X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=src%2Fsrc%2Ftls.c;h=55295108c1315038968945d09e6a2c871f8b82d2;hb=ef8176594c130feebefad040420fbc4d637e9571;hp=75c46e9e4560b65f641718bc319cfa15ba5bc3a3;hpb=812a604525eef4993d6ed165d455c8309ae72c36;p=exim.git diff --git a/src/src/tls.c b/src/src/tls.c index 75c46e9e4..55295108c 100644 --- a/src/src/tls.c +++ b/src/src/tls.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2016 */ /* See the file NOTICE for conditions of use and distribution. */ /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is @@ -80,23 +80,46 @@ return TRUE; } +/************************************************* +* Timezone environment flipping * +*************************************************/ + +static uschar * +to_tz(uschar * tz) +{ +uschar * old = US getenv("TZ"); +(void) setenv("TZ", CCS tz, 1); +tzset(); +return old; +} + +static void +restore_tz(uschar * tz) +{ +if (tz) + (void) setenv("TZ", CCS tz, 1); +else + (void) os_unsetenv(US"TZ"); +tzset(); +} + /************************************************* * Many functions are package-specific * *************************************************/ #ifdef USE_GNUTLS -#include "tls-gnu.c" -#include "tlscert-gnu.c" +# include "tls-gnu.c" +# include "tlscert-gnu.c" -#define ssl_xfer_buffer (state_server.xfer_buffer) -#define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm) -#define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm) -#define ssl_xfer_eof (state_server.xfer_eof) -#define ssl_xfer_error (state_server.xfer_error) +# define ssl_xfer_buffer (state_server.xfer_buffer) +# define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm) +# define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm) +# define ssl_xfer_eof (state_server.xfer_eof) +# define ssl_xfer_error (state_server.xfer_error) #else -#include "tls-openssl.c" -#include "tlscert-openssl.c" +# include "tls-openssl.c" +# include "tlscert-openssl.c" #endif @@ -196,6 +219,8 @@ modify_variable(US"tls_sni", &dest_tsp->sni); #endif } + +#ifdef SUPPORT_TLS /************************************************ * TLS certificate name operations * ************************************************/ @@ -222,7 +247,7 @@ NOTE: We modify the supplied dn string during operation. Arguments: dn Distinguished Name string - mod string containing optional list-sep and + mod list containing optional output list-sep and field selector match, comma-separated Return: allocated string with list of matching fields, @@ -230,7 +255,7 @@ Return: */ uschar * -tls_field_from_dn(uschar * dn, uschar * mod) +tls_field_from_dn(uschar * dn, const uschar * mod) { int insep = ','; uschar outsep = '\n'; @@ -239,22 +264,96 @@ uschar * match = NULL; int len; uschar * list = NULL; -while (ele = string_nextinlist(&mod, &insep, NULL, 0)) +while ((ele = string_nextinlist(&mod, &insep, NULL, 0))) if (ele[0] != '>') match = ele; /* field tag to match */ else if (ele[1]) - outsep = ele[1]; /* nondefault separator */ + outsep = ele[1]; /* nondefault output separator */ dn_to_list(dn); insep = ','; -len = Ustrlen(match); -while (ele = string_nextinlist(&dn, &insep, NULL, 0)) - if (Ustrncmp(ele, match, len) == 0 && ele[len] == '=') +len = match ? Ustrlen(match) : -1; +while ((ele = string_nextinlist(CUSS &dn, &insep, NULL, 0))) + if ( !match + || Ustrncmp(ele, match, len) == 0 && ele[len] == '=' + ) list = string_append_listele(list, outsep, ele+len+1); return list; } +/* Compare a domain name with a possibly-wildcarded name. Wildcards +are restricted to a single one, as the first element of patterns +having at least three dot-separated elements. Case-independent. +Return TRUE for a match +*/ +static BOOL +is_name_match(const uschar * name, const uschar * pat) +{ +uschar * cp; +return *pat == '*' /* possible wildcard match */ + ? *++pat == '.' /* starts star, dot */ + && !Ustrchr(++pat, '*') /* has no more stars */ + && Ustrchr(pat, '.') /* and has another dot. */ + && (cp = Ustrchr(name, '.'))/* The name has at least one dot */ + && strcmpic(++cp, pat) == 0 /* and we only compare after it. */ + : !Ustrchr(pat+1, '*') + && strcmpic(name, pat) == 0; +} + +/* Compare a list of names with the dnsname elements +of the Subject Alternate Name, if any, and the +Subject otherwise. + +Arguments: + namelist names to compare + cert certificate + +Returns: + TRUE/FALSE +*/ + +BOOL +tls_is_name_for_cert(const uschar * namelist, void * cert) +{ +uschar * altnames = tls_cert_subject_altname(cert, US"dns"); +uschar * subjdn; +uschar * certname; +int cmp_sep = 0; +uschar * cmpname; + +if ((altnames = tls_cert_subject_altname(cert, US"dns"))) + { + int alt_sep = '\n'; + while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0))) + { + const uschar * an = altnames; + while ((certname = string_nextinlist(&an, &alt_sep, NULL, 0))) + if (is_name_match(cmpname, certname)) + return TRUE; + } + } + +else if ((subjdn = tls_cert_subject(cert, NULL))) + { + int sn_sep = ','; + + dn_to_list(subjdn); + while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0))) + { + const uschar * sn = subjdn; + while ((certname = string_nextinlist(&sn, &sn_sep, NULL, 0))) + if ( *certname++ == 'C' + && *certname++ == 'N' + && *certname++ == '=' + && is_name_match(cmpname, certname) + ) + return TRUE; + } + } +return FALSE; +} +#endif /*SUPPORT_TLS*/ /* vi: aw ai sw=2 */