5958dfc1c115648beec667046c801847e5ece08c
[exim.git] / src / src / tls.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2015 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is
9 based on a patch that was originally contributed by Steve Haslam. It was
10 adapted from stunnel, a GPL program by Michal Trojnara. The code for GNU TLS is
11 based on a patch contributed by Nikos Mavroyanopoulos. Because these packages
12 are so very different, the functions for each are kept in separate files. The
13 relevant file is #included as required, after any any common functions.
14
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL or GNU TLS libraries. */
17
18
19 #include "exim.h"
20 #include "transports/smtp.h"
21
22 /* This module is compiled only when it is specifically requested in the
23 build-time configuration. However, some compilers don't like compiling empty
24 modules, so keep them happy with a dummy when skipping the rest. Make it
25 reference itself to stop picky compilers complaining that it is unused, and put
26 in a dummy argument to stop even pickier compilers complaining about infinite
27 loops. */
28
29 #ifndef SUPPORT_TLS
30 static void dummy(int x) { dummy(x-1); }
31 #else
32
33 /* Static variables that are used for buffering data by both sets of
34 functions and the common functions below.
35
36 We're moving away from this; GnuTLS is already using a state, which
37 can switch, so we can do TLS callouts during ACLs. */
38
39 static const int ssl_xfer_buffer_size = 4096;
40 #ifndef USE_GNUTLS
41 static uschar *ssl_xfer_buffer = NULL;
42 static int ssl_xfer_buffer_lwm = 0;
43 static int ssl_xfer_buffer_hwm = 0;
44 static int ssl_xfer_eof = 0;
45 static int ssl_xfer_error = 0;
46 #endif
47
48 uschar *tls_channelbinding_b64 = NULL;
49
50
51 /*************************************************
52 * Expand string; give error on failure *
53 *************************************************/
54
55 /* If expansion is forced to fail, set the result NULL and return TRUE.
56 Other failures return FALSE. For a server, an SMTP response is given.
57
58 Arguments:
59 s the string to expand; if NULL just return TRUE
60 name name of string being expanded (for error)
61 result where to put the result
62
63 Returns: TRUE if OK; result may still be NULL after forced failure
64 */
65
66 static BOOL
67 expand_check(const uschar *s, const uschar *name, uschar **result)
68 {
69 if (s == NULL) *result = NULL; else
70 {
71 *result = expand_string(US s); /* need to clean up const some more */
72 if (*result == NULL && !expand_string_forcedfail)
73 {
74 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of %s failed: %s", name,
75 expand_string_message);
76 return FALSE;
77 }
78 }
79 return TRUE;
80 }
81
82
83 /*************************************************
84 * Timezone environment flipping *
85 *************************************************/
86
87 #ifdef MISSING_UNSETENV_3
88 # include "setenv.c"
89 #endif
90
91 static uschar *
92 to_tz(uschar * tz)
93 {
94 uschar * old = US getenv("TZ");
95 (void) setenv("TZ", CCS tz, 1);
96 tzset();
97 return old;
98 }
99 static void
100 restore_tz(uschar * tz)
101 {
102 if (tz)
103 (void) setenv("TZ", CCS tz, 1);
104 else
105 (void) unsetenv("TZ");
106 tzset();
107 }
108
109 /*************************************************
110 * Many functions are package-specific *
111 *************************************************/
112
113 #ifdef USE_GNUTLS
114 # include "tls-gnu.c"
115 # include "tlscert-gnu.c"
116
117 # define ssl_xfer_buffer (state_server.xfer_buffer)
118 # define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
119 # define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
120 # define ssl_xfer_eof (state_server.xfer_eof)
121 # define ssl_xfer_error (state_server.xfer_error)
122
123 #else
124 # include "tls-openssl.c"
125 # include "tlscert-openssl.c"
126 #endif
127
128
129
130 /*************************************************
131 * TLS version of ungetc *
132 *************************************************/
133
134 /* Puts a character back in the input buffer. Only ever
135 called once.
136 Only used by the server-side TLS.
137
138 Arguments:
139 ch the character
140
141 Returns: the character
142 */
143
144 int
145 tls_ungetc(int ch)
146 {
147 ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
148 return ch;
149 }
150
151
152
153 /*************************************************
154 * TLS version of feof *
155 *************************************************/
156
157 /* Tests for a previous EOF
158 Only used by the server-side TLS.
159
160 Arguments: none
161 Returns: non-zero if the eof flag is set
162 */
163
164 int
165 tls_feof(void)
166 {
167 return ssl_xfer_eof;
168 }
169
170
171
172 /*************************************************
173 * TLS version of ferror *
174 *************************************************/
175
176 /* Tests for a previous read error, and returns with errno
177 restored to what it was when the error was detected.
178 Only used by the server-side TLS.
179
180 >>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>>
181
182 Arguments: none
183 Returns: non-zero if the error flag is set
184 */
185
186 int
187 tls_ferror(void)
188 {
189 return ssl_xfer_error;
190 }
191
192
193 /*************************************************
194 * TLS version of smtp_buffered *
195 *************************************************/
196
197 /* Tests for unused chars in the TLS input buffer.
198 Only used by the server-side TLS.
199
200 Arguments: none
201 Returns: TRUE/FALSE
202 */
203
204 BOOL
205 tls_smtp_buffered(void)
206 {
207 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
208 }
209
210
211 #endif /* SUPPORT_TLS */
212
213 void
214 tls_modify_variables(tls_support * dest_tsp)
215 {
216 modify_variable(US"tls_bits", &dest_tsp->bits);
217 modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
218 modify_variable(US"tls_cipher", &dest_tsp->cipher);
219 modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
220 #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
221 modify_variable(US"tls_sni", &dest_tsp->sni);
222 #endif
223 }
224
225
226 #ifdef SUPPORT_TLS
227 /************************************************
228 * TLS certificate name operations *
229 ************************************************/
230
231 /* Convert an rfc4514 DN to an exim comma-sep list.
232 Backslashed commas need to be replaced by doublecomma
233 for Exim's list quoting. We modify the given string
234 inplace.
235 */
236
237 static void
238 dn_to_list(uschar * dn)
239 {
240 uschar * cp;
241 for (cp = dn; *cp; cp++)
242 if (cp[0] == '\\' && cp[1] == ',')
243 *cp++ = ',';
244 }
245
246
247 /* Extract fields of a given type from an RFC4514-
248 format Distinguished Name. Return an Exim list.
249 NOTE: We modify the supplied dn string during operation.
250
251 Arguments:
252 dn Distinguished Name string
253 mod list containing optional output list-sep and
254 field selector match, comma-separated
255 Return:
256 allocated string with list of matching fields,
257 field type stripped
258 */
259
260 uschar *
261 tls_field_from_dn(uschar * dn, const uschar * mod)
262 {
263 int insep = ',';
264 uschar outsep = '\n';
265 uschar * ele;
266 uschar * match = NULL;
267 int len;
268 uschar * list = NULL;
269
270 while ((ele = string_nextinlist(&mod, &insep, NULL, 0)))
271 if (ele[0] != '>')
272 match = ele; /* field tag to match */
273 else if (ele[1])
274 outsep = ele[1]; /* nondefault output separator */
275
276 dn_to_list(dn);
277 insep = ',';
278 len = match ? Ustrlen(match) : -1;
279 while ((ele = string_nextinlist(CUSS &dn, &insep, NULL, 0)))
280 if ( !match
281 || Ustrncmp(ele, match, len) == 0 && ele[len] == '='
282 )
283 list = string_append_listele(list, outsep, ele+len+1);
284 return list;
285 }
286
287
288 /* Compare a domain name with a possibly-wildcarded name. Wildcards
289 are restricted to a single one, as the first element of patterns
290 having at least three dot-separated elements. Case-independent.
291 Return TRUE for a match
292 */
293 static BOOL
294 is_name_match(const uschar * name, const uschar * pat)
295 {
296 uschar * cp;
297 return *pat == '*' /* possible wildcard match */
298 ? *++pat == '.' /* starts star, dot */
299 && !Ustrchr(++pat, '*') /* has no more stars */
300 && Ustrchr(pat, '.') /* and has another dot. */
301 && (cp = Ustrchr(name, '.'))/* The name has at least one dot */
302 && strcmpic(++cp, pat) == 0 /* and we only compare after it. */
303 : !Ustrchr(pat+1, '*')
304 && strcmpic(name, pat) == 0;
305 }
306
307 /* Compare a list of names with the dnsname elements
308 of the Subject Alternate Name, if any, and the
309 Subject otherwise.
310
311 Arguments:
312 namelist names to compare
313 cert certificate
314
315 Returns:
316 TRUE/FALSE
317 */
318
319 BOOL
320 tls_is_name_for_cert(const uschar * namelist, void * cert)
321 {
322 uschar * altnames = tls_cert_subject_altname(cert, US"dns");
323 uschar * subjdn;
324 uschar * certname;
325 int cmp_sep = 0;
326 uschar * cmpname;
327
328 if ((altnames = tls_cert_subject_altname(cert, US"dns")))
329 {
330 int alt_sep = '\n';
331 while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
332 {
333 const uschar * an = altnames;
334 while ((certname = string_nextinlist(&an, &alt_sep, NULL, 0)))
335 if (is_name_match(cmpname, certname))
336 return TRUE;
337 }
338 }
339
340 else if ((subjdn = tls_cert_subject(cert, NULL)))
341 {
342 int sn_sep = ',';
343
344 dn_to_list(subjdn);
345 while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
346 {
347 const uschar * sn = subjdn;
348 while ((certname = string_nextinlist(&sn, &sn_sep, NULL, 0)))
349 if ( *certname++ == 'C'
350 && *certname++ == 'N'
351 && *certname++ == '='
352 && is_name_match(cmpname, certname)
353 )
354 return TRUE;
355 }
356 }
357 return FALSE;
358 }
359 #endif /*SUPPORT_TLS*/
360
361 /* vi: aw ai sw=2
362 */
363 /* End of tls.c */