receive_smtp_buffered = tls_smtp_buffered;
1603 /*************************************************
1604 * Start a TLS session in a client *
1605 *************************************************/
1607 /* Called from the smtp transport after STARTTLS has been accepted.
1610 fd the fd of the connection
1611 host connected host (for messages)
1612 addr the first address (not used)
1613 ob smtp transport options
1615 Returns: OK/DEFER/FAIL (because using common functions),
1616 but for a client, DEFER and FAIL have the same meaning
1620 tls_client_start(int fd, host_item *host,
1621 address_item *addr ARG_UNUSED,
1624 smtp_transport_options_block *ob = v_ob;
1627 exim_gnutls_state_st *state = NULL;
1628 #ifdef EXPERIMENTAL_OCSP
1629 BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
1630 NULL, host->name, host->address, NULL) == OK;
1633 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
1635 if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
1636 ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
1637 ob->tls_require_ciphers, &state)) != OK)
1641 int dh_min_bits = ob->tls_dh_min_bits;
1642 if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
1645 debug_printf("WARNING: tls_dh_min_bits far too low,"
1646 " clamping %d up to %d\n",
1647 dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
1648 dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
1651 DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
1652 " acceptable bits to %d\n",
1654 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
1657 /* Stick to the old behaviour for compatibility if tls_verify_certificates is
1658 set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
1659 the specified host patterns if one of them is defined */
1661 if (( state->exp_tls_verify_certificates
1662 && !ob->tls_verify_hosts
1663 && !ob->tls_try_verify_hosts
1666 verify_check_host(&ob->tls_verify_hosts) == OK
1669 DEBUG(D_tls) debug_printf("TLS: server certificate verification required.\n");
1670 state->verify_requirement = VERIFY_REQUIRED;
1671 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
1673 else if (verify_check_host(&ob->tls_try_verify_hosts) == OK)
1675 DEBUG(D_tls) debug_printf("TLS: server certificate verification optional.\n");
1676 state->verify_requirement = VERIFY_OPTIONAL;
1677 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
1681 DEBUG(D_tls) debug_printf("TLS: server certificate verification not required.\n");
1682 state->verify_requirement = VERIFY_NONE;
1683 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
1686 #ifdef EXPERIMENTAL_OCSP /* since GnuTLS 3.1.3 */
1689 DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
1690 if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
1691 NULL, 0, NULL)) != OK)
1692 return tls_error(US"cert-status-req",
1693 gnutls_strerror(rc), state->host);
1697 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)fd);
1701 DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
1702 /* There doesn't seem to be a built-in timeout on connection. */
1704 sigalrm_seen = FALSE;
1705 alarm(ob->command_timeout);
1708 rc = gnutls_handshake(state->session);
1709 } while ((rc == GNUTLS_E_AGAIN) ||
1710 (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
1713 if (rc != GNUTLS_E_SUCCESS)
1714 return tls_error(US"gnutls_handshake",
1715 sigalrm_seen ? "timed out" : gnutls_strerror(rc), state->host);
1717 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
1721 if (state->verify_requirement != VERIFY_NONE &&
1722 !verify_certificate(state, &error))
1723 return tls_error(US"certificate verification failed", error, state->host);
1725 #ifdef EXPERIMENTAL_OCSP
1730 gnutls_datum_t stapling;
1731 gnutls_ocsp_resp_t resp;
1732 gnutls_datum_t printed;
1733 if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
1734 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
1735 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
1736 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
1739 debug_printf("%.4096s", printed.data);
1740 gnutls_free(printed.data);
1743 (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host);
1746 if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
1747 return tls_error(US"certificate status check failed", NULL, state->host);
1748 DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
1752 /* Figure out peer DN, and if authenticated, etc. */
1754 if ((rc = peer_status(state)) != OK)
1757 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
1759 extract_exim_vars_from_tls_state(state);
1767 /*************************************************
1768 * Close down a TLS session *
1769 *************************************************/
1771 /* This is also called from within a delivery subprocess forked from the
1772 daemon, to shut down the TLS library, without actually doing a shutdown (which
1773 would tamper with the TLS session in the parent process).
1775 Arguments: TRUE if gnutls_bye is to be called
1780 tls_close(BOOL is_server, BOOL shutdown)
1782 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
1784 if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
1788 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
1789 gnutls_bye(state->session, GNUTLS_SHUT_WR);
1792 gnutls_deinit(state->session);
1794 state->tlsp->active = -1;
1795 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
1797 if ((state_server.session == NULL) && (state_client.session == NULL))
1799 gnutls_global_deinit();
1800 exim_gnutls_base_init_done = FALSE;
1808 /*************************************************
1809 * TLS version of getc *
1810 *************************************************/
1812 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
1813 it refills the buffer via the GnuTLS reading function.
1814 Only used by the server-side TLS.
1816 This feeds DKIM and should be used for all message-body reads.
1819 Returns: the next character or EOF
1825 exim_gnutls_state_st *state = &state_server;
1826 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
1830 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
1831 state->session, state->xfer_buffer, ssl_xfer_buffer_size);
1833 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1834 inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
1835 ssl_xfer_buffer_size);
1838 /* A zero-byte return appears to mean that the TLS session has been
1839 closed down, not that the socket itself has been closed down. Revert to
1840 non-TLS handling. */
1844 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
1846 receive_getc = smtp_getc;
1847 receive_ungetc = smtp_ungetc;
1848 receive_feof = smtp_feof;
1849 receive_ferror = smtp_ferror;
1850 receive_smtp_buffered = smtp_buffered;
1852 gnutls_deinit(state->session);
1853 state->session = NULL;
1854 state->tlsp->active = -1;
1855 state->tlsp->bits = 0;
1856 state->tlsp->certificate_verified = FALSE;
1857 tls_channelbinding_b64 = NULL;
1858 state->tlsp->cipher = NULL;
1859 state->tlsp->peercert = NULL;
1860 state->tlsp->peerdn = NULL;
1865 /* Handle genuine errors */
1867 else if (inbytes < 0)
1869 record_io_error(state, (int) inbytes, US"recv", NULL);
1870 state->xfer_error = 1;
1873 #ifndef DISABLE_DKIM
1874 dkim_exim_verify_feed(state->xfer_buffer, inbytes);
1876 state->xfer_buffer_hwm = (int) inbytes;
1877 state->xfer_buffer_lwm = 0;
1880 /* Something in the buffer; return next uschar */
1882 return state->xfer_buffer[state->xfer_buffer_lwm++];
1888 /*************************************************
1889 * Read bytes from TLS channel *
1890 *************************************************/
1892 /* This does not feed DKIM, so if the caller uses this for reading message body,
1893 then the caller must feed DKIM.
1899 Returns: the number of bytes read
1900 -1 after a failed read
1904 tls_read(BOOL is_server, uschar *buff, size_t len)
1906 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
1912 if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
1914 debug_printf("*** PROBABLY A BUG *** " \
1915 "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
1916 state->xfer_buffer_hwm - state->xfer_buffer_lwm);
1919 debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
1920 state->session, buff, len);
1922 inbytes = gnutls_record_recv(state->session, buff, len);
1923 if (inbytes > 0) return inbytes;
1926 DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
1928 else record_io_error(state, (int)inbytes, US"recv", NULL);
1936 /*************************************************
1937 * Write bytes down TLS channel *
1938 *************************************************/
1942 is_server channel specifier
1946 Returns: the number of bytes after a successful write,
1947 -1 after a failed write
1951 tls_write(BOOL is_server, const uschar *buff, size_t len)
1955 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
1957 DEBUG(D_tls) debug_printf("tls_do_write(%p, " SIZE_T_FMT ")\n", buff, left);
1960 DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
1962 outbytes = gnutls_record_send(state->session, buff, left);
1964 DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
1967 record_io_error(state, outbytes, US"send", NULL);
1972 record_io_error(state, 0, US"send", US"TLS channel closed on write");
1983 debug_printf("Whoops! Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
1994 /*************************************************
1995 * Random number generation *
1996 *************************************************/
1998 /* Pseudo-random number generation. The result is not expected to be
1999 cryptographically strong but not so weak that someone will shoot themselves
2000 in the foot using it as a nonce in input in some email header scheme or
2001 whatever weirdness they'll twist this into. The result should handle fork()
2002 and avoid repeating sequences. OpenSSL handles that for us.
2006 Returns a random number in range [0, max-1]
2009 #ifdef HAVE_GNUTLS_RND
2011 vaguely_random_number(int max)
2016 uschar smallbuf[sizeof(r)];
2021 needed_len = sizeof(r);
2022 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
2023 * asked for a number less than 10. */
2024 for (r = max, i = 0; r; ++i)
2030 i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
2033 DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback.\n");
2034 return vaguely_random_number_fallback(max);
2037 for (p = smallbuf; needed_len; --needed_len, ++p)
2043 /* We don't particularly care about weighted results; if someone wants
2044 * smooth distribution and cares enough then they should submit a patch then. */
2047 #else /* HAVE_GNUTLS_RND */
2049 vaguely_random_number(int max)
2051 return vaguely_random_number_fallback(max);
2053 #endif /* HAVE_GNUTLS_RND */
2058 /*************************************************
2059 * Let tls_require_ciphers be checked at startup *
2060 *************************************************/
2062 /* The tls_require_ciphers option, if set, must be something which the
2065 Returns: NULL on success, or error message
2069 tls_validate_require_cipher(void)
2072 uschar *expciphers = NULL;
2073 gnutls_priority_t priority_cache;
2076 #define validate_check_rc(Label) do { \
2077 if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
2078 return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
2079 #define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
2081 if (exim_gnutls_base_init_done)
2082 log_write(0, LOG_MAIN|LOG_PANIC,
2083 "already initialised GnuTLS, Exim developer bug");
2085 #ifdef HAVE_GNUTLS_PKCS11
2086 if (!gnutls_allow_auto_pkcs11)
2088 rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
2089 validate_check_rc(US"gnutls_pkcs11_init");
2092 rc = gnutls_global_init();
2093 validate_check_rc(US"gnutls_global_init()");
2094 exim_gnutls_base_init_done = TRUE;
2096 if (!(tls_require_ciphers && *tls_require_ciphers))
2097 return_deinit(NULL);
2099 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2100 return_deinit(US"failed to expand tls_require_ciphers");
2102 if (!(expciphers && *expciphers))
2103 return_deinit(NULL);
2106 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2108 rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
2109 validate_check_rc(string_sprintf(
2110 "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
2111 expciphers, errpos - CS expciphers, errpos));
2113 #undef return_deinit
2114 #undef validate_check_rc
2115 gnutls_global_deinit();
2123 /*************************************************
2124 * Report the library versions. *
2125 *************************************************/
2127 /* See a description in tls-openssl.c for an explanation of why this exists.
2129 Arguments: a FILE* to print the results to
2134 tls_version_report(FILE *f)
2136 fprintf(f, "Library version: GnuTLS: Compile: %s\n"
2139 gnutls_check_version(NULL));
2144 /* End of tls-gnu.c */