Commit | Line | Data |
---|---|---|
420a0d19 CE |
1 | /************************************************* |
2 | * Exim - an Internet mail transport agent * | |
3 | *************************************************/ | |
4 | ||
2ea97746 | 5 | /* Copyright (c) University of Cambridge 1995 - 2018 */ |
420a0d19 CE |
6 | /* See the file NOTICE for conditions of use and distribution. */ |
7 | ||
8 | /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is | |
9 | based on a patch that was originally contributed by Steve Haslam. It was | |
10 | adapted from stunnel, a GPL program by Michal Trojnara. The code for GNU TLS is | |
2ea97746 | 11 | based on a patch contributed by Nikos Mavrogiannopoulos. Because these packages |
420a0d19 CE |
12 | are so very different, the functions for each are kept in separate files. The |
13 | relevant file is #included as required, after any any common functions. | |
14 | ||
15 | No cryptographic code is included in Exim. All this module does is to call | |
16 | functions from the OpenSSL or GNU TLS libraries. */ | |
17 | ||
18 | ||
19 | #include "exim.h" | |
20 | #include "transports/smtp.h" | |
21 | ||
2ea97746 CE |
22 | #if defined(MACRO_PREDEF) && defined(SUPPORT_TLS) |
23 | # ifndef USE_GNUTLS | |
24 | # include "macro_predef.h" | |
25 | # include "tls-openssl.c" | |
26 | # endif | |
27 | #endif | |
28 | ||
29 | #ifndef MACRO_PREDEF | |
30 | ||
420a0d19 CE |
31 | /* This module is compiled only when it is specifically requested in the |
32 | build-time configuration. However, some compilers don't like compiling empty | |
33 | modules, so keep them happy with a dummy when skipping the rest. Make it | |
34 | reference itself to stop picky compilers complaining that it is unused, and put | |
35 | in a dummy argument to stop even pickier compilers complaining about infinite | |
36 | loops. */ | |
37 | ||
38 | #ifndef SUPPORT_TLS | |
39 | static void dummy(int x) { dummy(x-1); } | |
40 | #else | |
41 | ||
42 | /* Static variables that are used for buffering data by both sets of | |
43 | functions and the common functions below. | |
44 | ||
45 | We're moving away from this; GnuTLS is already using a state, which | |
46 | can switch, so we can do TLS callouts during ACLs. */ | |
47 | ||
48 | static const int ssl_xfer_buffer_size = 4096; | |
49 | #ifndef USE_GNUTLS | |
50 | static uschar *ssl_xfer_buffer = NULL; | |
51 | static int ssl_xfer_buffer_lwm = 0; | |
52 | static int ssl_xfer_buffer_hwm = 0; | |
2ea97746 CE |
53 | static int ssl_xfer_eof = FALSE; |
54 | static BOOL ssl_xfer_error = FALSE; | |
420a0d19 CE |
55 | #endif |
56 | ||
57 | uschar *tls_channelbinding_b64 = NULL; | |
58 | ||
59 | ||
60 | /************************************************* | |
61 | * Expand string; give error on failure * | |
62 | *************************************************/ | |
63 | ||
64 | /* If expansion is forced to fail, set the result NULL and return TRUE. | |
65 | Other failures return FALSE. For a server, an SMTP response is given. | |
66 | ||
67 | Arguments: | |
68 | s the string to expand; if NULL just return TRUE | |
69 | name name of string being expanded (for error) | |
70 | result where to put the result | |
71 | ||
72 | Returns: TRUE if OK; result may still be NULL after forced failure | |
73 | */ | |
74 | ||
75 | static BOOL | |
2ea97746 | 76 | expand_check(const uschar *s, const uschar *name, uschar **result, uschar ** errstr) |
420a0d19 | 77 | { |
2ea97746 CE |
78 | if (!s) |
79 | *result = NULL; | |
80 | else if ( !(*result = expand_string(US s)) /* need to clean up const more */ | |
81 | && !f.expand_string_forcedfail | |
82 | ) | |
420a0d19 | 83 | { |
2ea97746 CE |
84 | *errstr = US"Internal error"; |
85 | log_write(0, LOG_MAIN|LOG_PANIC, "expansion of %s failed: %s", name, | |
86 | expand_string_message); | |
87 | return FALSE; | |
420a0d19 CE |
88 | } |
89 | return TRUE; | |
90 | } | |
91 | ||
92 | ||
2ea97746 CE |
93 | /************************************************* |
94 | * Timezone environment flipping * | |
95 | *************************************************/ | |
96 | ||
97 | static uschar * | |
98 | to_tz(uschar * tz) | |
99 | { | |
100 | uschar * old = US getenv("TZ"); | |
101 | (void) setenv("TZ", CCS tz, 1); | |
102 | tzset(); | |
103 | return old; | |
104 | } | |
105 | ||
106 | static void | |
107 | restore_tz(uschar * tz) | |
108 | { | |
109 | if (tz) | |
110 | (void) setenv("TZ", CCS tz, 1); | |
111 | else | |
112 | (void) os_unsetenv(US"TZ"); | |
113 | tzset(); | |
114 | } | |
115 | ||
420a0d19 CE |
116 | /************************************************* |
117 | * Many functions are package-specific * | |
118 | *************************************************/ | |
119 | ||
120 | #ifdef USE_GNUTLS | |
2ea97746 CE |
121 | # include "tls-gnu.c" |
122 | # include "tlscert-gnu.c" | |
420a0d19 | 123 | |
2ea97746 CE |
124 | # define ssl_xfer_buffer (state_server.xfer_buffer) |
125 | # define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm) | |
126 | # define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm) | |
127 | # define ssl_xfer_eof (state_server.xfer_eof) | |
128 | # define ssl_xfer_error (state_server.xfer_error) | |
420a0d19 CE |
129 | |
130 | #else | |
2ea97746 CE |
131 | # include "tls-openssl.c" |
132 | # include "tlscert-openssl.c" | |
420a0d19 CE |
133 | #endif |
134 | ||
135 | ||
136 | ||
137 | /************************************************* | |
138 | * TLS version of ungetc * | |
139 | *************************************************/ | |
140 | ||
141 | /* Puts a character back in the input buffer. Only ever | |
142 | called once. | |
143 | Only used by the server-side TLS. | |
144 | ||
145 | Arguments: | |
146 | ch the character | |
147 | ||
148 | Returns: the character | |
149 | */ | |
150 | ||
151 | int | |
152 | tls_ungetc(int ch) | |
153 | { | |
154 | ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch; | |
155 | return ch; | |
156 | } | |
157 | ||
158 | ||
159 | ||
160 | /************************************************* | |
161 | * TLS version of feof * | |
162 | *************************************************/ | |
163 | ||
164 | /* Tests for a previous EOF | |
165 | Only used by the server-side TLS. | |
166 | ||
167 | Arguments: none | |
168 | Returns: non-zero if the eof flag is set | |
169 | */ | |
170 | ||
171 | int | |
172 | tls_feof(void) | |
173 | { | |
2ea97746 | 174 | return (int)ssl_xfer_eof; |
420a0d19 CE |
175 | } |
176 | ||
177 | ||
178 | ||
179 | /************************************************* | |
180 | * TLS version of ferror * | |
181 | *************************************************/ | |
182 | ||
183 | /* Tests for a previous read error, and returns with errno | |
184 | restored to what it was when the error was detected. | |
185 | Only used by the server-side TLS. | |
186 | ||
187 | >>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>> | |
188 | ||
189 | Arguments: none | |
190 | Returns: non-zero if the error flag is set | |
191 | */ | |
192 | ||
193 | int | |
194 | tls_ferror(void) | |
195 | { | |
2ea97746 | 196 | return (int)ssl_xfer_error; |
420a0d19 CE |
197 | } |
198 | ||
199 | ||
200 | /************************************************* | |
201 | * TLS version of smtp_buffered * | |
202 | *************************************************/ | |
203 | ||
204 | /* Tests for unused chars in the TLS input buffer. | |
205 | Only used by the server-side TLS. | |
206 | ||
207 | Arguments: none | |
208 | Returns: TRUE/FALSE | |
209 | */ | |
210 | ||
211 | BOOL | |
212 | tls_smtp_buffered(void) | |
213 | { | |
214 | return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm; | |
215 | } | |
216 | ||
217 | ||
218 | #endif /* SUPPORT_TLS */ | |
219 | ||
220 | void | |
221 | tls_modify_variables(tls_support * dest_tsp) | |
222 | { | |
223 | modify_variable(US"tls_bits", &dest_tsp->bits); | |
224 | modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified); | |
225 | modify_variable(US"tls_cipher", &dest_tsp->cipher); | |
226 | modify_variable(US"tls_peerdn", &dest_tsp->peerdn); | |
227 | #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) | |
228 | modify_variable(US"tls_sni", &dest_tsp->sni); | |
229 | #endif | |
230 | } | |
231 | ||
232 | ||
233 | #ifdef SUPPORT_TLS | |
234 | /************************************************ | |
235 | * TLS certificate name operations * | |
236 | ************************************************/ | |
237 | ||
238 | /* Convert an rfc4514 DN to an exim comma-sep list. | |
239 | Backslashed commas need to be replaced by doublecomma | |
240 | for Exim's list quoting. We modify the given string | |
241 | inplace. | |
242 | */ | |
243 | ||
244 | static void | |
245 | dn_to_list(uschar * dn) | |
246 | { | |
247 | uschar * cp; | |
248 | for (cp = dn; *cp; cp++) | |
249 | if (cp[0] == '\\' && cp[1] == ',') | |
250 | *cp++ = ','; | |
251 | } | |
252 | ||
253 | ||
254 | /* Extract fields of a given type from an RFC4514- | |
255 | format Distinguished Name. Return an Exim list. | |
256 | NOTE: We modify the supplied dn string during operation. | |
257 | ||
258 | Arguments: | |
259 | dn Distinguished Name string | |
2ea97746 | 260 | mod list containing optional output list-sep and |
420a0d19 CE |
261 | field selector match, comma-separated |
262 | Return: | |
263 | allocated string with list of matching fields, | |
264 | field type stripped | |
265 | */ | |
266 | ||
267 | uschar * | |
2ea97746 | 268 | tls_field_from_dn(uschar * dn, const uschar * mod) |
420a0d19 CE |
269 | { |
270 | int insep = ','; | |
271 | uschar outsep = '\n'; | |
272 | uschar * ele; | |
273 | uschar * match = NULL; | |
274 | int len; | |
2ea97746 | 275 | gstring * list = NULL; |
420a0d19 CE |
276 | |
277 | while ((ele = string_nextinlist(&mod, &insep, NULL, 0))) | |
278 | if (ele[0] != '>') | |
279 | match = ele; /* field tag to match */ | |
280 | else if (ele[1]) | |
2ea97746 | 281 | outsep = ele[1]; /* nondefault output separator */ |
420a0d19 CE |
282 | |
283 | dn_to_list(dn); | |
284 | insep = ','; | |
2ea97746 CE |
285 | len = match ? Ustrlen(match) : -1; |
286 | while ((ele = string_nextinlist(CUSS &dn, &insep, NULL, 0))) | |
287 | if ( !match | |
288 | || Ustrncmp(ele, match, len) == 0 && ele[len] == '=' | |
289 | ) | |
420a0d19 | 290 | list = string_append_listele(list, outsep, ele+len+1); |
2ea97746 | 291 | return string_from_gstring(list); |
420a0d19 CE |
292 | } |
293 | ||
294 | ||
420a0d19 CE |
295 | /* Compare a domain name with a possibly-wildcarded name. Wildcards |
296 | are restricted to a single one, as the first element of patterns | |
297 | having at least three dot-separated elements. Case-independent. | |
298 | Return TRUE for a match | |
299 | */ | |
300 | static BOOL | |
301 | is_name_match(const uschar * name, const uschar * pat) | |
302 | { | |
303 | uschar * cp; | |
304 | return *pat == '*' /* possible wildcard match */ | |
305 | ? *++pat == '.' /* starts star, dot */ | |
306 | && !Ustrchr(++pat, '*') /* has no more stars */ | |
307 | && Ustrchr(pat, '.') /* and has another dot. */ | |
308 | && (cp = Ustrchr(name, '.'))/* The name has at least one dot */ | |
309 | && strcmpic(++cp, pat) == 0 /* and we only compare after it. */ | |
310 | : !Ustrchr(pat+1, '*') | |
311 | && strcmpic(name, pat) == 0; | |
312 | } | |
313 | ||
314 | /* Compare a list of names with the dnsname elements | |
315 | of the Subject Alternate Name, if any, and the | |
316 | Subject otherwise. | |
317 | ||
318 | Arguments: | |
319 | namelist names to compare | |
320 | cert certificate | |
321 | ||
322 | Returns: | |
323 | TRUE/FALSE | |
324 | */ | |
325 | ||
326 | BOOL | |
2ea97746 | 327 | tls_is_name_for_cert(const uschar * namelist, void * cert) |
420a0d19 CE |
328 | { |
329 | uschar * altnames = tls_cert_subject_altname(cert, US"dns"); | |
330 | uschar * subjdn; | |
331 | uschar * certname; | |
332 | int cmp_sep = 0; | |
333 | uschar * cmpname; | |
334 | ||
335 | if ((altnames = tls_cert_subject_altname(cert, US"dns"))) | |
336 | { | |
337 | int alt_sep = '\n'; | |
338 | while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0))) | |
339 | { | |
2ea97746 | 340 | const uschar * an = altnames; |
420a0d19 CE |
341 | while ((certname = string_nextinlist(&an, &alt_sep, NULL, 0))) |
342 | if (is_name_match(cmpname, certname)) | |
343 | return TRUE; | |
344 | } | |
345 | } | |
346 | ||
347 | else if ((subjdn = tls_cert_subject(cert, NULL))) | |
348 | { | |
349 | int sn_sep = ','; | |
350 | ||
351 | dn_to_list(subjdn); | |
352 | while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0))) | |
353 | { | |
2ea97746 | 354 | const uschar * sn = subjdn; |
420a0d19 CE |
355 | while ((certname = string_nextinlist(&sn, &sn_sep, NULL, 0))) |
356 | if ( *certname++ == 'C' | |
357 | && *certname++ == 'N' | |
358 | && *certname++ == '=' | |
359 | && is_name_match(cmpname, certname) | |
360 | ) | |
361 | return TRUE; | |
362 | } | |
363 | } | |
364 | return FALSE; | |
365 | } | |
420a0d19 | 366 | #endif /*SUPPORT_TLS*/ |
2ea97746 | 367 | #endif /*!MACRO_PREDEF*/ |
420a0d19 CE |
368 | |
369 | /* vi: aw ai sw=2 | |
370 | */ | |
371 | /* End of tls.c */ |