Commit | Line | Data |
---|---|---|
059ec3d9 PH |
1 | /************************************************* |
2 | * Exim - an Internet mail transport agent * | |
3 | *************************************************/ | |
4 | ||
c4ceed07 | 5 | /* Copyright (c) University of Cambridge 1995 - 2012 */ |
059ec3d9 PH |
6 | /* See the file NOTICE for conditions of use and distribution. */ |
7 | ||
8 | /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is | |
9 | based on a patch that was originally contributed by Steve Haslam. It was | |
10 | adapted from stunnel, a GPL program by Michal Trojnara. The code for GNU TLS is | |
11 | based on a patch contributed by Nikos Mavroyanopoulos. Because these packages | |
12 | are so very different, the functions for each are kept in separate files. The | |
13 | relevant file is #included as required, after any any common functions. | |
14 | ||
15 | No cryptographic code is included in Exim. All this module does is to call | |
16 | functions from the OpenSSL or GNU TLS libraries. */ | |
17 | ||
18 | ||
19 | #include "exim.h" | |
65867078 | 20 | #include "transports/smtp.h" |
059ec3d9 PH |
21 | |
22 | /* This module is compiled only when it is specifically requested in the | |
23 | build-time configuration. However, some compilers don't like compiling empty | |
24 | modules, so keep them happy with a dummy when skipping the rest. Make it | |
25 | reference itself to stop picky compilers complaining that it is unused, and put | |
26 | in a dummy argument to stop even pickier compilers complaining about infinite | |
27 | loops. */ | |
28 | ||
29 | #ifndef SUPPORT_TLS | |
30 | static void dummy(int x) { dummy(x-1); } | |
31 | #else | |
32 | ||
33 | /* Static variables that are used for buffering data by both sets of | |
4fe99a6c | 34 | functions and the common functions below. |
059ec3d9 | 35 | |
4fe99a6c PP |
36 | We're moving away from this; GnuTLS is already using a state, which |
37 | can switch, so we can do TLS callouts during ACLs. */ | |
059ec3d9 | 38 | |
17c76198 | 39 | static const int ssl_xfer_buffer_size = 4096; |
4fe99a6c PP |
40 | #ifndef USE_GNUTLS |
41 | static uschar *ssl_xfer_buffer = NULL; | |
059ec3d9 PH |
42 | static int ssl_xfer_buffer_lwm = 0; |
43 | static int ssl_xfer_buffer_hwm = 0; | |
44 | static int ssl_xfer_eof = 0; | |
45 | static int ssl_xfer_error = 0; | |
4fe99a6c | 46 | #endif |
059ec3d9 | 47 | |
44bbabb5 | 48 | uschar *tls_channelbinding_b64 = NULL; |
059ec3d9 PH |
49 | |
50 | ||
51 | /************************************************* | |
52 | * Expand string; give error on failure * | |
53 | *************************************************/ | |
54 | ||
55 | /* If expansion is forced to fail, set the result NULL and return TRUE. | |
56 | Other failures return FALSE. For a server, an SMTP response is given. | |
57 | ||
58 | Arguments: | |
59 | s the string to expand; if NULL just return TRUE | |
60 | name name of string being expanded (for error) | |
61 | result where to put the result | |
62 | ||
63 | Returns: TRUE if OK; result may still be NULL after forced failure | |
64 | */ | |
65 | ||
66 | static BOOL | |
17c76198 | 67 | expand_check(const uschar *s, const uschar *name, uschar **result) |
059ec3d9 PH |
68 | { |
69 | if (s == NULL) *result = NULL; else | |
70 | { | |
17c76198 | 71 | *result = expand_string(US s); /* need to clean up const some more */ |
059ec3d9 PH |
72 | if (*result == NULL && !expand_string_forcedfail) |
73 | { | |
74 | log_write(0, LOG_MAIN|LOG_PANIC, "expansion of %s failed: %s", name, | |
75 | expand_string_message); | |
76 | return FALSE; | |
77 | } | |
78 | } | |
79 | return TRUE; | |
80 | } | |
81 | ||
82 | ||
83 | /************************************************* | |
84 | * Many functions are package-specific * | |
85 | *************************************************/ | |
86 | ||
87 | #ifdef USE_GNUTLS | |
88 | #include "tls-gnu.c" | |
9d1c15ef | 89 | #include "tlscert-gnu.c" |
4fe99a6c | 90 | |
389ca47a JH |
91 | #define ssl_xfer_buffer (state_server.xfer_buffer) |
92 | #define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm) | |
93 | #define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm) | |
94 | #define ssl_xfer_eof (state_server.xfer_eof) | |
95 | #define ssl_xfer_error (state_server.xfer_error) | |
4fe99a6c | 96 | |
059ec3d9 PH |
97 | #else |
98 | #include "tls-openssl.c" | |
9d1c15ef | 99 | #include "tlscert-openssl.c" |
059ec3d9 PH |
100 | #endif |
101 | ||
102 | ||
103 | ||
104 | /************************************************* | |
105 | * TLS version of ungetc * | |
106 | *************************************************/ | |
107 | ||
108 | /* Puts a character back in the input buffer. Only ever | |
109 | called once. | |
389ca47a | 110 | Only used by the server-side TLS. |
059ec3d9 PH |
111 | |
112 | Arguments: | |
113 | ch the character | |
114 | ||
115 | Returns: the character | |
116 | */ | |
117 | ||
118 | int | |
119 | tls_ungetc(int ch) | |
120 | { | |
121 | ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch; | |
122 | return ch; | |
123 | } | |
124 | ||
125 | ||
126 | ||
127 | /************************************************* | |
128 | * TLS version of feof * | |
129 | *************************************************/ | |
130 | ||
131 | /* Tests for a previous EOF | |
389ca47a | 132 | Only used by the server-side TLS. |
059ec3d9 PH |
133 | |
134 | Arguments: none | |
135 | Returns: non-zero if the eof flag is set | |
136 | */ | |
137 | ||
138 | int | |
139 | tls_feof(void) | |
140 | { | |
141 | return ssl_xfer_eof; | |
142 | } | |
143 | ||
144 | ||
145 | ||
146 | /************************************************* | |
147 | * TLS version of ferror * | |
148 | *************************************************/ | |
149 | ||
150 | /* Tests for a previous read error, and returns with errno | |
151 | restored to what it was when the error was detected. | |
389ca47a | 152 | Only used by the server-side TLS. |
059ec3d9 PH |
153 | |
154 | >>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>> | |
155 | ||
156 | Arguments: none | |
157 | Returns: non-zero if the error flag is set | |
158 | */ | |
159 | ||
160 | int | |
161 | tls_ferror(void) | |
162 | { | |
163 | return ssl_xfer_error; | |
164 | } | |
165 | ||
58eb016e PH |
166 | |
167 | /************************************************* | |
168 | * TLS version of smtp_buffered * | |
169 | *************************************************/ | |
170 | ||
171 | /* Tests for unused chars in the TLS input buffer. | |
389ca47a | 172 | Only used by the server-side TLS. |
58eb016e PH |
173 | |
174 | Arguments: none | |
175 | Returns: TRUE/FALSE | |
176 | */ | |
177 | ||
178 | BOOL | |
179 | tls_smtp_buffered(void) | |
180 | { | |
181 | return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm; | |
182 | } | |
183 | ||
184 | ||
059ec3d9 PH |
185 | #endif /* SUPPORT_TLS */ |
186 | ||
35aba663 JH |
187 | void |
188 | tls_modify_variables(tls_support * dest_tsp) | |
189 | { | |
190 | modify_variable(US"tls_bits", &dest_tsp->bits); | |
191 | modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified); | |
192 | modify_variable(US"tls_cipher", &dest_tsp->cipher); | |
193 | modify_variable(US"tls_peerdn", &dest_tsp->peerdn); | |
194 | #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) | |
195 | modify_variable(US"tls_sni", &dest_tsp->sni); | |
196 | #endif | |
197 | } | |
198 | ||
059ec3d9 | 199 | /* End of tls.c */ |