From 5013d912e961203f2ab2d5f64be90255cda81b80 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Tue, 21 Mar 2017 15:54:00 +0000 Subject: [PATCH] Logging: make cipher info available for continued-TLS connection deliveries --- doc/doc-docbook/spec.xfpt | 11 +++++------ doc/doc-txt/ChangeLog | 3 +-- src/src/deliver.c | 8 ++++++-- src/src/exim.c | 10 ++++++---- src/src/globals.c | 2 +- src/src/globals.h | 2 +- src/src/transport.c | 5 +++-- src/src/transports/smtp.c | 4 ++-- test/log/2013 | 4 ++-- test/log/2113 | 4 ++-- test/stderr/2013 | 4 ++-- test/stderr/2113 | 4 ++-- 12 files changed, 33 insertions(+), 28 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 128ee8004..c62c1eecf 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3869,12 +3869,12 @@ by Exim in conjunction with the &%-MC%& option, and passes on the fact that the host to which Exim is connected supports TLS encryption. .new -.vitem &%-MCt%&&~<&'IP&~address'&>&~<&'port'&> +.vitem &%-MCt%&&~<&'IP&~address'&>&~<&'port'&>&~<&'cipher'&> .oindex "&%-MCt%&" This option is not intended for use by external callers. It is used internally by Exim in conjunction with the &%-MC%& option, and passes on the fact that the connection is being proxied by a parent process for handling TLS encryption. -The pair of arguments give the local address and port being proxied. +The arguments give the local address and port being proxied, and the TLS cipher. .wen .vitem &%-Mc%&&~<&'message&~id'&>&~<&'message&~id'&>&~... @@ -35774,10 +35774,9 @@ down a single SMTP connection, an asterisk follows the IP address in the log lines for the second and subsequent messages. .new When two or more messages are delivered down a single TLS connection, the -DNS and TLS-related information logged for the first message delivered +DNS and some TLS-related information logged for the first message delivered will not be present in the log lines for the second and subsequent messages. -A TLS-marker indication of &'X=*'& is added to the log line instead of -cipher information. +TLS cipher information is still available. .wen .cindex "delivery" "cutthrough; logging" @@ -35906,7 +35905,7 @@ the following table: &`T `& on &`<=`& lines: message subject (topic) &` `& on &`=>`& &`**`& and &`==`& lines: transport name &`U `& local user or RFC 1413 identity -&`X `& TLS cipher suite, or TLS usage mark +&`X `& TLS cipher suite .endd diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index ac35c75f1..3e5d6f7fc 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -24,8 +24,7 @@ JH/03 Rework the transport continued-connection mechanism: when TLS is active, the passed-on TCP connection. Instead, proxy the child (and any subsequent ones) for TLS via a unix-domain socket channel. Logging is affected: the continued delivery log lines do not have any DNSSEC, TLS - cipher, Certificate or OCSP information. A "continued-TLS" marker is - added instead of the cipher information: "X=*". + Certificate or OCSP information. TLS cipher information is still logged. JH/04 Shorten the log line for daemon startup by collapsing adjacent sets of identical IP addresses on different listening ports. Will also affect diff --git a/src/src/deliver.c b/src/src/deliver.c index 7743d37c3..ccc32667e 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -4715,8 +4715,12 @@ for (delivery_count = 0; addr_remote; delivery_count++) rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer); } - else if (continue_proxy) /* known TLS, but no cipher info */ - rmt_dlv_checked_write(fd, 'X', '1', US"*\0", 3); + else if (continue_proxy_cipher) + { + ptr = big_buffer + sprintf(CS big_buffer, "%.128s", continue_proxy_cipher) + 1; + *ptr++ = 0; + rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer); + } if (addr->peercert) { diff --git a/src/src/exim.c b/src/src/exim.c index fd08cc780..383382072 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -2710,7 +2710,7 @@ for (i = 1; i < argc; i++) /* Set up $sending_ip_address and $sending_port, unless proxied */ - if (!continue_proxy) + if (!continue_proxy_cipher) if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock), &size) == 0) sending_ip_address = host_ntoa(-1, &interface_sock, NULL, @@ -2774,13 +2774,15 @@ for (i = 1; i < argc; i++) #ifdef SUPPORT_TLS /* -MCt: similar to -MCT below but the connection is still open via a proxy proces which handles the TLS context and coding. - Require two arguments for the proxied local address and port. */ + Require three arguments for the proxied local address and port, + and the TLS cipher. */ - case 't': continue_proxy = TRUE; - if (++i < argc) sending_ip_address = argv[i]; + case 't': if (++i < argc) sending_ip_address = argv[i]; else badarg = TRUE; if (++i < argc) sending_port = (int)(Uatol(argv[i])); else badarg = TRUE; + if (++i < argc) continue_proxy_cipher = argv[i]; + else badarg = TRUE; /*FALLTHROUGH*/ /* -MCT: set the tls_offered flag; this is useful only when it diff --git a/src/src/globals.c b/src/src/globals.c index f3e4bad96..9e417b0d2 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -529,11 +529,11 @@ uid_t config_uid = 0; #endif int connection_max_messages= -1; +uschar *continue_proxy_cipher = NULL; uschar *continue_hostname = NULL; uschar *continue_host_address = NULL; BOOL continue_more = FALSE; int continue_sequence = 1; -BOOL continue_proxy = FALSE; uschar *continue_transport = NULL; uschar *csa_status = NULL; diff --git a/src/src/globals.h b/src/src/globals.h index 750a960eb..72be706a4 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -289,11 +289,11 @@ extern uschar *config_main_filelist; /* List of possible config files */ extern uschar *config_main_filename; /* File name actually used */ extern uschar *config_main_directory; /* Directory where the main config file was found */ extern uid_t config_uid; /* Additional owner */ +extern uschar *continue_proxy_cipher; /* TLS cipher for proxied continued delivery */ extern uschar *continue_hostname; /* Host for continued delivery */ extern uschar *continue_host_address; /* IP address for ditto */ extern BOOL continue_more; /* Flag more addresses waiting */ extern int continue_sequence; /* Sequence num for continued delivery */ -extern BOOL continue_proxy; /* Continued delivery is proxied for TLS */ extern uschar *continue_transport; /* Transport for continued delivery */ extern uschar *csa_status; /* Client SMTP Authorization result */ diff --git a/src/src/transport.c b/src/src/transport.c index aca33762b..e6e327822 100644 --- a/src/src/transport.c +++ b/src/src/transport.c @@ -1959,7 +1959,7 @@ DEBUG(D_transport) debug_printf("transport_pass_socket entered\n"); if ((pid = fork()) == 0) { - int i = 19; + int i = 20; const uschar **argv; /* Disconnect entirely from the parent process. If we are running in the @@ -1983,11 +1983,12 @@ if ((pid = fork()) == 0) if (smtp_peer_options & PEER_OFFERED_SIZE) argv[i++] = US"-MCS"; #ifdef SUPPORT_TLS if (smtp_peer_options & PEER_OFFERED_TLS) - if (tls_out.active >= 0 || continue_proxy) + if (tls_out.active >= 0 || continue_proxy_cipher) { argv[i++] = US"-MCt"; argv[i++] = sending_ip_address; argv[i++] = string_sprintf("%d", sending_port); + argv[i++] = tls_out.active >= 0 ? tls_out.cipher : continue_proxy_cipher; } else argv[i++] = US"-MCT"; diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 52e04b8a5..34c96dbff 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -1823,7 +1823,7 @@ else /* For a continued connection with TLS being proxied for us, nothing more to do. */ - if (continue_proxy) + if (continue_proxy_cipher) { sx->peer_offered = smtp_peer_options; pipelining_active = !!(smtp_peer_options & PEER_OFFERED_PIPE); @@ -3277,7 +3277,7 @@ if (sx.completed_addr && sx.ok && sx.send_quit) || continue_more || ( #ifdef SUPPORT_TLS - ( tls_out.active < 0 && !continue_proxy + ( tls_out.active < 0 && !continue_proxy_cipher || verify_check_given_host(&sx.ob->hosts_nopass_tls, host) != OK ) && diff --git a/test/log/2013 b/test/log/2013 index ad78743ec..e66fdbfae 100644 --- a/test/log/2013 +++ b/test/log/2013 @@ -4,9 +4,9 @@ 1999-03-02 09:44:33 Start queue run: pid=pppp -qqf 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbB-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbC-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qqf diff --git a/test/log/2113 b/test/log/2113 index 88eafe9b3..144154088 100644 --- a/test/log/2113 +++ b/test/log/2113 @@ -4,9 +4,9 @@ 1999-03-02 09:44:33 Start queue run: pid=pppp -qqf 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbB-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbC-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qqf diff --git a/test/stderr/2013 b/test/stderr/2013 index c183664d6..4c1b0ce12 100644 --- a/test/stderr/2013 +++ b/test/stderr/2013 @@ -49,7 +49,7 @@ cmd buf flush ddd bytes SMTP<< 250 OK id=10HmbB-0005vi-00 SMTP(close)>> LOG: MAIN - => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbB-0005vi-00" + => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbB-0005vi-00" LOG: MAIN Completed >>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>> @@ -70,7 +70,7 @@ cmd buf flush ddd bytes SMTP(close)>> >>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>> LOG: MAIN - => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbC-0005vi-00" + => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbC-0005vi-00" LOG: MAIN Completed >>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>> diff --git a/test/stderr/2113 b/test/stderr/2113 index ae0044b99..af5ff730f 100644 --- a/test/stderr/2113 +++ b/test/stderr/2113 @@ -49,7 +49,7 @@ cmd buf flush ddd bytes SMTP<< 250 OK id=10HmbB-0005vi-00 SMTP(close)>> LOG: MAIN - => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbB-0005vi-00" + => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbB-0005vi-00" LOG: MAIN Completed >>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>> @@ -70,7 +70,7 @@ cmd buf flush ddd bytes SMTP(close)>> >>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>> LOG: MAIN - => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbC-0005vi-00" + => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbC-0005vi-00" LOG: MAIN Completed >>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>> -- 2.25.1