Commit | Line | Data |
---|---|---|
059ec3d9 PH |
1 | /************************************************* |
2 | * Exim - an Internet mail transport agent * | |
3 | *************************************************/ | |
4 | ||
3386088d | 5 | /* Copyright (c) University of Cambridge 1995 - 2015 */ |
059ec3d9 PH |
6 | /* See the file NOTICE for conditions of use and distribution. */ |
7 | ||
8 | /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is | |
9 | based on a patch that was originally contributed by Steve Haslam. It was | |
10 | adapted from stunnel, a GPL program by Michal Trojnara. The code for GNU TLS is | |
11 | based on a patch contributed by Nikos Mavroyanopoulos. Because these packages | |
12 | are so very different, the functions for each are kept in separate files. The | |
13 | relevant file is #included as required, after any any common functions. | |
14 | ||
15 | No cryptographic code is included in Exim. All this module does is to call | |
16 | functions from the OpenSSL or GNU TLS libraries. */ | |
17 | ||
18 | ||
19 | #include "exim.h" | |
65867078 | 20 | #include "transports/smtp.h" |
059ec3d9 PH |
21 | |
22 | /* This module is compiled only when it is specifically requested in the | |
23 | build-time configuration. However, some compilers don't like compiling empty | |
24 | modules, so keep them happy with a dummy when skipping the rest. Make it | |
25 | reference itself to stop picky compilers complaining that it is unused, and put | |
26 | in a dummy argument to stop even pickier compilers complaining about infinite | |
27 | loops. */ | |
28 | ||
29 | #ifndef SUPPORT_TLS | |
30 | static void dummy(int x) { dummy(x-1); } | |
31 | #else | |
32 | ||
33 | /* Static variables that are used for buffering data by both sets of | |
4fe99a6c | 34 | functions and the common functions below. |
059ec3d9 | 35 | |
4fe99a6c PP |
36 | We're moving away from this; GnuTLS is already using a state, which |
37 | can switch, so we can do TLS callouts during ACLs. */ | |
059ec3d9 | 38 | |
17c76198 | 39 | static const int ssl_xfer_buffer_size = 4096; |
4fe99a6c PP |
40 | #ifndef USE_GNUTLS |
41 | static uschar *ssl_xfer_buffer = NULL; | |
059ec3d9 PH |
42 | static int ssl_xfer_buffer_lwm = 0; |
43 | static int ssl_xfer_buffer_hwm = 0; | |
44 | static int ssl_xfer_eof = 0; | |
45 | static int ssl_xfer_error = 0; | |
4fe99a6c | 46 | #endif |
059ec3d9 | 47 | |
44bbabb5 | 48 | uschar *tls_channelbinding_b64 = NULL; |
059ec3d9 PH |
49 | |
50 | ||
51 | /************************************************* | |
52 | * Expand string; give error on failure * | |
53 | *************************************************/ | |
54 | ||
55 | /* If expansion is forced to fail, set the result NULL and return TRUE. | |
56 | Other failures return FALSE. For a server, an SMTP response is given. | |
57 | ||
58 | Arguments: | |
59 | s the string to expand; if NULL just return TRUE | |
60 | name name of string being expanded (for error) | |
61 | result where to put the result | |
62 | ||
63 | Returns: TRUE if OK; result may still be NULL after forced failure | |
64 | */ | |
65 | ||
66 | static BOOL | |
17c76198 | 67 | expand_check(const uschar *s, const uschar *name, uschar **result) |
059ec3d9 PH |
68 | { |
69 | if (s == NULL) *result = NULL; else | |
70 | { | |
17c76198 | 71 | *result = expand_string(US s); /* need to clean up const some more */ |
059ec3d9 PH |
72 | if (*result == NULL && !expand_string_forcedfail) |
73 | { | |
74 | log_write(0, LOG_MAIN|LOG_PANIC, "expansion of %s failed: %s", name, | |
75 | expand_string_message); | |
76 | return FALSE; | |
77 | } | |
78 | } | |
79 | return TRUE; | |
80 | } | |
81 | ||
82 | ||
e9477a08 JH |
83 | /************************************************* |
84 | * Timezone environment flipping * | |
85 | *************************************************/ | |
86 | ||
06cf6fdc JH |
87 | #ifdef MISSING_UNSETENV_3 |
88 | # include "setenv.c" | |
89 | #endif | |
90 | ||
e9477a08 JH |
91 | static uschar * |
92 | to_tz(uschar * tz) | |
93 | { | |
94 | uschar * old = US getenv("TZ"); | |
06cf6fdc JH |
95 | (void) setenv("TZ", CCS tz, 1); |
96 | tzset(); | |
e9477a08 JH |
97 | return old; |
98 | } | |
99 | static void | |
100 | restore_tz(uschar * tz) | |
101 | { | |
102 | if (tz) | |
06cf6fdc | 103 | (void) setenv("TZ", CCS tz, 1); |
e9477a08 | 104 | else |
06cf6fdc JH |
105 | (void) unsetenv("TZ"); |
106 | tzset(); | |
e9477a08 JH |
107 | } |
108 | ||
059ec3d9 PH |
109 | /************************************************* |
110 | * Many functions are package-specific * | |
111 | *************************************************/ | |
112 | ||
113 | #ifdef USE_GNUTLS | |
27f19eb4 JH |
114 | # include "tls-gnu.c" |
115 | # include "tlscert-gnu.c" | |
4fe99a6c | 116 | |
27f19eb4 JH |
117 | # define ssl_xfer_buffer (state_server.xfer_buffer) |
118 | # define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm) | |
119 | # define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm) | |
120 | # define ssl_xfer_eof (state_server.xfer_eof) | |
121 | # define ssl_xfer_error (state_server.xfer_error) | |
4fe99a6c | 122 | |
059ec3d9 | 123 | #else |
27f19eb4 JH |
124 | # include "tls-openssl.c" |
125 | # include "tlscert-openssl.c" | |
059ec3d9 PH |
126 | #endif |
127 | ||
128 | ||
129 | ||
130 | /************************************************* | |
131 | * TLS version of ungetc * | |
132 | *************************************************/ | |
133 | ||
134 | /* Puts a character back in the input buffer. Only ever | |
135 | called once. | |
389ca47a | 136 | Only used by the server-side TLS. |
059ec3d9 PH |
137 | |
138 | Arguments: | |
139 | ch the character | |
140 | ||
141 | Returns: the character | |
142 | */ | |
143 | ||
144 | int | |
145 | tls_ungetc(int ch) | |
146 | { | |
147 | ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch; | |
148 | return ch; | |
149 | } | |
150 | ||
151 | ||
152 | ||
153 | /************************************************* | |
154 | * TLS version of feof * | |
155 | *************************************************/ | |
156 | ||
157 | /* Tests for a previous EOF | |
389ca47a | 158 | Only used by the server-side TLS. |
059ec3d9 PH |
159 | |
160 | Arguments: none | |
161 | Returns: non-zero if the eof flag is set | |
162 | */ | |
163 | ||
164 | int | |
165 | tls_feof(void) | |
166 | { | |
167 | return ssl_xfer_eof; | |
168 | } | |
169 | ||
170 | ||
171 | ||
172 | /************************************************* | |
173 | * TLS version of ferror * | |
174 | *************************************************/ | |
175 | ||
176 | /* Tests for a previous read error, and returns with errno | |
177 | restored to what it was when the error was detected. | |
389ca47a | 178 | Only used by the server-side TLS. |
059ec3d9 PH |
179 | |
180 | >>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>> | |
181 | ||
182 | Arguments: none | |
183 | Returns: non-zero if the error flag is set | |
184 | */ | |
185 | ||
186 | int | |
187 | tls_ferror(void) | |
188 | { | |
189 | return ssl_xfer_error; | |
190 | } | |
191 | ||
58eb016e PH |
192 | |
193 | /************************************************* | |
194 | * TLS version of smtp_buffered * | |
195 | *************************************************/ | |
196 | ||
197 | /* Tests for unused chars in the TLS input buffer. | |
389ca47a | 198 | Only used by the server-side TLS. |
58eb016e PH |
199 | |
200 | Arguments: none | |
201 | Returns: TRUE/FALSE | |
202 | */ | |
203 | ||
204 | BOOL | |
205 | tls_smtp_buffered(void) | |
206 | { | |
207 | return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm; | |
208 | } | |
209 | ||
210 | ||
059ec3d9 PH |
211 | #endif /* SUPPORT_TLS */ |
212 | ||
35aba663 JH |
213 | void |
214 | tls_modify_variables(tls_support * dest_tsp) | |
215 | { | |
216 | modify_variable(US"tls_bits", &dest_tsp->bits); | |
217 | modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified); | |
218 | modify_variable(US"tls_cipher", &dest_tsp->cipher); | |
219 | modify_variable(US"tls_peerdn", &dest_tsp->peerdn); | |
220 | #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) | |
221 | modify_variable(US"tls_sni", &dest_tsp->sni); | |
222 | #endif | |
223 | } | |
224 | ||
417bfce4 JH |
225 | |
226 | #ifdef SUPPORT_TLS | |
812a6045 JH |
227 | /************************************************ |
228 | * TLS certificate name operations * | |
229 | ************************************************/ | |
230 | ||
231 | /* Convert an rfc4514 DN to an exim comma-sep list. | |
232 | Backslashed commas need to be replaced by doublecomma | |
233 | for Exim's list quoting. We modify the given string | |
234 | inplace. | |
235 | */ | |
236 | ||
237 | static void | |
238 | dn_to_list(uschar * dn) | |
239 | { | |
240 | uschar * cp; | |
241 | for (cp = dn; *cp; cp++) | |
242 | if (cp[0] == '\\' && cp[1] == ',') | |
243 | *cp++ = ','; | |
244 | } | |
245 | ||
246 | ||
247 | /* Extract fields of a given type from an RFC4514- | |
248 | format Distinguished Name. Return an Exim list. | |
249 | NOTE: We modify the supplied dn string during operation. | |
250 | ||
251 | Arguments: | |
252 | dn Distinguished Name string | |
bfbad1dd | 253 | mod list containing optional output list-sep and |
812a6045 JH |
254 | field selector match, comma-separated |
255 | Return: | |
256 | allocated string with list of matching fields, | |
257 | field type stripped | |
258 | */ | |
259 | ||
260 | uschar * | |
55414b25 | 261 | tls_field_from_dn(uschar * dn, const uschar * mod) |
812a6045 JH |
262 | { |
263 | int insep = ','; | |
264 | uschar outsep = '\n'; | |
265 | uschar * ele; | |
266 | uschar * match = NULL; | |
267 | int len; | |
268 | uschar * list = NULL; | |
269 | ||
7437665e | 270 | while ((ele = string_nextinlist(&mod, &insep, NULL, 0))) |
812a6045 JH |
271 | if (ele[0] != '>') |
272 | match = ele; /* field tag to match */ | |
273 | else if (ele[1]) | |
bfbad1dd | 274 | outsep = ele[1]; /* nondefault output separator */ |
812a6045 JH |
275 | |
276 | dn_to_list(dn); | |
277 | insep = ','; | |
bfbad1dd | 278 | len = match ? Ustrlen(match) : -1; |
55414b25 | 279 | while ((ele = string_nextinlist(CUSS &dn, &insep, NULL, 0))) |
bfbad1dd JH |
280 | if ( !match |
281 | || Ustrncmp(ele, match, len) == 0 && ele[len] == '=' | |
282 | ) | |
812a6045 JH |
283 | list = string_append_listele(list, outsep, ele+len+1); |
284 | return list; | |
285 | } | |
286 | ||
287 | ||
e51c7be2 JH |
288 | /* Compare a domain name with a possibly-wildcarded name. Wildcards |
289 | are restricted to a single one, as the first element of patterns | |
290 | having at least three dot-separated elements. Case-independent. | |
291 | Return TRUE for a match | |
292 | */ | |
293 | static BOOL | |
294 | is_name_match(const uschar * name, const uschar * pat) | |
295 | { | |
296 | uschar * cp; | |
297 | return *pat == '*' /* possible wildcard match */ | |
298 | ? *++pat == '.' /* starts star, dot */ | |
299 | && !Ustrchr(++pat, '*') /* has no more stars */ | |
300 | && Ustrchr(pat, '.') /* and has another dot. */ | |
301 | && (cp = Ustrchr(name, '.'))/* The name has at least one dot */ | |
302 | && strcmpic(++cp, pat) == 0 /* and we only compare after it. */ | |
303 | : !Ustrchr(pat+1, '*') | |
304 | && strcmpic(name, pat) == 0; | |
305 | } | |
306 | ||
307 | /* Compare a list of names with the dnsname elements | |
308 | of the Subject Alternate Name, if any, and the | |
309 | Subject otherwise. | |
310 | ||
311 | Arguments: | |
312 | namelist names to compare | |
313 | cert certificate | |
314 | ||
315 | Returns: | |
316 | TRUE/FALSE | |
317 | */ | |
318 | ||
319 | BOOL | |
55414b25 | 320 | tls_is_name_for_cert(const uschar * namelist, void * cert) |
e51c7be2 JH |
321 | { |
322 | uschar * altnames = tls_cert_subject_altname(cert, US"dns"); | |
323 | uschar * subjdn; | |
324 | uschar * certname; | |
325 | int cmp_sep = 0; | |
326 | uschar * cmpname; | |
327 | ||
328 | if ((altnames = tls_cert_subject_altname(cert, US"dns"))) | |
329 | { | |
330 | int alt_sep = '\n'; | |
7437665e | 331 | while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0))) |
e51c7be2 | 332 | { |
55414b25 | 333 | const uschar * an = altnames; |
7437665e | 334 | while ((certname = string_nextinlist(&an, &alt_sep, NULL, 0))) |
e51c7be2 JH |
335 | if (is_name_match(cmpname, certname)) |
336 | return TRUE; | |
337 | } | |
338 | } | |
339 | ||
340 | else if ((subjdn = tls_cert_subject(cert, NULL))) | |
341 | { | |
342 | int sn_sep = ','; | |
e51c7be2 JH |
343 | |
344 | dn_to_list(subjdn); | |
67791ce4 | 345 | while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0))) |
e51c7be2 | 346 | { |
55414b25 | 347 | const uschar * sn = subjdn; |
7437665e | 348 | while ((certname = string_nextinlist(&sn, &sn_sep, NULL, 0))) |
e51c7be2 JH |
349 | if ( *certname++ == 'C' |
350 | && *certname++ == 'N' | |
351 | && *certname++ == '=' | |
352 | && is_name_match(cmpname, certname) | |
353 | ) | |
354 | return TRUE; | |
355 | } | |
356 | } | |
357 | return FALSE; | |
358 | } | |
6c1c3d1d | 359 | #endif /*SUPPORT_TLS*/ |
812a6045 JH |
360 | |
361 | /* vi: aw ai sw=2 | |
362 | */ | |
059ec3d9 | 363 | /* End of tls.c */ |