X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=src%2Fsrc%2Fsmtp_out.c;h=12ed5bc612e3fd639056c97ebb479877c41ec5eb;hb=568092148bf6ade68174fa1ccf34b8c37d9064e9;hp=9221aa8680dd5985987574abf0d84424dbf7671d;hpb=0ab63f3dea522591218c0d65c78a686b7fa64db6;p=exim.git

diff --git a/src/src/smtp_out.c b/src/src/smtp_out.c
index 9221aa868..12ed5bc61 100644
--- a/src/src/smtp_out.c
+++ b/src/src/smtp_out.c
@@ -2,7 +2,7 @@
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
-/* Copyright (c) University of Cambridge 1995 - 2016 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* A number of functions for driving outgoing SMTP calls. */
@@ -45,13 +45,24 @@ if (!istring) return TRUE;
 
 if (!(expint = expand_string(istring)))
   {
-  if (expand_string_forcedfail) return TRUE;
+  if (f.expand_string_forcedfail) return TRUE;
   addr->transport_return = PANIC;
   addr->message = string_sprintf("failed to expand \"interface\" "
       "option for %s: %s", msg, expand_string_message);
   return FALSE;
   }
 
+if (is_tainted(expint))
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "attempt to use tainted value '%s' from '%s' for interface",
+    expint, istring);
+  addr->transport_return = PANIC;
+  addr->message = string_sprintf("failed to expand \"interface\" "
+      "option for %s: configuration error", msg);
+  return FALSE;
+  }
+
 while (isspace(*expint)) expint++;
 if (*expint == 0) return TRUE;
 
@@ -144,28 +155,86 @@ return TRUE;
 static void
 tfo_out_check(int sock)
 {
-# if defined(TCP_INFO) && defined(EXIM_HAVE_TCPI_UNACKED)
+# ifdef __FreeBSD__
+struct tcp_info tinfo;
+int val;
+socklen_t len = sizeof(val);
+
+/* The observability as of 12.1 is not useful as a client, only telling us that
+a TFO option was used on SYN.  It could have been a TFO-R, or ignored by the
+server. */
+
+/*
+if (tcp_out_fastopen == TFO_ATTEMPTED_NODATA || tcp_out_fastopen == TFO_ATTEMPTED_DATA)
+  if (getsockopt(sock, IPPROTO_TCP, TCP_FASTOPEN, &val, &len) == 0 && val != 0) {}
+*/
+switch (tcp_out_fastopen)
+  {
+  case TFO_ATTEMPTED_NODATA:	tcp_out_fastopen = TFO_USED_NODATA; break;
+  case TFO_ATTEMPTED_DATA:	tcp_out_fastopen = TFO_USED_DATA; break;
+  default: break; /* compiler quietening */
+  }
+
+# else	/* Linux & Apple */
+#  if defined(TCP_INFO) && defined(EXIM_HAVE_TCPI_UNACKED)
 struct tcp_info tinfo;
 socklen_t len = sizeof(tinfo);
 
-if (getsockopt(sock, IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0)
+switch (tcp_out_fastopen)
   {
-  /* This is a somewhat dubious detection method; totally undocumented so likely
-  to fail in future kernels.  There seems to be no documented way. */
+    /* This is a somewhat dubious detection method; totally undocumented so likely
+    to fail in future kernels.  There seems to be no documented way.  What we really
+    want to know is if the server sent smtp-banner data before our ACK of his SYN,ACK
+    hit him.  What this (possibly?) detects is whether we sent a TFO cookie with our
+    SYN, as distinct from a TFO request.  This gets a false-positive when the server
+    key is rotated; we send the old one (which this test sees) but the server returns
+    the new one and does not send its SMTP banner before we ACK his SYN,ACK.
+     To force that rotation case:
+     '# echo -n "00000000-00000000-00000000-0000000" >/proc/sys/net/ipv4/tcp_fastopen_key'
+    The kernel seems to be counting unack'd packets. */
+
+  case TFO_ATTEMPTED_NODATA:
+    if (  getsockopt(sock, IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0
+       && tinfo.tcpi_state == TCP_SYN_SENT
+       && tinfo.tcpi_unacked > 1
+       )
+      {
+      DEBUG(D_transport|D_v)
+	debug_printf("TCP_FASTOPEN tcpi_unacked %d\n", tinfo.tcpi_unacked);
+      tcp_out_fastopen = TFO_USED_NODATA;
+      }
+    break;
 
-  if (tinfo.tcpi_unacked > 1)
-    {
-    DEBUG(D_transport|D_v) debug_printf("TCP_FASTOPEN mode connection\n");
-    tcp_out_fastopen = TRUE;
-    }
+    /* When called after waiting for received data we should be able
+    to tell if data we sent was accepted. */
+
+  case TFO_ATTEMPTED_DATA:
+    if (  getsockopt(sock, IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0
+       && tinfo.tcpi_state == TCP_ESTABLISHED
+       )
+      if (tinfo.tcpi_options & TCPI_OPT_SYN_DATA)
+	{
+	DEBUG(D_transport|D_v) debug_printf("TFO: data was acked\n");
+	tcp_out_fastopen = TFO_USED_DATA;
+	}
+      else
+	{
+	DEBUG(D_transport|D_v) debug_printf("TFO: had to retransmit\n");
+	tcp_out_fastopen = TFO_NOT_USED;
+	}
+    break;
+
+  default: break; /* compiler quietening */
   }
-# endif
+#  endif
+# endif	/* Linux & Apple */
 }
 #endif
 
 
 /* Arguments as for smtp_connect(), plus
-  early_data	if non-NULL, data to be sent - preferably in the TCP SYN segment
+  early_data	if non-NULL, idenmpotent data to be sent -
+		preferably in the TCP SYN segment
 
 Returns:      connected socket number, or -1 with errno set
 */
@@ -182,6 +251,8 @@ int dscp_level;
 int dscp_option;
 int sock;
 int save_errno = 0;
+const blob * fastopen_blob = NULL;
+
 
 #ifndef DISABLE_EVENT
 deliver_host_address = host->address;
@@ -227,22 +298,29 @@ if (interface && ip_bind(sock, host_af, interface, 0) < 0)
 
 /* Connect to the remote host, and add keepalive to the socket before returning
 it, if requested.  If the build supports TFO, request it - and if the caller
-requested some early-data then include that in the TFO request. */
+requested some early-data then include that in the TFO request.  If there is
+early-data but no TFO support, send it after connecting. */
 
 else
   {
-  const blob * fastopen = NULL;
-
 #ifdef TCP_FASTOPEN
-  if (verify_check_given_host(&ob->hosts_try_fastopen, host) == OK)
-    fastopen = early_data ? early_data : &tcp_fastopen_nodata;
+  if (verify_check_given_host(CUSS &ob->hosts_try_fastopen, host) == OK)
+    fastopen_blob = early_data ? early_data : &tcp_fastopen_nodata;
 #endif
 
-  if (ip_connect(sock, host_af, host->address, port, timeout, fastopen) < 0)
+  if (ip_connect(sock, host_af, host->address, port, timeout, fastopen_blob) < 0)
     save_errno = errno;
-  else if (early_data && !fastopen && early_data->data && early_data->len)
+  else if (early_data && !fastopen_blob && early_data->data && early_data->len)
+    {
+    HDEBUG(D_transport|D_acl|D_v)
+      debug_printf("sending %ld nonTFO early-data\n", (long)early_data->len);
+
+#ifdef TCP_QUICKACK
+    (void) setsockopt(sock, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
+#endif
     if (send(sock, early_data->data, early_data->len, 0) < 0)
       save_errno = errno;
+    }
   }
 
 /* Either bind() or connect() failed */
@@ -251,7 +329,7 @@ if (save_errno != 0)
   {
   HDEBUG(D_transport|D_acl|D_v)
     {
-    debug_printf_indent("failed: %s", CUstrerror(save_errno));
+    debug_printf_indent(" failed: %s", CUstrerror(save_errno));
     if (save_errno == ETIMEDOUT)
       debug_printf(" (timeout=%s)", readconf_printtime(timeout));
     debug_printf("\n");
@@ -261,13 +339,14 @@ if (save_errno != 0)
   return -1;
   }
 
-/* Both bind() and connect() succeeded */
+/* Both bind() and connect() succeeded, and any early-data */
 
 else
   {
   union sockaddr_46 interface_sock;
   EXIM_SOCKLEN_T size = sizeof(interface_sock);
-  HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("connected\n");
+
+  HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" connected\n");
   if (getsockname(sock, (struct sockaddr *)(&interface_sock), &size) == 0)
     sending_ip_address = host_ntoa(-1, &interface_sock, NULL, &sending_port);
   else
@@ -277,6 +356,7 @@ else
     close(sock);
     return -1;
     }
+
   if (ob->keepalive) ip_keepalive(sock, host->address, TRUE);
 #ifdef TCP_FASTOPEN
   tfo_out_check(sock);
@@ -313,45 +393,62 @@ non-IPv6 systems, to enable the code to be less messy. However, on such systems
 host->address will always be an IPv4 address.
 
 Arguments:
-  host        host item containing name and address and port
-  host_af     AF_INET or AF_INET6
-  interface   outgoing interface address or NULL
-  timeout     timeout value or 0
-  tb          transport
+  sc	      details for making connection: host, af, interface, transport
+  early_data  if non-NULL, data to be sent - preferably in the TCP SYN segment
 
 Returns:      connected socket number, or -1 with errno set
 */
 
 int
-smtp_connect(host_item *host, int host_af, uschar *interface,
-  int timeout, transport_instance * tb)
+smtp_connect(smtp_connect_args * sc, const blob * early_data)
 {
-int port = host->port;
-#ifdef SUPPORT_SOCKS
-smtp_transport_options_block * ob =
-  (smtp_transport_options_block *)tb->options_block;
-#endif
+int port = sc->host->port;
+smtp_transport_options_block * ob = sc->ob;
 
-callout_address = string_sprintf("[%s]:%d", host->address, port);
+callout_address = string_sprintf("[%s]:%d", sc->host->address, port);
 
 HDEBUG(D_transport|D_acl|D_v)
   {
   uschar * s = US" ";
-  if (interface) s = string_sprintf(" from %s ", interface);
+  if (sc->interface) s = string_sprintf(" from %s ", sc->interface);
 #ifdef SUPPORT_SOCKS
   if (ob->socks_proxy) s = string_sprintf("%svia proxy ", s);
 #endif
-  debug_printf_indent("Connecting to %s %s%s... ", host->name, callout_address, s);
+  debug_printf_indent("Connecting to %s %s%s... ", sc->host->name, callout_address, s);
   }
 
 /* Create and connect the socket */
 
 #ifdef SUPPORT_SOCKS
 if (ob->socks_proxy)
-  return socks_sock_connect(host, host_af, port, interface, tb, timeout);
+  {
+  int sock = socks_sock_connect(sc->host, sc->host_af, port, sc->interface,
+				sc->tblock, ob->connect_timeout);
+  
+  if (sock >= 0)
+    {
+    if (early_data && early_data->data && early_data->len)
+      if (send(sock, early_data->data, early_data->len, 0) < 0)
+	{
+	int save_errno = errno;
+	HDEBUG(D_transport|D_acl|D_v)
+	  {
+	  debug_printf_indent("failed: %s", CUstrerror(save_errno));
+	  if (save_errno == ETIMEDOUT)
+	    debug_printf(" (timeout=%s)", readconf_printtime(ob->connect_timeout));
+	  debug_printf("\n");
+	  }
+	(void)close(sock);
+	sock = -1;
+	errno = save_errno;
+	}
+    }
+  return sock;
+  }
 #endif
 
-return smtp_sock_connect(host, host_af, port, interface, tb, timeout, NULL);
+return smtp_sock_connect(sc->host, sc->host_af, port, sc->interface,
+			  sc->tblock, ob->connect_timeout, early_data);
 }
 
 
@@ -380,18 +477,39 @@ BOOL more = mode == SCMD_MORE;
 HDEBUG(D_transport|D_acl) debug_printf_indent("cmd buf flush %d bytes%s\n", n,
   more ? " (more expected)" : "");
 
-#ifdef SUPPORT_TLS
-if (tls_out.active == outblock->sock)
-  rc = tls_write(FALSE, outblock->buffer, n, more);
+#ifndef DISABLE_TLS
+if (outblock->cctx->tls_ctx)
+  rc = tls_write(outblock->cctx->tls_ctx, outblock->buffer, n, more);
 else
 #endif
-  rc = send(outblock->sock, outblock->buffer, n,
+
+  {
+  if (outblock->conn_args)
+    {
+    blob early_data = { .data = outblock->buffer, .len = n };
+
+    /* We ignore the more-flag if we're doing a connect with early-data, which
+    means we won't get BDAT+data. A pity, but wise due to the idempotency
+    requirement: TFO with data can, in rare cases, replay the data to the
+    receiver. */
+
+    if (  (outblock->cctx->sock = smtp_connect(outblock->conn_args, &early_data))
+       < 0)
+      return FALSE;
+    outblock->conn_args = NULL;
+    rc = n;
+    }
+  else
+    {
+    rc = send(outblock->cctx->sock, outblock->buffer, n,
 #ifdef MSG_MORE
-	    more ? MSG_MORE : 0
+	      more ? MSG_MORE : 0
 #else
-	    0
+	      0
 #endif
-	   );
+	     );
+    }
+  }
 
 if (rc <= 0)
   {
@@ -414,7 +532,7 @@ return TRUE;
 any error message.
 
 Arguments:
-  outblock   contains buffer for pipelining, and socket
+  sx	     SMTP connection, contains buffer for pipelining, and socket
   mode       buffer, write-with-more-likely, write
   format     a format, starting with one of
              of HELO, MAIL FROM, RCPT TO, DATA, ".", or QUIT.
@@ -427,36 +545,43 @@ Returns:     0 if command added to pipelining buffer, with nothing transmitted
 */
 
 int
-smtp_write_command(smtp_outblock * outblock, int mode, const char *format, ...)
+smtp_write_command(void * sx, int mode, const char *format, ...)
 {
-int count;
+smtp_outblock * outblock = &((smtp_context *)sx)->outblock;
 int rc = 0;
-va_list ap;
 
 if (format)
   {
+  gstring gs = { .size = big_buffer_size, .ptr = 0, .s = big_buffer };
+  va_list ap;
+
+  /* Use taint-unchecked routines for writing into big_buffer, trusting that
+  we'll never expand the results.  Actually, the error-message use - leaving
+  the results in big_buffer for potential later use - is uncomfortably distant.
+  XXX Would be better to assume all smtp commands are short, use normal pool
+  alloc rather than big_buffer, and another global for the data-for-error. */
+
   va_start(ap, format);
-  if (!string_vformat(big_buffer, big_buffer_size, CS format, ap))
+  if (!string_vformat(&gs, SVFMT_TAINT_NOCHK, CS format, ap))
     log_write(0, LOG_MAIN|LOG_PANIC_DIE, "overlong write_command in outgoing "
       "SMTP");
   va_end(ap);
-  count = Ustrlen(big_buffer);
+  string_from_gstring(&gs);
 
-  if (count > outblock->buffersize)
+  if (gs.ptr > outblock->buffersize)
     log_write(0, LOG_MAIN|LOG_PANIC_DIE, "overlong write_command in outgoing "
       "SMTP");
 
-  if (count > outblock->buffersize - (outblock->ptr - outblock->buffer))
+  if (gs.ptr > outblock->buffersize - (outblock->ptr - outblock->buffer))
     {
     rc = outblock->cmd_count;                 /* flush resets */
     if (!flush_buffer(outblock, SCMD_FLUSH)) return -1;
     }
 
-  Ustrncpy(CS outblock->ptr, big_buffer, count);
-  outblock->ptr += count;
+  Ustrncpy(outblock->ptr, gs.s, gs.ptr);
+  outblock->ptr += gs.ptr;
   outblock->cmd_count++;
-  count -= 2;
-  big_buffer[count] = 0;     /* remove \r\n for error message */
+  gs.ptr -= 2; string_from_gstring(&gs); /* remove \r\n for error message */
 
   /* We want to hide the actual data sent in AUTH transactions from reflections
   and logs. While authenticating, a flag is set in the outblock to enable this.
@@ -504,19 +629,19 @@ Arguments:
   inblock   the SMTP input block (contains holding buffer, socket, etc.)
   buffer    where to put the line
   size      space available for the line
-  timeout   the timeout to use when reading a packet
+  timelimit deadline for reading the lime, seconds past epoch
 
 Returns:    length of a line that has been put in the buffer
             -1 otherwise, with errno set
 */
 
 static int
-read_response_line(smtp_inblock *inblock, uschar *buffer, int size, int timeout)
+read_response_line(smtp_inblock *inblock, uschar *buffer, int size, time_t timelimit)
 {
 uschar *p = buffer;
 uschar *ptr = inblock->ptr;
 uschar *ptrend = inblock->ptrend;
-int sock = inblock->sock;
+client_conn_ctx * cctx = inblock->cctx;
 
 /* Loop for reading multiple packets or reading another packet after emptying
 a previously-read one. */
@@ -554,9 +679,9 @@ for (;;)
 
   /* Need to read a new input packet. */
 
-  if((rc = ip_recv(sock, inblock->buffer, inblock->buffersize, timeout)) <= 0)
+  if((rc = ip_recv(cctx, inblock->buffer, inblock->buffersize, timelimit)) <= 0)
     {
-    DEBUG(D_deliver|D_transport|D_acl)
+    DEBUG(D_deliver|D_transport|D_acl|D_v)
       debug_printf_indent(errno ? "  SMTP(%s)<<\n" : "  SMTP(closed)<<\n",
 	strerror(errno));
     break;
@@ -593,7 +718,8 @@ also returned after a reading error. In this case buffer[0] will be zero, and
 the error code will be in errno.
 
 Arguments:
-  inblock   the SMTP input block (contains holding buffer, socket, etc.)
+  sx        the SMTP connection (contains input block with holding buffer,
+		socket, etc.)
   buffer    where to put the response
   size      the size of the buffer
   okdigit   the expected first digit of the response
@@ -601,26 +727,43 @@ Arguments:
 
 Returns:    TRUE if a valid, non-error response was received; else FALSE
 */
+/*XXX could move to smtp transport; no other users */
 
 BOOL
-smtp_read_response(smtp_inblock *inblock, uschar *buffer, int size, int okdigit,
+smtp_read_response(void * sx0, uschar * buffer, int size, int okdigit,
    int timeout)
 {
-uschar *ptr = buffer;
-int count;
+smtp_context * sx = sx0;
+uschar * ptr = buffer;
+int count = 0;
+time_t timelimit = time(NULL) + timeout;
 
 errno = 0;  /* Ensure errno starts out zero */
 
+#ifndef DISABLE_PIPE_CONNECT
+if (sx->pending_BANNER || sx->pending_EHLO)
+  {
+  int rc;
+  if ((rc = smtp_reap_early_pipe(sx, &count)) != OK)
+    {
+    DEBUG(D_transport) debug_printf("failed reaping pipelined cmd responsess\n");
+    buffer[0] = '\0';
+    if (rc == DEFER) errno = ERRNO_TLSFAILURE;
+    return FALSE;
+    }
+  }
+#endif
+
 /* This is a loop to read and concatenate the lines that make up a multi-line
 response. */
 
 for (;;)
   {
-  if ((count = read_response_line(inblock, ptr, size, timeout)) < 0)
+  if ((count = read_response_line(&sx->inblock, ptr, size, timelimit)) < 0)
     return FALSE;
 
   HDEBUG(D_transport|D_acl|D_v)
-    debug_printf_indent("  %s %s\n", (ptr == buffer)? "SMTP<<" : "      ", ptr);
+    debug_printf_indent("  %s %s\n", ptr == buffer ? "SMTP<<" : "      ", ptr);
 
   /* Check the format of the response: it must start with three digits; if
   these are followed by a space or end of line, the response is complete. If
@@ -654,6 +797,10 @@ for (;;)
   size -= count + 1;
   }
 
+#ifdef TCP_FASTOPEN
+  tfo_out_check(sx->cctx.sock);
+#endif
+
 /* Return a value that depends on the SMTP return code. On some systems a
 non-zero value of errno has been seen at this point, so ensure it is zero,
 because the caller of this function looks at errno when FALSE is returned, to