environment grooming
[exim.git] / src / src / tls.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is
9based on a patch that was originally contributed by Steve Haslam. It was
10adapted from stunnel, a GPL program by Michal Trojnara. The code for GNU TLS is
6aa6fc9c 11based on a patch contributed by Nikos Mavrogiannopoulos. Because these packages
059ec3d9
PH
12are so very different, the functions for each are kept in separate files. The
13relevant file is #included as required, after any any common functions.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL or GNU TLS libraries. */
17
18
19#include "exim.h"
65867078 20#include "transports/smtp.h"
059ec3d9 21
de517fd3
JH
22#if !defined(DISABLE_TLS) && !defined(USE_OPENSSL) && !defined(USE_GNUTLS)
23# error One of USE_OPENSSL or USE_GNUTLS must be defined for a TLS build
24#endif
25
26
01603eec 27#if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)
b10c87b3
JH
28# include "macro_predef.h"
29# ifdef USE_GNUTLS
30# include "tls-gnu.c"
31# else
8442641e
JH
32# include "tls-openssl.c"
33# endif
34#endif
35
36#ifndef MACRO_PREDEF
37
059ec3d9
PH
38/* This module is compiled only when it is specifically requested in the
39build-time configuration. However, some compilers don't like compiling empty
40modules, so keep them happy with a dummy when skipping the rest. Make it
41reference itself to stop picky compilers complaining that it is unused, and put
42in a dummy argument to stop even pickier compilers complaining about infinite
43loops. */
44
01603eec 45#ifdef DISABLE_TLS
059ec3d9
PH
46static void dummy(int x) { dummy(x-1); }
47#else
48
49/* Static variables that are used for buffering data by both sets of
4fe99a6c 50functions and the common functions below.
059ec3d9 51
4fe99a6c
PP
52We're moving away from this; GnuTLS is already using a state, which
53can switch, so we can do TLS callouts during ACLs. */
059ec3d9 54
17c76198 55static const int ssl_xfer_buffer_size = 4096;
de517fd3 56#ifdef USE_OPENSSL
4fe99a6c 57static uschar *ssl_xfer_buffer = NULL;
059ec3d9
PH
58static int ssl_xfer_buffer_lwm = 0;
59static int ssl_xfer_buffer_hwm = 0;
8b77d27a
JH
60static int ssl_xfer_eof = FALSE;
61static BOOL ssl_xfer_error = FALSE;
4fe99a6c 62#endif
059ec3d9 63
44bbabb5 64uschar *tls_channelbinding_b64 = NULL;
059ec3d9
PH
65
66
67/*************************************************
68* Expand string; give error on failure *
69*************************************************/
70
71/* If expansion is forced to fail, set the result NULL and return TRUE.
72Other failures return FALSE. For a server, an SMTP response is given.
73
74Arguments:
75 s the string to expand; if NULL just return TRUE
76 name name of string being expanded (for error)
77 result where to put the result
78
79Returns: TRUE if OK; result may still be NULL after forced failure
80*/
81
82static BOOL
cf0c6164 83expand_check(const uschar *s, const uschar *name, uschar **result, uschar ** errstr)
059ec3d9 84{
cf0c6164
JH
85if (!s)
86 *result = NULL;
87else if ( !(*result = expand_string(US s)) /* need to clean up const more */
8768d548 88 && !f.expand_string_forcedfail
cf0c6164 89 )
059ec3d9 90 {
cf0c6164
JH
91 *errstr = US"Internal error";
92 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of %s failed: %s", name,
93 expand_string_message);
94 return FALSE;
059ec3d9
PH
95 }
96return TRUE;
97}
98
99
100/*************************************************
e9477a08
JH
101* Timezone environment flipping *
102*************************************************/
103
104static uschar *
105to_tz(uschar * tz)
106{
dfe7d917
JH
107uschar * old = US getenv("TZ");
108(void) setenv("TZ", CCS tz, 1);
271019bd 109tzset();
dfe7d917 110return old;
e9477a08 111}
dfe7d917 112
e9477a08
JH
113static void
114restore_tz(uschar * tz)
115{
dfe7d917
JH
116if (tz)
117 (void) setenv("TZ", CCS tz, 1);
118else
93a680e4 119 (void) os_unsetenv(US"TZ");
271019bd 120tzset();
e9477a08
JH
121}
122
123/*************************************************
059ec3d9
PH
124* Many functions are package-specific *
125*************************************************/
126
127#ifdef USE_GNUTLS
27f19eb4
JH
128# include "tls-gnu.c"
129# include "tlscert-gnu.c"
27f19eb4
JH
130# define ssl_xfer_buffer (state_server.xfer_buffer)
131# define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
132# define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
133# define ssl_xfer_eof (state_server.xfer_eof)
134# define ssl_xfer_error (state_server.xfer_error)
de517fd3 135#endif
4fe99a6c 136
de517fd3 137#ifdef USE_OPENSSL
27f19eb4
JH
138# include "tls-openssl.c"
139# include "tlscert-openssl.c"
059ec3d9
PH
140#endif
141
142
143
144/*************************************************
145* TLS version of ungetc *
146*************************************************/
147
148/* Puts a character back in the input buffer. Only ever
149called once.
389ca47a 150Only used by the server-side TLS.
059ec3d9
PH
151
152Arguments:
153 ch the character
154
155Returns: the character
156*/
157
158int
159tls_ungetc(int ch)
160{
161ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
162return ch;
163}
164
165
166
167/*************************************************
168* TLS version of feof *
169*************************************************/
170
171/* Tests for a previous EOF
389ca47a 172Only used by the server-side TLS.
059ec3d9
PH
173
174Arguments: none
175Returns: non-zero if the eof flag is set
176*/
177
178int
179tls_feof(void)
180{
8b77d27a 181return (int)ssl_xfer_eof;
059ec3d9
PH
182}
183
184
185
186/*************************************************
187* TLS version of ferror *
188*************************************************/
189
190/* Tests for a previous read error, and returns with errno
191restored to what it was when the error was detected.
389ca47a 192Only used by the server-side TLS.
059ec3d9
PH
193
194>>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>>
195
196Arguments: none
197Returns: non-zero if the error flag is set
198*/
199
200int
201tls_ferror(void)
202{
8b77d27a 203return (int)ssl_xfer_error;
059ec3d9
PH
204}
205
58eb016e
PH
206
207/*************************************************
208* TLS version of smtp_buffered *
209*************************************************/
210
211/* Tests for unused chars in the TLS input buffer.
389ca47a 212Only used by the server-side TLS.
58eb016e
PH
213
214Arguments: none
215Returns: TRUE/FALSE
216*/
217
218BOOL
219tls_smtp_buffered(void)
220{
221return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
222}
223
224
01603eec 225#endif /*DISABLE_TLS*/
059ec3d9 226
35aba663
JH
227void
228tls_modify_variables(tls_support * dest_tsp)
229{
230modify_variable(US"tls_bits", &dest_tsp->bits);
231modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
232modify_variable(US"tls_cipher", &dest_tsp->cipher);
233modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
de517fd3 234#ifdef USE_OPENSSL
35aba663
JH
235modify_variable(US"tls_sni", &dest_tsp->sni);
236#endif
237}
238
417bfce4 239
01603eec 240#ifndef DISABLE_TLS
812a6045
JH
241/************************************************
242* TLS certificate name operations *
243************************************************/
244
245/* Convert an rfc4514 DN to an exim comma-sep list.
246Backslashed commas need to be replaced by doublecomma
247for Exim's list quoting. We modify the given string
248inplace.
249*/
250
251static void
252dn_to_list(uschar * dn)
253{
d7978c0f 254for (uschar * cp = dn; *cp; cp++)
812a6045
JH
255 if (cp[0] == '\\' && cp[1] == ',')
256 *cp++ = ',';
257}
258
259
260/* Extract fields of a given type from an RFC4514-
261format Distinguished Name. Return an Exim list.
262NOTE: We modify the supplied dn string during operation.
263
264Arguments:
265 dn Distinguished Name string
bfbad1dd 266 mod list containing optional output list-sep and
812a6045
JH
267 field selector match, comma-separated
268Return:
269 allocated string with list of matching fields,
270 field type stripped
271*/
272
273uschar *
55414b25 274tls_field_from_dn(uschar * dn, const uschar * mod)
812a6045
JH
275{
276int insep = ',';
277uschar outsep = '\n';
278uschar * ele;
279uschar * match = NULL;
280int len;
acec9514 281gstring * list = NULL;
812a6045 282
7437665e 283while ((ele = string_nextinlist(&mod, &insep, NULL, 0)))
812a6045
JH
284 if (ele[0] != '>')
285 match = ele; /* field tag to match */
286 else if (ele[1])
bfbad1dd 287 outsep = ele[1]; /* nondefault output separator */
812a6045
JH
288
289dn_to_list(dn);
290insep = ',';
bfbad1dd 291len = match ? Ustrlen(match) : -1;
55414b25 292while ((ele = string_nextinlist(CUSS &dn, &insep, NULL, 0)))
bfbad1dd
JH
293 if ( !match
294 || Ustrncmp(ele, match, len) == 0 && ele[len] == '='
295 )
acec9514
JH
296 list = string_append_listele(list, outsep, ele+len+1);
297return string_from_gstring(list);
812a6045
JH
298}
299
300
e51c7be2
JH
301/* Compare a domain name with a possibly-wildcarded name. Wildcards
302are restricted to a single one, as the first element of patterns
303having at least three dot-separated elements. Case-independent.
304Return TRUE for a match
305*/
306static BOOL
307is_name_match(const uschar * name, const uschar * pat)
308{
309uschar * cp;
310return *pat == '*' /* possible wildcard match */
311 ? *++pat == '.' /* starts star, dot */
312 && !Ustrchr(++pat, '*') /* has no more stars */
313 && Ustrchr(pat, '.') /* and has another dot. */
314 && (cp = Ustrchr(name, '.'))/* The name has at least one dot */
315 && strcmpic(++cp, pat) == 0 /* and we only compare after it. */
316 : !Ustrchr(pat+1, '*')
317 && strcmpic(name, pat) == 0;
318}
319
320/* Compare a list of names with the dnsname elements
321of the Subject Alternate Name, if any, and the
322Subject otherwise.
323
324Arguments:
325 namelist names to compare
326 cert certificate
327
328Returns:
329 TRUE/FALSE
330*/
331
332BOOL
55414b25 333tls_is_name_for_cert(const uschar * namelist, void * cert)
e51c7be2
JH
334{
335uschar * altnames = tls_cert_subject_altname(cert, US"dns");
336uschar * subjdn;
337uschar * certname;
338int cmp_sep = 0;
339uschar * cmpname;
340
341if ((altnames = tls_cert_subject_altname(cert, US"dns")))
342 {
343 int alt_sep = '\n';
7437665e 344 while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
e51c7be2 345 {
55414b25 346 const uschar * an = altnames;
7437665e 347 while ((certname = string_nextinlist(&an, &alt_sep, NULL, 0)))
e51c7be2
JH
348 if (is_name_match(cmpname, certname))
349 return TRUE;
350 }
351 }
352
353else if ((subjdn = tls_cert_subject(cert, NULL)))
354 {
355 int sn_sep = ',';
e51c7be2
JH
356
357 dn_to_list(subjdn);
67791ce4 358 while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
e51c7be2 359 {
55414b25 360 const uschar * sn = subjdn;
7437665e 361 while ((certname = string_nextinlist(&sn, &sn_sep, NULL, 0)))
e51c7be2
JH
362 if ( *certname++ == 'C'
363 && *certname++ == 'N'
364 && *certname++ == '='
365 && is_name_match(cmpname, certname)
366 )
367 return TRUE;
368 }
369 }
370return FALSE;
371}
6b5cbf74
JH
372
373
374/* Environment cleanup: The GnuTLS library spots SSLKEYLOGFILE in the envonment
375and writes a file by that name. We might make the OpenSSL support do the same,
376in some future release. Restrict that filename to be under the spool directory.
377
378If the path is absolute, require it starts with the spooldir; otherwise delete
379the env variable. If relative, prefix the spooldir.
380*/
381void
382tls_clean_env(void)
383{
384uschar * path = US getenv("SSLKEYLOGFILE");
385if (path)
386 if (!*path)
387 unsetenv("SSLKEYLOGFILE");
388 else if (*path != '/')
389 {
390 DEBUG(D_tls)
391 debug_printf("prepending spooldir to env SSLKEYLOGFILE\n");
392 setenv("SSLKEYLOGFILE", CCS string_sprintf("%s/%s", spool_directory, path), 1);
393 }
394 else if (Ustrncmp(path, spool_directory, Ustrlen(spool_directory)) != 0)
395 {
396 DEBUG(D_tls)
397 debug_printf("removing env SSLKEYLOGFILE: not under spooldir\n");
398 unsetenv("SSLKEYLOGFILE");
399 }
400}
01603eec 401#endif /*!DISABLE_TLS*/
8442641e 402#endif /*!MACRO_PREDEF*/
812a6045
JH
403
404/* vi: aw ai sw=2
405*/
059ec3d9 406/* End of tls.c */