1 | /************************************************* |
2 | * Exim - an Internet mail transport agent * | |
3 | *************************************************/ | |
4 | ||
c4ceed07 | 5 | /* Copyright (c) University of Cambridge 1995 - 2012 */ |
6 | /* See the file NOTICE for conditions of use and distribution. */ |
7 | ||
8 | /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is | |
9 | based on a patch that was originally contributed by Steve Haslam. It was | |
10 | adapted from stunnel, a GPL program by Michal Trojnara. The code for GNU TLS is | |
11 | based on a patch contributed by Nikos Mavroyanopoulos. Because these packages | |
12 | are so very different, the functions for each are kept in separate files. The | |
13 | relevant file is #included as required, after any common functions. | |
14 | ||
15 | No cryptographic code is included in Exim. All this module does is to call | |
16 | functions from the OpenSSL or GNU TLS libraries. */ | |
17 | ||
18 | ||
19 | #include "exim.h" | |
20 | ||
21 | /* This module is compiled only when it is specifically requested in the | |
22 | build-time configuration. However, some compilers don't like compiling empty | |
23 | modules, so keep them happy with a dummy when skipping the rest. Make it | |
24 | reference itself to stop picky compilers complaining that it is unused, and put | |
25 | in a dummy argument to stop even pickier compilers complaining about infinite | |
26 | loops. */ | |
27 | ||
28 | #ifndef SUPPORT_TLS | |
static void dummy(int x) { dummy(x-1); }  /* never called: placeholder so a TLS-less build still has a non-empty translation unit */
30 | #else | |
31 | ||
32 | /* Static variables that are used for buffering data by both sets of | |
4fe99a6c | 33 | functions and the common functions below. |
059ec3d9 | 34 | |
35 | We're moving away from this; GnuTLS is already using a state, which |
36 | can switch, so we can do TLS callouts during ACLs. */ | |
059ec3d9 | 37 | |
/* Size of the server-side transfer buffer. Not referenced in this file; the
package-specific code is presumably what allocates to this size — confirm. */
static const int ssl_xfer_buffer_size = 4096;
#ifndef USE_GNUTLS
/* OpenSSL build only. In the GnuTLS build these five names are remapped (by
macros after the #include of tls-gnu.c) onto fields of state_server, so the
same tls_ungetc/tls_feof/tls_ferror/tls_smtp_buffered code works for both. */
static uschar *ssl_xfer_buffer = NULL;
static int ssl_xfer_buffer_lwm = 0;   /* consume position: tls_ungetc moves it back one */
static int ssl_xfer_buffer_hwm = 0;   /* fill level: data is pending while lwm < hwm */
static int ssl_xfer_eof = 0;          /* reported by tls_feof() */
static int ssl_xfer_error = 0;        /* reported by tls_ferror(); errno is NOT preserved */
#endif

/* Exported. Presumably set by the package-specific code to the base64 channel
binding value; nothing in this file writes it. */
uschar *tls_channelbinding_b64 = NULL;
48 | |
49 | ||
50 | /************************************************* | |
51 | * Expand string; give error on failure * | |
52 | *************************************************/ | |
53 | ||
54 | /* If expansion is forced to fail, set the result NULL and return TRUE. | |
55 | Other failures return FALSE. For a server, an SMTP response is given. | |
56 | ||
57 | Arguments: | |
58 | s the string to expand; if NULL just return TRUE | |
59 | name name of string being expanded (for error) | |
60 | result where to put the result | |
61 | ||
62 | Returns: TRUE if OK; result may still be NULL after forced failure | |
63 | */ | |
64 | ||
static BOOL
expand_check(const uschar *s, const uschar *name, uschar **result)
{
uschar *expanded;

/* Nothing to expand: report success with a NULL result. */
if (s == NULL)
  {
  *result = NULL;
  return TRUE;
  }

/* expand_string() takes a non-const pointer; the cast discards const and the
original note says the const handling still needs cleaning up. */
expanded = expand_string(US s);
*result = expanded;

/* A forced failure (expand_string_forcedfail set) is not an error: the caller
gets NULL and carries on. Any other NULL is a genuine expansion failure and is
logged as a panic. */
if (expanded != NULL || expand_string_forcedfail) return TRUE;

log_write(0, LOG_MAIN|LOG_PANIC, "expansion of %s failed: %s", name,
  expand_string_message);
return FALSE;
}
80 | ||
81 | ||
82 | /************************************************* | |
83 | * Many functions are package-specific * | |
84 | *************************************************/ | |
85 | ||
86 | #ifdef USE_GNUTLS | |
87 | #include "tls-gnu.c" | |
4fe99a6c | 88 | |
89 | #define ssl_xfer_buffer (state_server.xfer_buffer) |
90 | #define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm) | |
91 | #define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm) | |
92 | #define ssl_xfer_eof (state_server.xfer_eof) | |
93 | #define ssl_xfer_error (state_server.xfer_error) | |
4fe99a6c | 94 | |
95 | #else |
96 | #include "tls-openssl.c" | |
97 | #endif | |
98 | ||
99 | ||
100 | ||
101 | /************************************************* | |
102 | * TLS version of ungetc * | |
103 | *************************************************/ | |
104 | ||
105 | /* Puts a character back in the input buffer. Only ever | |
106 | called once. | |
389ca47a | 107 | Only used by the server-side TLS. |
108 | |
109 | Arguments: | |
110 | ch the character | |
111 | ||
112 | Returns: the character | |
113 | */ | |
114 | ||
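int
tls_ungetc(int ch)
{
/* The contract is a single pushback after at least one character has been
consumed, so lwm > 0 normally holds. There was previously no check: a caller
breaking the contract would write one byte (from network input) before the
start of ssl_xfer_buffer and leave lwm negative. Dropping the pushback is the
safer failure mode; the caller sees a parse problem rather than memory
corruption. Return value is unchanged: the character as given. */
if (ssl_xfer_buffer_lwm > 0)
  ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
return ch;
}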
121 | ||
122 | ||
123 | ||
124 | /************************************************* | |
125 | * TLS version of feof * | |
126 | *************************************************/ | |
127 | ||
128 | /* Tests for a previous EOF | |
389ca47a | 129 | Only used by the server-side TLS. |
130 | |
131 | Arguments: none | |
132 | Returns: non-zero if the eof flag is set | |
133 | */ | |
134 | ||
int
tls_feof(void)
{
/* Flag is expected to be set by the package-specific read path; this file
only ever reads it. Returned as-is, so the caller tests for non-zero. */
int eof_flag = ssl_xfer_eof;
return eof_flag;
}
140 | ||
141 | ||
142 | ||
143 | /************************************************* | |
144 | * TLS version of ferror * | |
145 | *************************************************/ | |
146 | ||
/* Tests for a previous read error.
Only used by the server-side TLS.

NOTE: the original intent was to return with errno restored to its value at
the time the error was detected, but nothing saves or restores errno here, so
callers must not rely on errno after this call.
152 | ||
153 | Arguments: none | |
154 | Returns: non-zero if the error flag is set | |
155 | */ | |
156 | ||
int
tls_ferror(void)
{
/* Returns the raw error flag (non-zero means a read error was recorded).
errno is neither saved nor restored by this function. */
int error_flag = ssl_xfer_error;
return error_flag;
}
162 | ||
163 | |
164 | /************************************************* | |
165 | * TLS version of smtp_buffered * | |
166 | *************************************************/ | |
167 | ||
168 | /* Tests for unused chars in the TLS input buffer. | |
389ca47a | 169 | Only used by the server-side TLS. |
170 | |
171 | Arguments: none | |
172 | Returns: TRUE/FALSE | |
173 | */ | |
174 | ||
BOOL
tls_smtp_buffered(void)
{
/* Unconsumed input remains while the fill level (hwm) is ahead of the
consume position (lwm). */
return ssl_xfer_buffer_hwm > ssl_xfer_buffer_lwm;
}
180 | ||
181 | ||
182 | #endif /* SUPPORT_TLS */ |
183 | ||
void
tls_modify_variables(tls_support * dest_tsp)
{
tls_support *tsp = dest_tsp;

/* Hand each $tls_* expansion variable the address of the matching field in
the given state block. modify_variable() is assumed to re-point the named
variable at that address — confirm against its definition. Compiled
unconditionally, so this is available even without SUPPORT_TLS. */
modify_variable(US"tls_bits",                 &tsp->bits);
modify_variable(US"tls_certificate_verified", &tsp->certificate_verified);
modify_variable(US"tls_cipher",               &tsp->cipher);
modify_variable(US"tls_peerdn",               &tsp->peerdn);

/* tls_sni is only wired up for the OpenSSL build at this point. */
#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
modify_variable(US"tls_sni", &tsp->sni);
#endif
}
195 | ||
059ec3d9 | 196 | /* End of tls.c */ |