projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Disable EXIM_MONITOR
[exim.git] / src / src / tls.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is
9 based on a patch that was originally contributed by Steve Haslam. It was
10 adapted from stunnel, a GPL program by Michal Trojnara. The code for GNU TLS is
11 based on a patch contributed by Nikos Mavrogiannopoulos. Because these packages
12 are so very different, the functions for each are kept in separate files. The
13 relevant file is #included as required, after any any common functions.
14
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL or GNU TLS libraries. */
17
18
19 #include "exim.h"
20 #include "transports/smtp.h"
21
22 #if !defined(DISABLE_TLS) && !defined(USE_OPENSSL) && !defined(USE_GNUTLS)
23 # error One of USE_OPENSSL or USE_GNUTLS must be defined for a TLS build
24 #endif
25
26
27 #if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)
28 # include "macro_predef.h"
29 # ifdef USE_GNUTLS
30 # include "tls-gnu.c"
31 # else
32 # include "tls-openssl.c"
33 # endif
34 #endif
35
36 #ifndef MACRO_PREDEF
37
38 /* This module is compiled only when it is specifically requested in the
39 build-time configuration. However, some compilers don't like compiling empty
40 modules, so keep them happy with a dummy when skipping the rest. Make it
41 reference itself to stop picky compilers complaining that it is unused, and put
42 in a dummy argument to stop even pickier compilers complaining about infinite
43 loops. */
44
45 #ifdef DISABLE_TLS
46 static void dummy(int x) { dummy(x-1); }
47 #else
48
49 /* Static variables that are used for buffering data by both sets of
50 functions and the common functions below.
51
52 We're moving away from this; GnuTLS is already using a state, which
53 can switch, so we can do TLS callouts during ACLs. */
54
55 static const int ssl_xfer_buffer_size = 4096;
56 #ifdef USE_OPENSSL
57 static uschar *ssl_xfer_buffer = NULL;
58 static int ssl_xfer_buffer_lwm = 0;
59 static int ssl_xfer_buffer_hwm = 0;
60 static int ssl_xfer_eof = FALSE;
61 static BOOL ssl_xfer_error = FALSE;
62 #endif
63
64 uschar *tls_channelbinding_b64 = NULL;
65
66
67 /*************************************************
68 * Expand string; give error on failure *
69 *************************************************/
70
71 /* If expansion is forced to fail, set the result NULL and return TRUE.
72 Other failures return FALSE. For a server, an SMTP response is given.
73
74 Arguments:
75 s the string to expand; if NULL just return TRUE
76 name name of string being expanded (for error)
77 result where to put the result
78
79 Returns: TRUE if OK; result may still be NULL after forced failure
80 */
81
82 static BOOL
83 expand_check(const uschar *s, const uschar *name, uschar **result, uschar ** errstr)
84 {
85 if (!s)
86 *result = NULL;
87 else if ( !(*result = expand_string(US s)) /* need to clean up const more */
88 && !f.expand_string_forcedfail
89 )
90 {
91 *errstr = US"Internal error";
92 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of %s failed: %s", name,
93 expand_string_message);
94 return FALSE;
95 }
96 return TRUE;
97 }
98
99
100 /*************************************************
101 * Timezone environment flipping *
102 *************************************************/
103
104 static uschar *
105 to_tz(uschar * tz)
106 {
107 uschar * old = US getenv("TZ");
108 (void) setenv("TZ", CCS tz, 1);
109 tzset();
110 return old;
111 }
112
113 static void
114 restore_tz(uschar * tz)
115 {
116 if (tz)
117 (void) setenv("TZ", CCS tz, 1);
118 else
119 (void) os_unsetenv(US"TZ");
120 tzset();
121 }
122
123 /*************************************************
124 * Many functions are package-specific *
125 *************************************************/
126
127 #ifdef USE_GNUTLS
128 # include "tls-gnu.c"
129 # include "tlscert-gnu.c"
130 # define ssl_xfer_buffer (state_server.xfer_buffer)
131 # define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
132 # define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
133 # define ssl_xfer_eof (state_server.xfer_eof)
134 # define ssl_xfer_error (state_server.xfer_error)
135 #endif
136
137 #ifdef USE_OPENSSL
138 # include "tls-openssl.c"
139 # include "tlscert-openssl.c"
140 #endif
141
142
143
144 /*************************************************
145 * TLS version of ungetc *
146 *************************************************/
147
148 /* Puts a character back in the input buffer. Only ever
149 called once.
150 Only used by the server-side TLS.
151
152 Arguments:
153 ch the character
154
155 Returns: the character
156 */
157
158 int
159 tls_ungetc(int ch)
160 {
161 ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
162 return ch;
163 }
164
165
166
167 /*************************************************
168 * TLS version of feof *
169 *************************************************/
170
171 /* Tests for a previous EOF
172 Only used by the server-side TLS.
173
174 Arguments: none
175 Returns: non-zero if the eof flag is set
176 */
177
178 int
179 tls_feof(void)
180 {
181 return (int)ssl_xfer_eof;
182 }
183
184
185
186 /*************************************************
187 * TLS version of ferror *
188 *************************************************/
189
190 /* Tests for a previous read error, and returns with errno
191 restored to what it was when the error was detected.
192 Only used by the server-side TLS.
193
194 >>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>>
195
196 Arguments: none
197 Returns: non-zero if the error flag is set
198 */
199
200 int
201 tls_ferror(void)
202 {
203 return (int)ssl_xfer_error;
204 }
205
206
207 /*************************************************
208 * TLS version of smtp_buffered *
209 *************************************************/
210
211 /* Tests for unused chars in the TLS input buffer.
212 Only used by the server-side TLS.
213
214 Arguments: none
215 Returns: TRUE/FALSE
216 */
217
218 BOOL
219 tls_smtp_buffered(void)
220 {
221 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
222 }
223
224
225 #endif /*DISABLE_TLS*/
226
227 void
228 tls_modify_variables(tls_support * dest_tsp)
229 {
230 modify_variable(US"tls_bits", &dest_tsp->bits);
231 modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
232 modify_variable(US"tls_cipher", &dest_tsp->cipher);
233 modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
234 #ifdef USE_OPENSSL
235 modify_variable(US"tls_sni", &dest_tsp->sni);
236 #endif
237 }
238
239
240 #ifndef DISABLE_TLS
241 /************************************************
242 * TLS certificate name operations *
243 ************************************************/
244
245 /* Convert an rfc4514 DN to an exim comma-sep list.
246 Backslashed commas need to be replaced by doublecomma
247 for Exim's list quoting. We modify the given string
248 inplace.
249 */
250
251 static void
252 dn_to_list(uschar * dn)
253 {
254 for (uschar * cp = dn; *cp; cp++)
255 if (cp[0] == '\\' && cp[1] == ',')
256 *cp++ = ',';
257 }
258
259
260 /* Extract fields of a given type from an RFC4514-
261 format Distinguished Name. Return an Exim list.
262 NOTE: We modify the supplied dn string during operation.
263
264 Arguments:
265 dn Distinguished Name string
266 mod list containing optional output list-sep and
267 field selector match, comma-separated
268 Return:
269 allocated string with list of matching fields,
270 field type stripped
271 */
272
273 uschar *
274 tls_field_from_dn(uschar * dn, const uschar * mod)
275 {
276 int insep = ',';
277 uschar outsep = '\n';
278 uschar * ele;
279 uschar * match = NULL;
280 int len;
281 gstring * list = NULL;
282
283 while ((ele = string_nextinlist(&mod, &insep, NULL, 0)))
284 if (ele[0] != '>')
285 match = ele; /* field tag to match */
286 else if (ele[1])
287 outsep = ele[1]; /* nondefault output separator */
288
289 dn_to_list(dn);
290 insep = ',';
291 len = match ? Ustrlen(match) : -1;
292 while ((ele = string_nextinlist(CUSS &dn, &insep, NULL, 0)))
293 if ( !match
294 || Ustrncmp(ele, match, len) == 0 && ele[len] == '='
295 )
296 list = string_append_listele(list, outsep, ele+len+1);
297 return string_from_gstring(list);
298 }
299
300
301 /* Compare a domain name with a possibly-wildcarded name. Wildcards
302 are restricted to a single one, as the first element of patterns
303 having at least three dot-separated elements. Case-independent.
304 Return TRUE for a match
305 */
306 static BOOL
307 is_name_match(const uschar * name, const uschar * pat)
308 {
309 uschar * cp;
310 return *pat == '*' /* possible wildcard match */
311 ? *++pat == '.' /* starts star, dot */
312 && !Ustrchr(++pat, '*') /* has no more stars */
313 && Ustrchr(pat, '.') /* and has another dot. */
314 && (cp = Ustrchr(name, '.'))/* The name has at least one dot */
315 && strcmpic(++cp, pat) == 0 /* and we only compare after it. */
316 : !Ustrchr(pat+1, '*')
317 && strcmpic(name, pat) == 0;
318 }
319
320 /* Compare a list of names with the dnsname elements
321 of the Subject Alternate Name, if any, and the
322 Subject otherwise.
323
324 Arguments:
325 namelist names to compare
326 cert certificate
327
328 Returns:
329 TRUE/FALSE
330 */
331
332 BOOL
333 tls_is_name_for_cert(const uschar * namelist, void * cert)
334 {
335 uschar * altnames = tls_cert_subject_altname(cert, US"dns");
336 uschar * subjdn;
337 uschar * certname;
338 int cmp_sep = 0;
339 uschar * cmpname;
340
341 if ((altnames = tls_cert_subject_altname(cert, US"dns")))
342 {
343 int alt_sep = '\n';
344 while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
345 {
346 const uschar * an = altnames;
347 while ((certname = string_nextinlist(&an, &alt_sep, NULL, 0)))
348 if (is_name_match(cmpname, certname))
349 return TRUE;
350 }
351 }
352
353 else if ((subjdn = tls_cert_subject(cert, NULL)))
354 {
355 int sn_sep = ',';
356
357 dn_to_list(subjdn);
358 while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
359 {
360 const uschar * sn = subjdn;
361 while ((certname = string_nextinlist(&sn, &sn_sep, NULL, 0)))
362 if ( *certname++ == 'C'
363 && *certname++ == 'N'
364 && *certname++ == '='
365 && is_name_match(cmpname, certname)
366 )
367 return TRUE;
368 }
369 }
370 return FALSE;
371 }
372
373
374 /* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment
375 and writes a file by that name. Our OpenSSL code does the same, using keying
376 info from the library API.
377 The GnuTLS support only works if exim is run by root, not taking advantage of
378 the setuid bit.
379 You can use either the external environment (modulo the keep_environment config)
380 or the add_environment config option for SSLKEYLOGFILE; the latter takes
381 precedence.
382
383 If the path is absolute, require it starts with the spooldir; otherwise delete
384 the env variable. If relative, prefix the spooldir.
385 */
386 void
387 tls_clean_env(void)
388 {
389 uschar * path = US getenv("SSLKEYLOGFILE");
390 if (path)
391 if (!*path)
392 unsetenv("SSLKEYLOGFILE");
393 else if (*path != '/')
394 {
395 DEBUG(D_tls)
396 debug_printf("prepending spooldir to env SSLKEYLOGFILE\n");
397 setenv("SSLKEYLOGFILE", CCS string_sprintf("%s/%s", spool_directory, path), 1);
398 }
399 else if (Ustrncmp(path, spool_directory, Ustrlen(spool_directory)) != 0)
400 {
401 DEBUG(D_tls)
402 debug_printf("removing env SSLKEYLOGFILE=%s: not under spooldir\n", path);
403 unsetenv("SSLKEYLOGFILE");
404 }
405 }
406 #endif /*!DISABLE_TLS*/
407 #endif /*!MACRO_PREDEF*/
408
409 /* vi: aw ai sw=2
410 */
411 /* End of tls.c */
Unnamed repository; edit this file 'description' to name the repository.